https://wiki.archlinux.org/api.php?action=feedcontributions&user=Sironitomas&feedformat=atom ArchWiki - User contributions [en] 2024-03-28T10:50:34Z User contributions MediaWiki 1.41.0 https://wiki.archlinux.org/index.php?title=Internet_sharing&diff=170829 Internet sharing 2011-11-22T17:00:55Z <p>Sironitomas: /* Instructions */</p>
<hr />
<div>[[Category:Networking (English)]]<br />
[[fr:Partage de connexion]]<br />
[[es:Conexion a Internet compartida]]<br />
{{i18n|Internet_Share}}<br />
<br />
==Preface==<br />
Let's assume you have an Internet connection and you want to share it. There are two main ways to do that.<br />
<br />
<pre><br />
Internet pc1<br />
1. ----> |router| ---> |switch| --->-<<br />
pc2 ..etc<br />
<br />
Internet<br />
2. ------> |pc1 (router)| --> pc2..etc<br />
</pre><br />
<br />
==Instructions==<br />
I'll explain the second way (it is easier and requires one less machine).<br />
<ol><br />
<li>Install a second network card to the first PC.</li><br />
<br />
<li>Connect the two PCs using [http://en.wikipedia.org/wiki/Ethernet_crossover_cable crossover cable] or a [http://en.wikipedia.org/wiki/Network_switch switch]. If one of the two computers has a gigabit ethernet card, a regular ethernet cable should work.</li><br />
<br />
<li>Let's assume that the first card (with the Internet) is called '''''internet0''''' and the other one (for the sharing) is called '''''local0'''''. (If the two names swap at every boot, read [http://wiki.archlinux.org/index.php/Udev#Mixed_Up_Devices.2C_Sound.2FNetwork_Cards_Changing_Order_Each_Boot this].) The network interface of the client machine will be called '''''local1'''''.<br />
<br />
The interfaces '''''local0''''' and '''''local1''''' will have to be in the same network.</li><br />
<br />
<li>Configure the second network card with:<br />
:'''IP:''' 192.168.0.1<br />
:'''Netmask:''' 255.255.255.0<br />
or enter in a console (as root)<br />
<pre>ifconfig local0 192.168.0.1 netmask 255.255.255.0<br />
ifconfig local0 up</pre></li><br />
<br />
<li>To make this permanent, install [[netcfg]] if you don't have it and set up a network profile in '''/etc/network.d''', drawing on the examples in '''/etc/network.d/examples'''. Or, put the above lines in '''/etc/rc.local'''.</li><br />
<br />
<li>Enable packet forwarding. To do so, write a "'''1'''" to '''/proc/sys/net/ipv4/ip_forward''' with:<br />
<pre>echo 1 > /proc/sys/net/ipv4/ip_forward</pre></li><br />
<br />
<li>Edit '''/etc/sysctl.conf''' and add this line, which makes the previous change persistent across reboots.<br />
<pre>net.ipv4.ip_forward=1</pre><br />
If you are using IPv6, use these lines:<br />
<pre>net.ipv6.conf.default.forwarding=1<br />
net.ipv6.conf.all.forwarding=1</pre></li><br />
<br />
<li>Install iptables, enable NAT (needed to share Internet), save and start it.<br />
<pre>pacman -S iptables<br />
iptables -t nat -A POSTROUTING -o internet0 -j MASQUERADE<br />
rc.d save iptables<br />
rc.d start iptables</pre></li><br />
<br />
<li>Add iptables to the DAEMONS array in '''/etc/rc.conf''' so that it is started at every boot.</li><br />
<br />
<li>Go to the client PC and set:<br />
:'''IP:''' 192.168.0.2<br />
:'''Netmask:''' 255.255.255.0<br />
:'''Gateway:''' 192.168.0.1<br />
:'''DNS:''' The same DNS as the first PC<br />
<br />
<pre>ifconfig local1 192.168.0.2 netmask 255.255.255.0<br />
ifconfig local1 up<br />
route add default gw 192.168.0.1 local1<br />
echo "nameserver <adr of nameserver>" >> /etc/resolv.conf<br />
</pre><br />
<br />
You can find the address of the nameserver by looking in the /etc/resolv.conf of PC1, if its Internet connection is already established. If you don't have a nameserver, you can use [https://code.google.com/speed/public-dns/ Google Public DNS], which is relatively fast. Its addresses are '''8.8.8.8''' and '''8.8.4.4'''.</li></ol><br />
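The steps above add a MASQUERADE rule on internet0 but, unless a firewall already sets it, leave the FORWARD chain at its default ACCEPT policy, so PC1 forwards whatever is routed through it in either direction. The following script is an added example, not code from the ArchWiki page: it prints the page's NAT rule together with FORWARD rules that only let connections originating on local0 through, validates the interface names it is given, and applies the result only when explicitly asked to as root; internet0 and local0 are the page's assumed names and only defaults for the arguments.<br />

```shell
#!/bin/sh
# Added example, not from the ArchWiki page. Generates the NAT rule from the
# steps above plus FORWARD-chain rules the page does not set, so the sharing
# PC only forwards traffic for connections that start on the local side.
# Interface names internet0 (upstream) and local0 (shared side) are the
# page's assumed names; pass your own as arguments.

# Accept only characters that can appear in a Linux interface name, so a
# value taken from the command line cannot smuggle extra shell words into
# the generated commands.
valid_ifname() {
    case "$1" in
        ""|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Print the iptables commands for upstream interface $1 and local interface $2.
# Nothing is applied here, so the output can be reviewed before use.
gen_rules() {
    wan="$1"
    lan="$2"
    if ! valid_ifname "$wan" || ! valid_ifname "$lan" || [ "$wan" = "$lan" ]; then
        echo "gen_rules: need two distinct, valid interface names" >&2
        return 1
    fi
    cat <<EOF
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Number of generated commands that touch the FORWARD chain (policy + 2 rules).
forward_rule_count() {
    gen_rules "$1" "$2" | grep -c ' FORWARD '
}

# Apply the generated rules and turn on forwarding for this session (root only).
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    gen_rules "$1" "$2" | sh -e && echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Command-line use: "share.sh internet0 local0" prints the rules (dry run);
# "share.sh internet0 local0 --apply" applies them.
case "${0##*/}" in
    share.sh)
        if [ "$3" = "--apply" ]; then apply_rules "$1" "$2"; else gen_rules "$1" "$2"; fi ;;
esac
```

After applying, "rc.d save iptables" from the steps above persists these rules as well.<br />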
<br />
{{Note| Of course, this also works with a mobile broadband connection (usually called ppp0 on PC1)}}<br />
<br />
That's it. The client PC should now have Internet.<br />
<br />
==See also==<br />
*[[Sharing ppp connection with wlan interface]]<br />
*[[Simple stateful firewall]]<br />
*[[Router]]<br />
*[[USB 3G Modem]]</div> Sironitomas https://wiki.archlinux.org/index.php?title=Network_configuration&diff=168426 Network configuration 2011-11-02T12:20:26Z <p>Sironitomas: /* Bonding or LAG */</p>
<hr />
<div>[[Category:Networking (English)]]<br />
[[Category:Getting and installing Arch (English)]]<br />
{{i18n|Configuring Network}}<br />
{{Article summary start}}<br />
{{Article summary text|A simple guide for setting up and troubleshooting network.}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Networking overview}}}}<br />
{{Article summary end}}<br />
<br />
==Check first==<br />
Many times, the basic installation procedure has created a working network configuration. To check if this is so, use the following command:<br />
{{command| ping -c 3 www.google.com|<nowiki><br />
PING www.l.google.com (74.125.224.146) 56(84) bytes of data.<br />
64 bytes from 74.125.224.146: icmp_req=1 ttl=50 time=437 ms<br />
64 bytes from 74.125.224.146: icmp_req=2 ttl=50 time=385 ms<br />
64 bytes from 74.125.224.146: icmp_req=3 ttl=50 time=298 ms<br />
<br />
--- www.l.google.com ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 1999ms<br />
rtt min/avg/max/mdev = 298.107/373.642/437.202/57.415 ms<br />
</nowiki>|prompt=$}}<br />
{{Tip| The {{codeline|-c 3}} options instruct {{codeline|ping}} to do so three times. See {{codeline|man ping}} for more information.}}<br />
<br />
If it works, then you may only wish to personalize your settings from the options below.<br />
<br />
==Set the hostname==<br />
A hostname is a unique name created to identify a machine on a network. With Arch Linux, a machine's hostname is set in {{Filename|/etc/[[rc.conf]]}}, or, until the next restart, with the ''hostname'' command.<br />
Hostnames are restricted to alphanumeric characters. The dash ({{Codeline|-}}) can be used but a hostname cannot start or end with it. Length is restricted to 63 characters.<br />
<br />
Edit {{Filename|/etc/rc.conf}} and set HOSTNAME (archlinux in this example):<br />
HOSTNAME="archlinux"<br />
<br />
After setting a hostname, it is also a good idea to include the same name in {{Filename|/etc/hosts}}. This will help processes that refer to the computer by its hostname to find its IP address.<br />
<br />
Edit {{Filename|/etc/hosts}} and add the same HOSTNAME you entered in {{Filename|/etc/rc.conf}}:<br />
127.0.0.1 archlinux.domain.org localhost.localdomain localhost archlinux<br />
<br />
To set the hostname temporarily (until the next reboot) use the {{codeline|hostname}} command as root:<br />
{{cli|# hostname archlinux}}<br />
<br />
==Load the device module==<br />
Udev should detect your network interface card (NIC) module and load it automatically at startup. If it does, skip this section. Otherwise, you will need to know which module is needed for your particular model:<br />
# hwdetect --show-net<br />
<br />
Once you know which module to use, you can load it with:<br />
# modprobe ''<modulename>''<br />
<br />
If [[udev]] is not detecting and loading the proper module automatically during bootup, you can add it to the {{Codeline|MODULES}} array in {{Filename|/etc/rc.conf}}, so you do not need to {{Codeline|modprobe}} it every time you boot. For example, if {{Codeline|tg3}} is the network module:<br />
MODULES=(... tg3 snd-cmipci ...)<br />
<br />
Other common modules are 8139too for cards with the Realtek chipset or {{Codeline|sis900}} for SiS cards.<br />
<br />
==Configure IP==<br />
It is important to realize that you may have a dynamically assigned address using DHCP or an unchanging "static" address. (see [[Wikipedia:Dynamic Host Configuration Protocol|Wikipedia:DHCP]] for more information)<br />
{{Note|For motherboards that have integrated NICs, it is important to know which one is considered the primary NIC (e.g. ''eth0'') and which is considered the secondary NIC (e.g. eth1). Many configuration issues are caused by users incorrectly configuring ''eth0'' in their {{Filename|/etc/rc.conf}}, when in fact, they have their Ethernet cable plugged into ''eth1''.}}<br />
<br />
===For DHCP IP===<br />
For this option, you need the {{Pkg|dhcpcd}} package (already available on most installations). To make use of it, edit {{Filename|/etc/rc.conf}} like this:<br />
interface="eth0"<br />
address=<br />
netmask=<br />
gateway=<br />
<br />
Only the interface has to be defined, as leaving the other options blank will set network to DHCP.<br />
<br />
If you use DHCP and you do '''not''' want your DNS servers automatically assigned every time you start your network, be sure to add the following to the last section of {{filename|/etc/dhcpcd.conf}}:<br />
nohook resolv.conf<br />
<br />
Then add your own DNS nameserver to {{filename|/etc/resolv.conf}}.<br />
<br />
Make sure to test your new settings by stopping and starting the {{filename|/etc/rc.d/network}} daemon, as opposed to bringing down your interface and starting DHCP manually. To restart the network daemon:<br />
# /etc/rc.d/network restart<br />
<br />
You may use the {{Pkg|openresolv}} package if several different processes want to control {{Filename|/etc/resolv.conf}} (i.e. {{Pkg|dhcpcd}} and a VPN client). No additional configuration for {{Pkg|dhcpcd}} is needed to use {{Pkg|openresolv}}.<br />
<br />
{{Note|1=It is possible to have a static IP using {{Pkg|dhcpcd}}. Simply edit your {{filename|/etc/conf.d/dhcpcd}} file to look something like this (where x.x.x.x is your desired IP address):<br />
DHCPCD_ARGS="-q -s x.x.x.x"}}<br />
<br />
===For Static IP Addresses===<br />
There are various reasons why you may wish to assign static IP addresses on your network. For instance, one may gain a certain degree of predictability. Also, if you share your Internet connection from a Windows box without a router, be sure to use static IP addresses on both computers. Otherwise you will have LAN issues.<br />
<br />
You need:<br />
* Your static IP address,<br />
* The subnet mask,<br />
* The broadcast address,<br />
* Your gateway's IP address,<br />
* Your name servers' IP addresses,<br />
* Your domain name (unless a local LAN, in which case you can make it up).<br />
<br />
If you are running a private network, it is safe to use IP addresses in 192.168.*.* for your IP addresses, with a netmask of 255.255.255.0 and a broadcast address of 192.168.*.255. Unless your network has a router, the gateway IP address does not matter. Edit {{filename|/etc/rc.conf}} like this, substituting your own values for the IP address, netmask, broadcast, and gateway:<br />
interface=eth0<br />
address=192.168.0.2<br />
netmask=255.255.255.0<br />
gateway=192.168.22.1<br />
<br />
Edit your {{filename|/etc/resolv.conf}} like this, substituting your name servers' IP addresses and your local domain name:<br />
nameserver 61.23.173.5<br />
nameserver 61.95.849.8<br />
search example.com<br />
<br />
{{Note|Currently, you may include a maximum of 3 {{Codeline|nameserver}} lines.}}<br />
<br />
====Manual assignment====<br />
You can assign a static IP in console:<br />
# ip addr add <ip address>/<netmask> dev <interface><br />
For example:<br />
# ip addr add 192.168.1.2/24 dev eth0<br />
<br />
For more options, see: {{codeline|man ip}}<br />
<br />
Add your gateway like so:<br />
# ip route add default via <ip address><br />
(Substitute your own gateway's IP address)<br />
<br />
For example:<br />
# ip route add default via 192.168.1.1<br />
<br />
==Load configuration==<br />
To test your settings either reboot the computer, or as root:<br />
{{cli|# /etc/rc.d/network restart}}<br />
<br />
Try pinging your gateway, DNS server, ISP provider and other Internet sites, in that order, to detect any connection problems along the way, as in this example:<br />
{{cli|$ ping -c 3 www.google.com}}<br />
<br />
==Additional settings==<br />
<br />
===Enable/disable interface===<br />
You can activate or deactivate net interface:<br />
# ip link set <interface> up/down<br />
<br />
===Firewall===<br />
You can install and configure a [[Firewalls|firewall]] to feel more secure.<br />
<br />
===Wireless Setup===<br />
See the [[Wireless Setup]] article for more information.<br />
<br />
===Laptops, 'ifplugd'===<br />
You can install a daemon which will automatically configure your Ethernet device when a cable is plugged in and automatically unconfigure it if the cable is pulled. This is useful on laptops with onboard network adapters, since it will only configure the interface when a cable is really connected. Another use is when you just need to restart the network but do not want to restart the computer or do it from the shell.<br />
<br />
Installation is very simple since {{Package Official|ifplugd}} is in the [[Official Repositories]]:<br />
<br />
By default it is configured to work for the {{Codeline|eth0}} device. This and other settings like delays can be configured in {{Filename|/etc/ifplugd/ifplugd.conf}}.<br />
<br />
[[Daemon#Performing daemon actions manually|Start the ifplugd daemon]] and add {{Codeline|ifplugd}} to your [[Daemons#Starting on Boot|DAEMONS array]] so it starts automatically on boot.<br />
<br />
===Jumbo Frames===<br />
See the [[Jumbo Frames]] article for more information.<br />
<br />
===Bonding or LAG===<br />
You can install the {{Pkg|ifenslave}} package to bind two real Ethernet cables with one IP address. After installation, you will need to edit each of the following files:<br />
<br />
{{Filename|/etc/conf.d/bonding}}:<br />
bond_bond0="eth0 eth1"<br />
BOND_INTERFACES=(bond0)<br />
<br />
{{Filename|/etc/modprobe.d/modprobe.conf}}:<br />
{{Note|{{Pkg|module-init-tools}} > 3.8 package changes the location of the configuration file: {{Filename|/etc/modprobe.conf}} is no longer read, instead {{Filename|/etc/modprobe.d/modprobe.conf}} is used. [http://www.archlinux.org/news/450/ link]}}<br />
options bonding miimon=100<br />
<br />
{{Filename|/etc/rc.conf}}:<br />
MODULES=(... bonding ...)<br />
interface=bond0<br />
address=192.168.1.1<br />
netmask=255.255.255.0<br />
gateway=192.168.1.255<br />
<br />
To activate the new bonded ports, restart your network:<br />
# rc.d restart network<br />
<br />
===IP aliasing===<br />
{{Expansion}}<br />
If you want to use multiple IP addresses on an interface, you will have to use [[netcfg]] and its {{Codeline|POST_UP}} and {{Codeline|PRE_DOWN}} commands in your network profile to set up the additional IP addresses manually. See [https://bbs.archlinux.org/viewtopic.php?pid=951573#p951573 here] for details.<br />
<br />
====Example====<br />
You will need {{Package Official|netcfg}} from the [[Official Repositories]].<br />
<br />
Prepare configuration<br />
<br />
{{File<br />
|name=/etc/network.d/mynetwork<br />
|content=<nowiki><br />
<br />
# CONNECTION='ethernet'<br />
# DESCRIPTION='Five different addresses on the same NIC.'<br />
# INTERFACE='eth0'<br />
# IP='static'<br />
# ADDR='192.168.1.10'<br />
# GATEWAY='192.168.1.1'<br />
# DNS=('192.168.1.1')<br />
# DOMAIN=''<br />
# POST_UP='for i in 11 12 13 14 ; do ip addr add 192.168.1.$i/24 brd 192.168.1.255 dev eth0 ; done'<br />
# PRE_DOWN='for i in 11 12 13 14 ; do ip addr del 192.168.1.$i/24 dev eth0 ; done'<br />
<br />
</nowiki>}}<br />
<br />
{{File<br />
|name=/etc/rc.conf<br />
|content=<nowiki><br />
NETWORKS=(mynetwork)<br />
<br />
...<br />
<br />
DAEMONS=(... net-profiles ...)<br />
</nowiki>}}<br />
<br />
===Change MAC/hardware address===<br />
Changing your MAC address is not possible anymore via {{Filename|/etc/rc.conf}}. See [[MAC Address Spoofing]] for details.<br />
<br />
==Troubleshooting==<br />
<br />
=== DHCP fails at boot ===<br />
First, check all the steps that the computer normally executes at boot in order to find out which one failed. <br />
These steps are:<br />
# Detect the network device and load its driver. <br />
# Bring up the interface. <br />
# Call {{codeline|dhcp}}<br />
<br />
====Step 1====<br />
Check the "Ethernet controller" entry in the output of {{codeline|lspci -v}}.<br />
It should tell you which kernel module contains the driver of your network device. For example:<br />
{{command|lspci -v|<nowiki><br />
02:00.0 Ethernet controller: Attansic Technology Corp. L1 Gigabit Ethernet Adapter (rev b0)<br />
...<br />
Kernel driver in use: atl1<br />
Kernel modules: atl1<br />
</nowiki>|prompt=$}}<br />
Next, check that the driver was loaded via ''dmesg | grep <module name>''. For example:<br />
$ dmesg |grep atl1<br />
...<br />
atl1 0000:02:00.0: eth0 link is up 100 Mbps full duplex<br />
<br />
====Step 2====<br />
Check the output of {{codeline|dmesg}} for the interface associated with your network device and bring it up via (as root) <br />
{{cli|# ip link set <interface> up}}<br />
<br />
Check the result with {{codeline|ip addr show dev eth0}}. For example:<br />
{{command|ip addr show dev eth0|<nowiki><br />
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc vboxnetflt state UP qlen 1000<br />
[...]<br />
</nowiki>|prompt=$}}<br />
<br />
====Step 3====<br />
To be on the safe side, start by releasing the lease of your interface with {{codeline|dhcpcd --release}}, then try to get a lease with {{codeline|dhcpcd}}. Refer to {{codeline| man dhcpcd}} for more information.<br />
<br />
If all goes well, it will look like this:<br />
{{command|dhcpcd --release eth0|<nowiki><br />
dhcpcd: dhcpcd not running</nowiki>|prompt=#}}<br />
{{command|dhcpcd eth0|<nowiki><br />
dhcpcd: version 5.1.1 starting<br />
dhcpcd: eth0: broadcasting for a lease<br />
...<br />
dhcpcd: eth0: leased 192.168.1.70 for 86400 seconds<br />
</nowiki>|prompt=#}}<br />
<br />
And now {{codeline|ip addr show dev <interface>}} should show your inet address.<br />
<br />
Things will probably not work as described somewhere along these steps, or else the network would have started automatically at boot.<br />
<br />
If {{codeline|dhcp}} works using the steps above but not at boot, add the following to {{filename|/etc/rc.local}}:<br />
dhcpcd -k eth0 <br />
dhcpcd -nd eth0<br />
<br />
See http://bbs.archlinux.org/viewtopic.php?id=63940 for more information.<br />
<br />
For some people, the {{codeline|dhclient}} package (available in [extra]) works where {{codeline|dhcpcd}} fails.<br />
<br />
===Swapping computers on the cable modem===<br />
Most domestic cable ISPs (Videotron for example) have the cable modem configured to recognise only one client PC, by the MAC address of its network interface. Once the cable modem has learnt the MAC address of the first PC or equipment that talks to it, it will not respond to another MAC address in any way. Thus if you swap one PC for another (or for a router), the new PC (or router) will not work with the cable modem, because the new PC (or router) has a different MAC address from the old one. To reset the cable modem so that it will recognise the new PC, you must power the cable modem off and on again. Once the cable modem has rebooted and gone fully online again (indicator lights settled down), reboot the newly connected PC so that it makes a DHCP request, or manually make it request a new DHCP lease.<br />
<br />
If this method does not work, you will need to clone the MAC address of the original machine. See also [[Configuring Network#Change MAC/hardware address|Change MAC/hardware address]].<br />
<br />
===The TCP window scaling issue===<br />
TCP packets contain a "window" value in their headers indicating how much data the other host may send in return. This value is represented with only 16 bits, hence the window size is at most 64Kb. TCP packets are cached for a while (they have to be reordered), and as memory is (or used to be) limited, one host could easily run out of it.<br />
<br />
Back in 1992, as more and more memory became available, [http://www.faqs.org/rfcs/rfc1323.html RFC 1323] was written to improve the situation: Window Scaling. The "window" value, provided in all packets, will be modified by a Scale Factor defined once, at the very beginning of the connection.<br />
<br />
That 8-bit Scale Factor allows the Window to be up to 32 times higher than the initial 64Kb.<br />
<br />
It appears that some broken routers and firewalls on the Internet are rewriting the Scale Factor to 0 which causes misunderstandings between hosts.<br />
<br />
Linux kernel 2.6.17 introduced a new calculation scheme that generates higher Scale Factors, which makes the effects of the broken routers and firewalls far more visible.<br />
<br />
The resulting connection is at best very slow or broken.<br />
<br />
====How to diagnose the problem====<br />
First of all, let's make it clear: this problem is odd. In some cases, you will not be able to use TCP connections (HTTP, FTP, ...) at all and in others, you will be able to communicate with some (very few) hosts.<br />
<br />
When you have this problem, the <code>dmesg</code>'s output is OK, logs are clean and <code>ip addr</code> will report normal status &mdash; and actually everything appears normal.<br />
<br />
If you cannot browse any website, but you can ping some random hosts, chances are great that you're experiencing this issue: ping uses ICMP and is not affected by TCP issues.<br />
<br />
You can try to use Wireshark. You might see successful UDP and ICMP communications but unsuccessful TCP communications (only to foreign hosts).<br />
<br />
====How to fix it (The bad way)====<br />
To fix it the bad way, you can change the tcp_rmem value, on which Scale Factor calculation is based. Although it should work for most hosts, it is not guaranteed, especially for very distant ones.<br />
<br />
echo "4096 87380 174760" > /proc/sys/net/ipv4/tcp_rmem<br />
<br />
====How to fix it (The good way)====<br />
Simply disable Window Scaling. Since Window Scaling is a nice TCP feature, it may be uncomfortable to disable it, especially if you cannot fix the broken router. There are several ways to disable Window Scaling, and it seems that the most bulletproof way (which will work with most kernels) is to add the following line to {{Filename|/etc/sysctl.conf}} (see also [[sysctl]])<br />
<br />
net.ipv4.tcp_window_scaling = 0<br />
<br />
====How to fix it (The best way)====<br />
This issue is caused by broken routers/firewalls, so let's replace them. Some users have reported that the broken router was their very own DSL router.<br />
<br />
====More about it====<br />
This section is based on the LWN article [http://lwn.net/Articles/92727/ TCP window scaling and broken routers] and a Kernel Trap article: [http://kerneltrap.org/node/6723 Window Scaling on the Internet].<br />
<br />
There are also several relevant threads on the LKML.<br />
<br />
=== Interface names varying ===<br />
<br />
Your network cards are sometimes named differently between two reboots. Configuring your network connection is hard if you do not know whether your card will be called {{Codeline|eth0}} or {{Codeline|eth1}}.<br />
<br />
It is possible to specify the module loading order in {{Filename|/etc/rc.conf}}, but of course this only works if the kernel does not include the drivers as built-in AND if different network cards are in use (i.e. they rely on different drivers).<br />
# Always load 8139too before e100<br />
MODULES=(8139too e100)<br />
<br />
'''-OR-'''<br />
<br />
With {{Codeline|ifrename}}, see [[Rename network interfaces]]<br />
<br />
'''-OR-'''<br />
<br />
It is also possible to manually create udev rules that assign interface names based on the interface's MAC address.<br />
<br />
{{File|name=/etc/udev/rules.d/10-network.rules|content=<nowiki><br />
SUBSYSTEM=="net", ATTR{address}=="aa:bb:cc:dd:ee:ff", NAME="lan0"<br />
SUBSYSTEM=="net", ATTR{address}=="ff:ee:dd:cc:bb:aa", NAME="wlan0"<br />
</nowiki>}}<br />
<br />
For more information or the original udev guide on the last two methods, see the [[Udev]] wiki entry on this issue.<br />
<br />
[[Udev#Mixed Up Devices, Sound/Network Cards Changing Order Each Boot]]<br />
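The rules file above is written by hand; the following is an added example (not part of the wiki page or of udev) that generates such rules from a list of "MAC name" pairs and validates them first. The kernel reports MAC addresses in lowercase hex, so an uppercase address in ATTR{address} never matches and the rule silently does nothing; the generator normalises case, rejects malformed addresses, names longer than the 15 characters an interface name may have, and duplicated names or addresses, so a broken rules file is never written. The input pairs below are constructed sample values.<br />

```shell
#!/bin/sh
# Added example: build udev "net" rules that pin an interface name to a MAC
# address, as /etc/udev/rules.d/10-network.rules above does, with the input
# validated first. Not code from the wiki page or from udev.

# Normalise one MAC address: prints it in lowercase, returns 1 unless it is
# six colon-separated hex octets.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            printf '%s\n' "$mac" ;;
        *) return 1 ;;
    esac
}

# Emit one rule line for "MAC NAME". The name must be 1-15 characters
# (IFNAMSIZ minus the terminator) of [A-Za-z0-9_-] so it is safe inside NAME="...".
udev_net_rule() {
    mac=$(normalize_mac "$1") || { echo "bad MAC: $1" >&2; return 1; }
    name=$2
    if [ -z "$name" ] || [ "${#name}" -gt 15 ]; then
        echo "bad interface name: '$name'" >&2; return 1
    fi
    case "$name" in
        *[!A-Za-z0-9_-]*) echo "bad interface name: '$name'" >&2; return 1 ;;
    esac
    printf 'SUBSYSTEM=="net", ATTR{address}=="%s", NAME="%s"\n' "$mac" "$name"
}

# Read "MAC NAME" pairs from stdin (blank lines and # comments ignored) and
# print a complete rules file. Any invalid line or a duplicated MAC or name
# aborts with status 1 before anything is written to the rules directory.
build_rules() {
    seen=""
    while read -r mac name; do
        [ -z "$mac" ] && continue
        case "$mac" in \#*) continue ;; esac
        line=$(udev_net_rule "$mac" "$name") || return 1
        key=$(normalize_mac "$mac")
        case " $seen " in
            *" $key "*|*" $name "*) echo "duplicate entry: $mac $name" >&2; return 1 ;;
        esac
        seen="$seen $key $name"
        printf '%s\n' "$line"
    done
}

# Usage with constructed sample addresses (write to the rules file only once
# the generator has succeeded, hence the temporary file):
#   printf '%s\n' 'AA:BB:CC:DD:EE:FF lan0' 'ff:ee:dd:cc:bb:aa wlan0' \
#       | build_rules > /tmp/10-network.rules \
#       && mv /tmp/10-network.rules /etc/udev/rules.d/10-network.rules
```

Because the rules are matched against the address udev reads from sysfs, check the real value with {{Codeline|cat /sys/class/net/<interface>/address}} before pinning a name to it.<br />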
<br />
===Realtek no link / WOL issue===<br />
Users with Realtek 8168, 8169, 8101 or 8111(C) based NICs (add-in cards and on-board) may notice an issue where the NIC seems to be disabled on boot and has no link light. This is usually found on a dual-boot system where Windows is also installed. It seems that using the official Realtek drivers (dated after May 2007) under Windows is the cause. These newer drivers disable the Wake-On-LAN feature by disabling the NIC at Windows shutdown time, where it remains disabled until the next time Windows boots. You can tell this issue is affecting you if the link light stays off until Windows boots up and switches off during Windows shutdown. Normally the link light is on as long as the system is on, even during POST. This issue also affects other operating systems without newer drivers (e.g. live CDs). Here are a few fixes for this issue:<br />
<br />
====Method 1 - Rollback/change Windows driver====<br />
You can roll back your Windows NIC driver to the Microsoft provided one (if available), or roll back/install an official Realtek driver pre-dating May 2007 (may be on the CD that came with your hardware).<br />
<br />
====Method 2 - Enable WOL in Windows driver====<br />
Probably the best and fastest fix is to change this setting in the Windows driver. This way it is fixed system-wide and not only under Arch (e.g. live CDs, other operating systems). In Windows, under Device Manager, find your Realtek network adapter and double-click it. Under the Advanced tab, change "Wake-on-LAN after shutdown" to Enable.<br />
In Windows XP (example)<br />
Right click my computer<br />
--> Hardware tab<br />
--> Device Manager<br />
--> Network Adapters<br />
--> "double click" Realtek ...<br />
--> Advanced tab<br />
--> Wake-On-Lan After Shutdown<br />
--> Enable<br />
<br />
{{Note|Newer Realtek Windows drivers (tested with ''Realtek 8111/8169 LAN Driver v5.708.1030.2008'', dated 2009/01/22, available from GIGABYTE) may refer to this option slightly differently, like ''Shutdown Wake-On-LAN --> Enable''. It seems that switching it to {{Codeline|Disable}} has no effect (you will notice the Link light still turns off upon Windows shutdown). One rather dirty workaround is to boot to Windows and just reset the system (perform an ungraceful restart/shutdown) thus not giving the Windows driver a chance to disable LAN. The Link light will remain on and the LAN adapter will remain accessible after POST - that is until you boot back to Windows and shut it down properly again.}}<br />
<br />
====Method 3 - Newer Realtek Linux driver====<br />
Newer Linux drivers for these Realtek cards can be found on the Realtek site (untested, but believed to also solve the problem).<br />
<br />
====Method 4 - Enable ''LAN Boot ROM'' in BIOS/CMOS====<br />
It appears that setting ''Integrated Peripherals --> Onboard LAN Boot ROM --> Enabled'' in BIOS/CMOS reactivates the Realtek LAN chip on system boot-up, despite the Windows driver disabling it on OS shutdown.<br />
<br><small>This was tested successfully multiple times with GIGABYTE system board GA-G31M-ES2L with BIOS version F8 released on 2009/02/05. YMMV.</small><br />
<br />
===DLink G604T/DLink G502T DNS issue===<br />
Users with a DLink G604T/DLink G502T router, using DHCP and firmware v2.00+ (typically users with AUS firmware), may have issues with certain programs not resolving DNS. One of these programs is, unfortunately, pacman. The problem is that in certain situations the router does not send the DNS servers properly over DHCP, which causes programs to try to connect to servers with an IP of 1.0.0.0 and fail with a connection timed out error.<br />
<br />
====How to diagnose the problem====<br />
The best way to diagnose the problem is to use Firefox/Konqueror/links/seamonkey and to enable wget for pacman. If this is a fresh install of Arch Linux, then you may want to consider installing {{Codeline|links}} through the live CD.<br />
<br />
Firstly, enable wget for pacman (since it gives us info about pacman when it is downloading packages)<br />
Open {{Filename|/etc/pacman.conf}} with your favourite editor and uncomment the following line (remove the # if it is there)<br />
<br />
XferCommand=/usr/bin/wget --passive-ftp -c -O %o %u<br />
<br />
While you are editing {{Filename|/etc/pacman.conf}}, check the default mirror that pacman uses to download packages.<br />
<br />
Now open up the default mirror in an Internet browser to see if the mirror actually works. If it does work, then do {{Codeline|pacman -Syy}} (otherwise pick another working mirror and set it to the pacman default). If you get something similar to the following (notice the 1.0.0.0),<br />
<nowiki>ftp://mirror.pacific.net.au/linux/archlinux/extra/os/i686/extra.db.tar.gz</nowiki> <br />
<nowiki>=> `/var/lib/pacman/community.db.tar.gz.part'</nowiki><br />
Resolving mirror.pacific.net.au... 1.0.0.0<br />
then you most likely have this problem. The 1.0.0.0 means it is unable to resolve DNS, so we must add it to {{Filename|/etc/resolv.conf}}.<br />
<br />
====How to fix it====<br />
Basically what we need to do is to manually add the DNS servers to our {{Filename|/etc/resolv.conf}} file. The problem is that DHCP automatically deletes and replaces this file on boot, so we need to edit {{Filename|/etc/conf.d/dhcpcd}} and change the flags to stop DHCP from doing this.<br />
<br />
When you open {{Filename|/etc/conf.d/dhcpcd}}, you should see something close to the following:<br />
DHCPCD_ARGS="-t 30 -h $HOSTNAME"<br />
Add the -R flag to the arguments, e.g.<br />
DHCPCD_ARGS="-R -t 30 -h $HOSTNAME"<br />
<br />
{{Note|1=If you are using {{Pkg|dhcpcd}} >= 4.0.2, the {{Codeline|-R}} flag has been deprecated. Please see the [[#For DHCP IP]] section for information on how to use a custom {{Filename|/etc/resolv.conf}} file.}}<br />
<br />
Save and close the file; now open {{Filename|/etc/resolv.conf}}. You should see a single nameserver (most likely 10.1.1.1). This is the gateway to your router, which we need to connect to in order to get the DNS servers of your ISP. Paste the IP address into your browser and log in to your router. Go to the DNS section, and you should see an IP address in the Primary DNS Server field; copy it and paste it as a nameserver ABOVE the current gateway one.<br />
<br />
E.g. a {{Filename|/etc/resolv.conf}} should look something along the lines of<br />
nameserver 10.1.1.1<br />
<br />
If my primary DNS server is 211.29.132.12, then change {{Filename|/etc/resolv.conf}} to<br />
nameserver 211.29.132.12<br />
nameserver 10.1.1.1<br />
<br />
Now restart the network daemon by doing {{Codeline|/etc/rc.d/network restart}} and do {{Codeline|pacman -Syy}}. If it syncs correctly with the server, then the problem is solved.<br />
<br />
====More about it====<br />
This is the whirlpool forum (Australian ISP community) which talks about and gives the same solution to the problem<br />
http://forums.whirlpool.net.au/forum-replies-archive.cfm/461625.html<br />
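The fix above is done by hand in an editor. As an added example (not code from the wiki page), the two helpers below automate the diagnosis and the edit: one recognises the "Resolving ... 1.0.0.0" symptom in wget output, the other inserts the ISP's nameserver above the router entry in a resolv.conf-style file. The edit validates the address, is idempotent (running it twice does not duplicate the entry) and writes through {{Codeline|cat}} so the file's owner and mode are preserved. The file path is a parameter so it can be tried on a copy first; the addresses and the wget line are constructed sample values.<br />

```shell
#!/bin/sh
# Added example for the DLink DNS issue above; not code from the wiki page.

# Return 0 if the given wget/pacman output shows the bogus 1.0.0.0
# resolution described above (the line is constructed sample output).
shows_bogus_resolution() {
    printf '%s\n' "$1" | grep -Eq '^Resolving [^ ]+\.\.\. 1\.0\.0\.0$'
}

# Validate a dotted-quad IPv4 address (four octets, each 0-255).
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    set -- $1                       # split into octets (positional parameters)
    IFS=$oldifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Insert $2 as the first nameserver of file $1 (default /etc/resolv.conf),
# keeping the existing entries (e.g. the router's 10.1.1.1) after it.
# Idempotent: if that server is already listed first, the file is untouched.
prepend_nameserver() {
    file=${1:-/etc/resolv.conf}; ns=$2
    valid_ipv4 "$ns" || { echo "not an IPv4 address: $ns" >&2; return 1; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    first=$(awk '/^nameserver/ {print $2; exit}' "$file")
    [ "$first" = "$ns" ] && return 0
    tmp=$(mktemp) || return 1
    {
        printf 'nameserver %s\n' "$ns"
        grep -v "^nameserver $ns\$" "$file" || :   # drop a lower duplicate
    } > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"            # cat keeps owner/mode
}

# Usage with the addresses from the example above:
#   prepend_nameserver /etc/resolv.conf 211.29.132.12
```

Note that this only helps while dhcpcd is told not to rewrite the file (the {{Codeline|-R}} flag mentioned above, or its replacement on newer dhcpcd); otherwise the next lease renewal undoes the edit.<br />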
<br />
===Get an IP from the wrong DHCP in linked (by VPN) router cases===<br />
In my case, I have a network where two routers are tied together through VPN. I have one router at my home, and one at a completely different place in the world. In some rare cases, it appears that the router that is connected to me by VPN is assigning me an IP address. I do not know a way to prevent that process, but I do know a way to fix it. On a console, as root, try this:<br />
dhcpcd -k<br />
dhcpcd<br />
The first line releases your IP and the next line requests a new one. I had to run those two commands three times till my issue was fixed, so do not expect it to work after just one try. If that also fails, you might need to disconnect the VPN connection and try it again with the commands above.<br />
<br />
This even works when NetworkManager is installed.<br />
<br />
===Realtek 8111E loses lots of packets/dmesg is flooded with link messages===<br />
This issue currently plagues rev6 of the 8111. To check if you have this chip, check the output of the following:<br />
lspci | grep 8111<br />
<br />
If you see a line like the following:<br />
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller (rev 06)<br />
and dmesg has a bunch of this:<br />
r8169 0000:03:00.0: eth0: link up<br />
you are using a bad r8169 driver. To fix this, install the {{Package AUR|r8168}} package from the [[AUR]], [[Kernel_modules#Blacklisting|blacklist]] the r8169 kernel module, and reboot in order to fix the issue.<br />
<br />
Supposedly there is a fix for this in Linux 3.0.<br />
<br />
Source: http://forums.gentoo.org/viewtopic-t-881217-start-0.html<br />
<br />
==Related==<br />
[[Samba]]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=Install_Arch_from_network_via_PXE&diff=150468Install Arch from network via PXE2011-08-01T22:58:53Z<p>Sironitomas: /* Preparing dnsmasq */</p>
<hr />
<div>[[Category: Getting and installing Arch (English)]]<br />
{{i18n|Install_Arch_from_network_via_PXE}}<br />
[[fr:Install PXE]]<br />
{{merge|Archiso_as_pxe_server}}<br />
<br />
= Network booting =<br />
<br />
Did your tiny laptop come without a CDROM drive, and doesn't allow you to boot from a usb drive? Fear not, you can boot using PXE.<br />
<br />
PXE is short for Preboot eXecution Environment and is a piece of software that usually resides deep within the guts of the BIOS to allow booting over the network interface. In order to boot into PXE check your BIOS' boot options. It's common to use the Ethernet port. <br />
<br />
==How it works==<br />
<br />
Booting with PXE roughly works as follows:<br />
* a client (the one you want to install to) boots into the environment and asks continuously for a DHCP lease (or IP if you will).<br />
* a DHCP server leases an IP to the client.<br />
* then a tftp (which is a lot like regular ftp) server delivers the files to boot to the target. <br />
<br />
After that the client boots. Once booted it is rather safe to kill the connection if necessary (e.g. to install from the net instead of the image served by tftp).<br />
<br />
== Requisites ==<br />
<br />
You need at least the following:<br />
* a server capable of running DHCPD<br />
* a server capable of running (a)tftpd<br />
* the [ftp://ftp.archlinux.org/iso/archboot/latest/ archboot installation iso] (the official images can not be used for this)<br />
<br />
The DHCP and tftp server can be the same computer if you only have one.<br />
<br />
Be sure to have the ports to the client (or target) open. When in doubt consider disabling iptables or any firewall that might be active. <br />
<br />
Also be sure that the interface (ethX usually) is up and active.<br />
<br />
ifconfig eth0 up<br />
ifconfig eth0 192.168.0.2<br />
<br />
If you want to boot without a router between the server and the client you have to manually set an IP for ethX and a route.<br />
<br />
route add default gw 192.168.0.1<br />
<br />
A nameserver also needs to be added.<br />
<br />
echo nameserver 192.168.0.1 >> /etc/resolv.conf<br />
<br />
If a router is between the server and the client disabling DHCP on the router might be necessary, else you should be able to ignore these steps.<br />
<br />
=Method 1=<br />
<br />
This one is a bit easier since dnsmasq already has a tftp server built-in.<br />
Install dnsmasq on your server:<br />
<br />
pacman -S dnsmasq<br />
<br />
== Preparing dnsmasq ==<br />
<br />
Edit the configuration file for dnsmasq in:<br />
<br />
/etc/dnsmasq.conf<br />
<br />
The configuration file comments are rather verbose and should be self-explanatory. You should at least enable the following settings:<br />
<br />
dhcp-range=192.168.0.50,192.168.0.150,12h<br />
dhcp-boot=pxelinux.0<br />
enable-tftp<br />
tftp-root=/var/tftpboot<br />
<br />
For the files needed to boot, follow the instructions given under "Preparing tftpd".<br />
Now run dnsmasq.<br />
<br />
rc.d start dnsmasq<br />
<br />
=Method 2=<br />
<br />
Install the necessary programs on the existing Arch Linux computer which will act as the server for the installation on your client:<br />
<br />
pacman -S tftp-hpa dhcp<br />
<br />
== Preparing dhcpd ==<br />
<br />
Replace the default /etc/dhcpd.conf with the following (adjust to your network environment):<br />
<br />
# /etc/dhcpd.conf<br />
option domain-name-servers 208.67.222.222, 208.67.220.220;<br />
default-lease-time 86400;<br />
max-lease-time 604800;<br />
authoritative;<br />
subnet 192.168.0.0 netmask 255.255.255.0 {<br />
range 192.168.0.10 192.168.0.49;<br />
filename "pxelinux.0"; # the PXELinux boot agent<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.0.255;<br />
option routers 192.168.0.1;<br />
}<br />
<br />
Dhcpd will not run without ipv6. If you have disabled ipv6, reload the module:<br />
<br />
modprobe ipv6<br />
<br />
Be sure to set a static LAN IP in the same subnet as the '''option routers''' IP, or the DHCP server will not start:<br />
ifconfig eth0 192.168.0.1 netmask 255.255.255.0<br />
<br />
== Preparing tftpd ==<br />
<br />
Mount archboot.iso and copy the content of the folder boot to /var/tftpboot/:<br />
<br />
mount -o loop,ro archboot.iso /mnt/iso<br />
cp -a /mnt/iso/boot/ /var/tftpboot/<br />
<br />
Move contents of folder isolinux to tftpboot root:<br />
<br />
mv /var/tftpboot/boot/isolinux/* /var/tftpboot/<br />
rmdir /var/tftpboot/boot/isolinux<br />
<br />
Create pxelinux configuration:<br />
<br />
mkdir /var/tftpboot/pxelinux.cfg<br />
mv /var/tftpboot/isolinux.cfg /var/tftpboot/pxelinux.cfg/default<br />
<br />
Your Arch Linux network installer is now ready.<br />
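The "Preparing tftpd" steps above are typed one by one; as an added example (not code from the wiki page or from archboot), the function below performs them as one checked unit. It takes the directory where archboot.iso is mounted and the tftp root as parameters, refuses to start if boot/isolinux or isolinux.cfg is missing, verifies afterwards that the pxelinux.0 named in the dhcpd/dnsmasq configuration is actually in the tftp root, and clears any world-writable bits under the root, since TFTP serves the tree without authentication. The fake ISO tree used to exercise it is constructed.<br />

```shell
#!/bin/sh
# Added example: the tftpboot preparation steps as one function with checks.
# Not code from the wiki page or from archboot.

prepare_tftpboot() {
    iso=$1; root=$2
    [ -d "$iso/boot/isolinux" ] || { echo "no boot/isolinux under $iso (is the ISO mounted?)" >&2; return 1; }
    [ -f "$iso/boot/isolinux/isolinux.cfg" ] || { echo "isolinux.cfg missing under $iso" >&2; return 1; }
    mkdir -p "$root" || return 1

    # 1. copy the ISO's boot/ directory into the tftp root (same as the page's cp -a)
    cp -a "$iso/boot/" "$root/" || return 1

    # 2. hoist the isolinux files to the tftp root and drop the empty directory
    mv "$root/boot/isolinux/"* "$root/" || return 1
    rmdir "$root/boot/isolinux" || return 1

    # 3. pxelinux reads pxelinux.cfg/default where isolinux read isolinux.cfg
    mkdir -p "$root/pxelinux.cfg" || return 1
    mv "$root/isolinux.cfg" "$root/pxelinux.cfg/default" || return 1

    # 4. the DHCP "filename" handed to clients must exist, or no client boots
    [ -f "$root/pxelinux.0" ] || { echo "pxelinux.0 not found in $root" >&2; return 1; }

    # 5. TFTP has no authentication: nothing under the root should be writable
    #    by others (the daemon only needs read access)
    chmod -R o-w "$root"
}

# Usage, matching the paths on the page:
#   mount -o loop,ro archboot.iso /mnt/iso
#   prepare_tftpboot /mnt/iso /var/tftpboot
```

The same root works for Method 1 by pointing dnsmasq's {{Codeline|tftp-root}} at it.<br />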
<br />
= Starting the Install =<br />
<br />
Now make sure the dhcpd and tftpd daemons are running on the server.<br />
# /etc/rc.d/tftpd start<br />
# /etc/rc.d/dhcpd start<br />
<br />
Boot your destination machine over PXE (usually something like F12 on Dells or F11 on Supermicro boards, or enable it in the BIOS).<br />
<br />
When you get the PXEBoot prompt, type 'arch' or hit return to start the installer. The install should now progress the same as if you booted from CD. You can continue installation by following the [[Official Arch Linux Install Guide]] or [[Beginners Guide]].<br />
<br />
That's all!</div>Sironitomashttps://wiki.archlinux.org/index.php?title=Install_Arch_from_network_via_PXE&diff=150467Install Arch from network via PXE2011-08-01T22:57:17Z<p>Sironitomas: /* Preparing tftpd */</p>
<hr />
<div>[[Category: Getting and installing Arch (English)]]<br />
{{i18n|Install_Arch_from_network_via_PXE}}<br />
[[fr:Install PXE]]<br />
{{merge|Archiso_as_pxe_server}}<br />
<br />
= Network booting =<br />
<br />
Did your tiny laptop come without a CDROM drive, and doesn't allow you to boot from a usb drive? Fear not, you can boot using PXE.<br />
<br />
PXE is short for Preboot eXecution Environment and is a piece of software that usually resides deep within the guts of the BIOS to allow booting over the network interface. In order to boot into PXE check your BIOS' boot options. It's common to use the Ethernet port. <br />
<br />
==How it works==<br />
<br />
Booting with PXE roughly works as follows:<br />
* a client (the one you want to install to) boots into the environment and asks continuously for a DHCP lease (or IP if you will).<br />
* a DHCP server leases an IP to the client.<br />
* then a tftp (which is a lot like regular ftp) server delivers the files to boot to the target. <br />
<br />
After that the client boots. Once booted it is rather safe to kill the connection if necessary (e.g. to install from the net instead of the image served by tftp).<br />
<br />
== Requisites ==<br />
<br />
You need at least the following:<br />
* a server capable of running DHCPD<br />
* a server capable of running (a)tftpd<br />
* the [ftp://ftp.archlinux.org/iso/archboot/latest/ archboot installation iso] (the official images can not be used for this)<br />
<br />
The DHCP and tftp server can be the same computer if you only have one.<br />
<br />
Be sure to have the ports to the client (or target) open. When in doubt consider disabling iptables or any firewall that might be active. <br />
<br />
Also be sure that the interface (ethX usually) is up and active.<br />
<br />
ifconfig eth0 up<br />
ifconfig eth0 192.168.0.2<br />
<br />
If you want to boot without a router between the server and the client you have to manually set an IP for ethX and a route.<br />
<br />
route add default gw 192.168.0.1<br />
<br />
A nameserver also needs to be added.<br />
<br />
echo nameserver 192.168.0.1 >> /etc/resolv.conf<br />
<br />
If a router is between the server and the client disabling DHCP on the router might be necessary, else you should be able to ignore these steps.<br />
<br />
=Method 1=<br />
<br />
This one is a bit easier since dnsmasq already has a tftp server built-in.<br />
Install dnsmasq on your server:<br />
<br />
pacman -S dnsmasq<br />
<br />
== Preparing dnsmasq ==<br />
<br />
Edit the configuration file for dnsmasq in:<br />
<br />
/etc/dnsmasq.conf<br />
<br />
The configuration file comments are rather verbose and should be self-explanatory. You should at least enable the following settings:<br />
<br />
dhcp-range=192.168.0.50,192.168.0.150,12h<br />
dhcp-boot=pxelinux.0<br />
enable-tftp<br />
tftp-root=/my/path/to/the/boot/files<br />
<br />
For the files needed to boot, follow the instructions given under "Preparing tftpd".<br />
Now run dnsmasq.<br />
<br />
dnsmasq -d<br />
<br />
=Method 2=<br />
<br />
Install the necessary programs on the existing Arch Linux computer which will act as the server for the installation on your client:<br />
<br />
pacman -S tftp-hpa dhcp<br />
<br />
== Preparing dhcpd ==<br />
<br />
Replace the default /etc/dhcpd.conf with the following (adjust to your network environment):<br />
<br />
# /etc/dhcpd.conf<br />
option domain-name-servers 208.67.222.222, 208.67.220.220;<br />
default-lease-time 86400;<br />
max-lease-time 604800;<br />
authoritative;<br />
subnet 192.168.0.0 netmask 255.255.255.0 {<br />
range 192.168.0.10 192.168.0.49;<br />
filename "pxelinux.0"; # the PXELinux boot agent<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.0.255;<br />
option routers 192.168.0.1;<br />
}<br />
<br />
Dhcpd will not run without ipv6. If you have disabled ipv6, reload the module:<br />
<br />
modprobe ipv6<br />
<br />
Be sure to set a static LAN IP in the same subnet as the '''option routers''' IP, or the DHCP server will not start:<br />
ifconfig eth0 192.168.0.1 netmask 255.255.255.0<br />
<br />
== Preparing tftpd ==<br />
<br />
Mount archboot.iso and copy the content of the folder boot to /var/tftpboot/:<br />
<br />
mount -o loop,ro archboot.iso /mnt/iso<br />
cp -a /mnt/iso/boot/ /var/tftpboot/<br />
<br />
Move contents of folder isolinux to tftpboot root:<br />
<br />
mv /var/tftpboot/boot/isolinux/* /var/tftpboot/<br />
rmdir /var/tftpboot/boot/isolinux<br />
<br />
Create pxelinux configuration:<br />
<br />
mkdir /var/tftpboot/pxelinux.cfg<br />
mv /var/tftpboot/isolinux.cfg /var/tftpboot/pxelinux.cfg/default<br />
<br />
Your Arch Linux network installer is now ready.<br />
<br />
= Starting the Install =<br />
<br />
Now make sure the dhcpd and tftpd daemons are running on the server.<br />
# /etc/rc.d/tftpd start<br />
# /etc/rc.d/dhcpd start<br />
<br />
Boot your destination machine over PXE (usually something like F12 on Dells or F11 on Supermicro boards, or enable it in the BIOS).<br />
<br />
When you get the PXEBoot prompt, type 'arch' or hit return to start the installer. The install should now progress the same as if you booted from CD. You can continue installation by following the [[Official Arch Linux Install Guide]] or [[Beginners Guide]].<br />
<br />
That's all!</div>Sironitomashttps://wiki.archlinux.org/index.php?title=Privoxy&diff=148441Privoxy2011-07-06T16:16:53Z<p>Sironitomas: /* Usage */</p>
<hr />
<div>[[Category:Networking (English)]]<br />
<br />
{{Article summary start}}<br />
{{Article summary text|This article will explain how to install and configure Privoxy alongside the [[Tor]] network.}}<br />
{{Article summary heading|Required software}}<br />
{{Article summary link|Tor|https://www.torproject.org/download/download.html.en}}<br />
{{Article summary link|Privoxy|http://www.privoxy.org/}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|Tor}}<br />
{{Article summary wiki|Polipo}}<br />
{{Article summary end}}<br />
<br />
There might be some situations where you want to be completely anonymous while using the Internet. One way to go about this is using Tor and Privoxy.<br />
<br />
==Introduction==<br />
'''Privoxy''' is a filtering proxy for the HTTP protocol, frequently used in combination with [[Tor]]. Privoxy is a web proxy with advanced filtering capabilities for protecting privacy, filtering web page content, managing cookies, controlling access, and removing ads, banners, pop-ups, etc. It supports both stand-alone systems and multi-user networks.<br />
<br />
Using privoxy is necessary because browsers leak your DNS requests when they use a SOCKS proxy directly, which is bad for your anonymity.<br />
<br />
==Installation and setup==<br />
As root install the <tt>privoxy</tt> package from <tt>[community]</tt>.<br />
# pacman -S privoxy<br />
<br />
First, go to http://whatsmyip.net/ and write down your IP address. Edit your /etc/privoxy/config file and add this line at the end (be sure to include the . at the end and preserve the file owner and group as "privoxy"):<br />
forward-socks5 / localhost:9050 .<br />
Make sure your /etc/hosts is set up correctly. By default in Arch it maps 127.0.0.1 only to "localhost", but it also needs to contain the hostname you set in /etc/rc.conf.<br />
<br />
E.g. in the Arch default rc.conf HOSTNAME="myhost", so in /etc/hosts it should be:<br />
#<ip-address> <hostname.domain.org> <hostname><br />
127.0.0.1 myhost.localdomain myhost localhost<br />
<br />
If you plan to make privoxy available to other computers in your network, just add:<br />
listen-address [SERVER-IP]:[PORT]<br />
<br />
For example:<br />
<br />
listen-address 192.168.1.1:8118<br />
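Two things in the configuration above are easy to get wrong: the lone trailing "." on the forward-socks5 line (it means no further HTTP parent proxy) and a listen-address on a LAN IP, which makes Privoxy reachable by every host on that network. The checker below is an added example (not code from the wiki page or from Privoxy); it reads a config as a string, requires the correctly terminated SOCKS forward to Tor's port, and, whenever a listen-address is not loopback, insists that at least one {{Codeline|permit-access}} rule (Privoxy's own access-control directive) is present. The sample configurations are constructed.<br />

```shell
#!/bin/sh
# Added example: sanity-check a Privoxy config for the points made above.
# Not code from the wiki page or from Privoxy.

# Strip comments and blank lines so only directives remain.
privoxy_directives() {
    printf '%s\n' "$1" | sed 's/#.*//' | grep -v '^[[:space:]]*$'
}

# 0 if a forward-socks5 line to Tor's SOCKS port, terminated by the lone ".",
# is present.
has_tor_forward() {
    privoxy_directives "$1" | grep -Eq \
        '^forward-socks5[[:space:]]+/[[:space:]]+(localhost|127\.0\.0\.1):9050[[:space:]]+\.[[:space:]]*$'
}

# 0 if every listen-address is loopback, or a permit-access rule exists.
listen_is_guarded() {
    addrs=$(privoxy_directives "$1" | awk '$1 == "listen-address" {print $2}')
    [ -n "$addrs" ] || return 0          # Privoxy's default is 127.0.0.1:8118
    for a in $addrs; do
        case "$a" in
            127.*|localhost:*|\[::1\]:*) ;;
            *) privoxy_directives "$1" | grep -q '^permit-access[[:space:]]' || return 1 ;;
        esac
    done
}

# Run both checks; prints each problem and returns 1 if any was found.
check_privoxy_config() {
    rc=0
    has_tor_forward "$1" || { echo "forward-socks5 to localhost:9050 missing or not terminated with ' .'" >&2; rc=1; }
    listen_is_guarded "$1" || { echo "listen-address on a non-loopback address without a permit-access rule" >&2; rc=1; }
    return $rc
}

# Usage against the live file:
#   check_privoxy_config "$(cat /etc/privoxy/config)"
```

If the check passes but Tor is not running, Privoxy still starts and simply fails every request, so verify the SOCKS side separately.<br />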
<br />
==Ad Blocking with Privoxy==<br />
Using an ad blocking extension in a web browser can increase page load time. Additionally, extensions like AdBlock Plus are not supported by all browsers. A useful alternative is to install system-wide ad blocking by setting a proxy address in your preferred browser.<br />
<br />
Once Privoxy has been installed download and install an AdBlock Plus easylist importer from AUR (i.e. [http://aur.archlinux.org/packages.php?ID=43861 privoxy-blocklist]). You can use a wrapper like yaourt or clyde to do so.<br />
<br />
==Usage==<br />
Start the Privoxy service:<br />
# rc.d start privoxy<br />
<br />
Add privoxy to your <tt>DAEMONS</tt> array in {{filename|/etc/rc.conf}}<br />
DAEMONS=(... privoxy ...)<br />
<br />
Configure your program to use Privoxy. The default address is:<br />
localhost:8118<br />
<br />
For Firefox, go to:<br />
Preferences > Advanced > Network > Settings<br />
<br />
For Chromium you can use:<br />
<br />
$ chromium --proxy-server="localhost:8118"<br />
<br />
==Troubleshooting==<br />
If errors appear when accessing /var/log/privoxy/, you can add the following after the '/bin/bash' line in /etc/rc.d/privoxy and then restart privoxy.<br />
if [ ! -d /var/log/privoxy ]; then<br />
mkdir /var/log/privoxy<br />
touch /var/log/privoxy/errorfile<br />
touch /var/log/privoxy/logfile<br />
chown -R privoxy:adm /var/log/privoxy<br />
fi<br />
<br />
==External Links==<br />
* [http://www.privoxy.org/ Official website]<br />
* [http://thestegemans.com/archives/2011/06/03/blocking_ads_on_arch_linux_with_privoxy/ Blocking ads with Privoxy] by Mike Stegeman</div>Sironitomashttps://wiki.archlinux.org/index.php?title=Privoxy&diff=148440Privoxy2011-07-06T16:15:11Z<p>Sironitomas: /* Usage */</p>
<hr />
Sironitomashttps://wiki.archlinux.org/index.php?title=Privoxy&diff=148439Privoxy2011-07-06T16:09:28Z<p>Sironitomas: /* Troubleshooting */</p>
<hr />
Sironitomashttps://wiki.archlinux.org/index.php?title=Privoxy&diff=148406Privoxy2011-07-06T03:16:54Z<p>Sironitomas: /* Installation and setup */</p>
<hr />
Sironitomashttps://wiki.archlinux.org/index.php?title=Privoxy&diff=148405Privoxy2011-07-06T03:12:41Z<p>Sironitomas: /* Installation and setup */</p>
<hr />
Sironitomashttps://wiki.archlinux.org/index.php?title=Privoxy&diff=148404Privoxy2011-07-06T03:06:33Z<p>Sironitomas: /* Ad Blocking with Privoxy */</p>
<hr />
Sironitomashttps://wiki.archlinux.org/index.php?title=Privoxy&diff=148403Privoxy2011-07-06T03:02:40Z<p>Sironitomas: /* Usage */</p>
<hr />
Sironitomashttps://wiki.archlinux.org/index.php?title=GNOME&diff=147931GNOME2011-07-01T23:34:39Z<p>Sironitomas: /* Hide titlebar when maximized */</p>
<hr />
<div>{{i18n|GNOME 3|GNOME}}<br />
[[fr:gnome3]]<br />
<br />
[[Category:Desktop environments (English)]]<br />
<br />
{{Article summary start}}<br />
{{Article summary text|GNOME 3 provides a modern desktop, rewritten from scratch, using the GTK3+ toolkit.}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Graphical user interface overview}}}}<br />
{{Article summary end}}<br />
<br />
The GNOME Project started from scratch and created a completely new desktop called GNOME 3. It has:<br />
<br />
* A modern visual theme and font<br />
* An activities view providing access to all windows and applications<br />
* A subtle notification system and a discreet top panel<br />
* Integration with an improved Nautilus file manager<br />
* Integrated desktop services for messaging<br />
* A new system settings application <br />
* An activities search feature<br />
* Features such as snap-like window tiling<br />
<br />
Additional explanations are found on the [http://www.gnome3.org/ official GNOME3 website.]<br />
<br />
== Introduction ==<br />
<br />
GNOME 3 has ''two'' interfaces: '''GNOME Shell,''' the new standard layout; and '''fallback mode.''' Gnome-session automatically detects when your computer is incapable of running Gnome Shell and starts fallback mode when appropriate. <br />
<br />
'''Fallback mode''' is similar to GNOME 2. (Fallback mode uses gnome-panel/Metacity instead of gnome-shell/Mutter.)<br />
<br />
When you are on fallback mode you can still replace GNOME's default window manager with your preferred one.<br />
<br />
== Upgrade from GNOME 2 ==<br />
<br />
{{Warning|Upgrading to GNOME 3 from a GNOME 2 session might cause a system crash.}}<br />
<br />
It is recommended that you run the update command from a TTY session or from another Desktop Environment / Window Manager.<br />
<br />
# pacman -Syu <br />
<br />
After this update you have installed GNOME 3.x with ''fallback mode'' only. To install the new GNOME shell:<br />
<br />
# pacman -S gnome-shell<br />
<br />
== Install GNOME 3 to a new system ==<br />
<br />
GNOME 3 is in the [extra] repository. Install it by running the following commands:<br />
<br />
# pacman -Syu # First update the existing system<br />
# pacman -S gnome # Install GNOME 3<br />
# pacman -S gnome-extra # Install additional GNOME applications<br />
<br />
=== Daemon and module used by GNOME ===<br />
<br />
The GNOME desktop requires the '''DBUS''' daemon and the '''FUSE''' kernel module. <br />
<br />
Ensure that dbus is added to your DAEMONS array so it starts automatically on boot.<br />
<br />
: {{File|/etc/rc.conf|content=<nowiki>... previous lines ...<br />
<br />
DAEMONS=(... dbus ...)<br />
<br />
... more lines ...</nowiki>}}<br />
<br />
<br />
'''GVFS''' allows the mounting of virtual file systems to be used by other applications, including the file manager Nautilus. An example of a VFS is a file system used over FTP or SMB. GVFS exposes these mounts through '''FUSE''', a kernel module that lets file systems be implemented by user-space programs, so that applications unaware of GVFS can still reach them as ordinary paths.<br />
<br />
To manually load the FUSE kernel module:<br />
<br />
# modprobe fuse<br />
<br />
Add '''FUSE''' to your MODULES array in '''{{Filename|/etc/rc.conf}}''' so it loads during system boot.<br />
<br />
: {{File|/etc/rc.conf|content=<nowiki>... previous lines ...<br />
<br />
MODULES=(</nowiki>'''fuse'''<nowiki>)<br />
<br />
... more lines ...</nowiki>}}<br />
<br />
=== Running GNOME ===<br />
<br />
For the best desktop integration, login manager '''GDM''' is recommended. Other login managers (a.k.a. display managers) such as SLiM can be used in place of GDM. Check out the [[Display_Manager|wiki article on display managers]] to learn how desktop environments are started.<br />
<br />
The login manager runs with privileges that affect the whole system (it starts the X server and user sessions), and what a logged-in session may then do, such as mounting disks or shutting down, is governed by PolicyKit. The [[PolicyKit|PolicyKit wiki article]] addresses this system-wide access control.<br />
<br />
# pacman -S gdm<br />
<br />
If you prefer to start GNOME manually from the console, add the following line to your '''{{Filename|~/.xinitrc}}''' file, making sure it is the last line and the only command starting with ''exec''. See the [[xinitrc| xinitrc wiki article.]]<br />
<br />
exec ck-launch-session gnome-session<br />
<br />
After the ''exec'' command is placed, GNOME is launched by typing '''startx'''.<br />
<br />
== Using the shell ==<br />
<br />
=== GNOME cheat sheet ===<br />
<br />
The GNOME web site has a helpful [https://live.gnome.org/GnomeShell/CheatSheet GNOME Shell cheat sheet] explaining task switching, keyboard use, window control, the panel, overview mode, and more.<br />
<br />
=== Restarting the shell ===<br />
<br />
After appearance tweaks you are often asked to restart the GNOME shell. You could log out and log back in, but it is simpler and faster to issue the following keyboard command. Restart the shell by pressing {{Keypress|Alt}} + {{Keypress|F2}} then {{Keypress|r}} then {{Keypress|Enter}}<br />
<br />
=== Shell crashes ===<br />
<br />
Certain tweaks and/or repeated shell restarts may cause the shell to crash when a restart is attempted. In this case, you are informed about the crash and then forced to log out. Some shell changes, such as switching between '''''GNOME Shell''''' and '''''fallback mode,''''' cannot be accomplished via a keyboard restart; you must log out and log back in to effect them.<br />
<br />
It is common sense — but worth repeating — that valuable documents should be saved (and perhaps closed) before attempting a shell restart. It is not strictly necessary; opened windows and documents remain intact after a shell restart in most cases.<br />
<br />
== Customizing GNOME appearance ==<br />
<br />
=== Overall appearance ===<br />
<br />
GNOME 3 may have "started from scratch", but like most large software projects it is assembled from parts dating to different eras. There is not '''one''' all-encompassing configuration tool. The new ''System Settings'' tool is a big improvement over previous control panels. ''System Settings'' is well-organized, but you may find yourself wishing for more control over system appearance.<br />
<br />
You may be familiar with existing configuration tools: some of these still work; many will not. Some settings are not readily exposed for you to change. Indubitably, many settings will migrate to newer tools and/or become exposed as time progresses and the wider community embraces and extends the latest GNOME desktop.<br />
<br />
==== Gsettings ====<br />
<br />
The new command-line tool '''gsettings''' is the front end to GSettings, which stores settings in the binary dconf database rather than the XML text files used by the older GConf. A tutorial [http://blog.fpmurphy.com/2011/03/customizing-the-gnome-3-shell.html Customizing the GNOME Shell] explores the power of gsettings.<br />
<br />
==== GNOME tweak tool ====<br />
<br />
This graphical tool customizes fonts, themes, titlebar buttons and other settings. <br />
<br />
# pacman -S gnome-tweak-tool<br />
<br />
Version 3.0.3 only works when gnome-shell is installed (OK if forced to fallback mode). [https://bugzilla.gnome.org/show_bug.cgi?id=647132 Bugzilla bug report here.]<br />
<br />
==== GTK3 theme via settings.ini ====<br />
<br />
Like '''{{Filename|~/.gtkrc-2.0}}''' with GTK2+, it is possible to set a GTK3 theme via '''{{Filename|${XDG_CONFIG_HOME}/gtk-3.0/settings.ini}}'''.<br />
<br />
Variable <tt>$XDG_CONFIG_HOME</tt> is usually set to '''~/.config'''<br />
<br />
''Adwaita,'' the default GNOME 3 theme, is a part of '''gnome-themes-standard.''' Additional GTK3 themes are found at [http://browse.deviantart.com/customization/skins/linuxutil/desktopenv/gnome/gtk3/ Deviantart web site.] For example:<br />
<br />
[Settings]<br />
gtk-theme-name = Adwaita<br />
gtk-fallback-icon-theme = gnome<br />
# next option is applicable only if selected theme supports it<br />
gtk-application-prefer-dark-theme = true<br />
# set font name and dimension<br />
gtk-font-name = Sans 10<br />
<br />
It is necessary to [[#Restarting_the_shell|restart GNOME shell]] for settings to be applied. More GTK options are found at [http://developer.gnome.org/gtk3/3.0/GtkSettings.html#GtkSettings.properties GNOME developer documentation.]<br />
<br />
==== Icon theme ====<br />
<br />
Using gnome-tweak-tool v. 3.0.3 and later, you can place any icon theme you wish to use inside '''{{Filename|~/.icons}}'''.<br />
<br />
Usefully, GNOME 3 is compatible with GNOME 2 icon themes, which means you're not stuck with the default icons. To install a new set of icons, copy your desired icon theme's directory to '''{{Filename|~/.icons}}'''. As an example:<br />
<br />
$ cp -R /home/user/Desktop/my_icon_theme ~/.icons<br />
<br />
The new theme ''my_icon_theme'' is now selectable using '''gnome-tweak-tool''' under '''''interface.'''''<br />
<br />
Alternatively, you may textually select your icon theme with no need for gnome-tweak-tool. Add the GTK icon theme name to '''{{Filename|${XDG_CONFIG_HOME}/gtk-3.0/settings.ini}}'''.<br />
<br />
: {{file|name=${XDG_CONFIG_HOME}/gtk-3.0/settings.ini|content=<nowiki>... previous lines ...<br />
<br />
gtk-icon-theme-name = my_new_icon_theme</nowiki>}}<br />
<br />
=== Nautilus ===<br />
<br />
==== Removing folders from the places sidebar ====<br />
<br />
The displayed folders are specified in {{Filename|~/.config/user-dirs.dirs}} and can be altered with any editor. An execution of {{codeline|xdg-user-dirs-update}} will change them again, thus it may be advisable to set the file permissions to read-only.<br />
<br />
==== Always show text-entry location ====<br />
<br />
The standard Nautilus toolbar shows a button bar interface for path navigation. To enter path locations using the ''keyboard'' you must expose the location text-entry field. This is done by pressing {{Keypress|Ctrl}} + {{Keypress|L}}<br />
<br />
To make the location text-entry field always present, use gsettings as shown. Note: after changing this setting you will not be able to expose the button bar. Only when the setting is '''false''' can both forms of location navigation be employed.<br />
<br />
gsettings set org.gnome.nautilus.preferences always-use-location-entry true<br />
<br />
=== GNOME panel ===<br />
<br />
==== Hide accessibility icon ====<br />
<br />
<!-- Comment: Deactivate WHAT as a startup service? I did not see a relevant a11y entry in my startup. --><br />
<br />
Deactivate it as startup-service. Refer to section: [[#Automatic_program_launch_upon_login|Automatic program launch upon login]]<br />
<br />
Create a folder named '''{{Filename|noa11y.icon@panel.ui}}''' in '''{{Filename|$HOME/.local/share/gnome-shell/extensions}}''' Create two files in this folder.<br />
<br />
The first file is '''{{Filename|extension.js}}'''<br />
<br />
const Panel = imports.ui.panel;<br />
<br />
function main() {<br />
Panel.STANDARD_TRAY_ICON_SHELL_IMPLEMENTATION['a11y'] = '';<br />
}<br />
The second file is '''{{Filename|metadata.json}}'''<br />
{<br />
"shell-version": ["3.0"],<br />
"uuid": "noa11y.icon@panel.ui",<br />
"name": "na11y",<br />
"description": "Turn off the a11y icon in the panel"<br />
}<br />
<br />
[[#Restarting_the_shell|Restart the GNOME shell.]] The accessibility icon should be hidden. If this extension ceases to work in the future, adjust the shell version number in '''{{Filename|metadata.json.}}'''<br />
<br />
Alternatively, you may disable the accessibility icon system-wide. Edit '''{{Filename|/usr/share/gnome-shell/js/ui/panel.js}}''' Locate the following line and comment it out or delete it. Afterward restart the shell.<br />
<br />
'a11y': imports.ui.status.accessibility.ATIndicator,<br />
<br />
==== Hide bluetooth icon ====<br />
<br />
Deactivate it as startup-service. Refer to section [[#Automatic_program_launch_upon_login|Automatic program launch upon login]]<br />
<br />
Create a folder named '''{{Filename|nobluetooth.icon@panel.ui}}''' in '''{{Filename|$HOME/.local/share/gnome-shell/extensions}}'''. In this folder create two files.<br />
<br />
The first file is '''{{Filename|extension.js}}'''<br />
const Panel = imports.ui.panel;<br />
<br />
function main() {<br />
Panel.STANDARD_TRAY_ICON_SHELL_IMPLEMENTATION['bluetooth'] = '';<br />
}<br />
<br />
The second file is '''{{Filename|metadata.json}}'''<br />
{<br />
"shell-version": ["3.0"],<br />
"uuid": "nobluetooth.icon@panel.ui",<br />
"name": "nbluetooth",<br />
"description": "Turn off the bluetooth icon in the panel"<br />
}<br />
<br />
[[#Restarting_the_shell|Restart the GNOME shell.]] The icon should be hidden. If this extension ceases to work in the future, adjust the shell version number in '''{{Filename|metadata.json.}}'''<br />
<br />
==== Show battery icon ====<br />
<br />
To show the battery tray icon, install gnome-power-manager.<br />
<br />
# pacman -S gnome-power-manager<br />
<br />
==== Disable "Suspend" in the status menu ====<br />
<br />
A quick way to do it system-wide is to change line 153 of '''{{Filename|/usr/share/gnome-shell/js/ui/statusMenu.js}}'''<br />
<br />
// this._haveSuspend = this._upClient.get_can_suspend(); // Comment this line out.<br />
this._haveSuspend = false; // Use this line instead.<br />
<br />
=== Titlebar ===<br />
<br />
==== Reduce titlebar height ====<br />
<br />
# sed -i '/title_vertical_pad/s|value="[0-9]\{1,2\}"|value="0"|g' /usr/share/themes/Adwaita/metacity-1/metacity-theme-3.xml<br />
<br />
[[#Restarting_the_shell|Restart the GNOME shell.]] This changes vertical padding from 14 to 0, giving windows a sleeker look.<br />
<br />
To restore the original values:<br />
<br />
# pacman -S gnome-themes-standard<br />
<br />
==== Hide titlebar when maximized ====<br />
<br />
# sed -i -r 's|(<frame_geometry name="max")|\1 has_title="false"|' /usr/share/themes/Adwaita/metacity-1/metacity-theme-3.xml<br />
<br />
[[#Restarting_the_shell|Restart the GNOME shell.]] After this tweak, you may find it difficult to un-maximize a window when there is no titlebar to grab.<br />
<br />
With suitable keybindings, you should be able to use {{Keypress|Alt}} + {{Keypress|F5}}, {{Keypress|Alt}} + {{Keypress|F10}} or {{Keypress|Alt}} + {{Keypress|Space}} to remedy the situation.<br />
<br />
To prevent '''{{filename|metacity-theme-3.xml}}''' from being overwritten each time package "gnome-themes-standard" is upgraded, add its name to '''{{Filename|/etc/pacman.conf}}''' with <tt>NoUpgrade</tt>.<br />
<br />
: {{File|/etc/pacman.conf|content=<nowiki>... previous lines ...<br />
<br />
# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup<br />
# IgnorePkg =<br />
# IgnoreGroup =<br />
<br />
NoUpgrade = usr/share/themes/Adwaita/metacity-1/metacity-theme-3.xml # Do not add a leading slash to the path<br />
<br />
... more lines ...</nowiki>}}<br />
<br />
To restore original Adwaita theme values:<br />
<br />
# pacman -S gnome-themes-standard<br />
<br />
=== Login screen ===<br />
<br />
To modify characteristics of the login screen (GDM, the GNOME display manager) the following lines can be executed. The first command opens a bash session with the credentials of user "gdm".<br />
<br />
# su - gdm -s /bin/bash<br />
$ dbus-launch<br />
<br />
The second command prints DBUS_SESSION_BUS_ADDRESS and DBUS_SESSION_BUS_PID. Export both variables, using the values printed on your own system (the ones below are only an example):<br />
<br />
$ export DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-Jb433gMQHS,guid=fc14d4bf3d000e38276a5a2200000d38<br />
$ export DBUS_SESSION_BUS_PID=4283<br />
<br />
<div style="margin: 1em 3em;"><br />
To avoid copying and pasting, you may use the script '''{{Filename|prep-gdm-vars}}''' to export the variables. The other scripts assist in setting up the GDM wallpaper. Place these files in a suitable location. Make them executable using chmod. An example of running these scripts appears below.<br />
<br />
{{File|name=/usr/local/prep-gdm-vars|content=<nowiki># This script must be run using '.' or 'source'<br />
# dbus-launch --sh-syntax prints the assignments together with matching export statements<br />
eval "$(dbus-launch --sh-syntax)"</nowiki>}}<br />
<br />
{{File|name=/usr/local/show-avail-gdm-bkgd|content=<nowiki>#!/bin/bash<br />
# Usage: show-avail-gdm-bkgd [folder]<br />
# Specify any folder within /usr/share/backgrounds.<br />
# If you omit the folder, you'll be shown available choices.<br />
file_part="/usr/share/backgrounds/"<br />
if [ -z "$1" ]; then<br />
    echo -e "\nPlease specify one of these directories:\n"<br />
    ls "$file_part"; echo; exit 1; fi<br />
ls "${file_part}$1"<br />
</nowiki>}}<br />
<br />
{{File|name=/usr/local/revise-gdm-bkgd|content=<nowiki>#!/bin/bash<br />
# Usage: revise-gdm-bkgd gnome/filename.jpg<br />
# Specify any file path within /usr/share/backgrounds.<br />
org_part="org.gnome.desktop.background picture-uri"<br />
file_full="/usr/share/backgrounds/$1"<br />
# Trap when argument is: missing, a mere directory, a bad filename.<br />
if [ -z "$1" ] || [ -d "$file_full" ]; then<br />
    echo -e "\nSpecify a file. Use this example:"<br />
    echo -e "  revise-gdm-bkgd gnome/TwoWings.jpg\n"; exit 1; fi<br />
if ! [ -r "$file_full" ]; then<br />
    echo -e "\nSpecified file does not exist or is not readable.\n"; exit 2; fi<br />
# $org_part is deliberately unquoted: it must split into schema and key<br />
GSETTINGS_BACKEND=dconf gsettings set $org_part "file://${file_full}"<br />
</nowiki>}}<br />
</div><br />
<br />
Check to see if dconf-service is running and if not, start it like this<br />
<br />
$ /usr/lib/dconf/dconf-service &<br />
<br />
==== Login background image ====<br />
<br />
Once session variables have been exported as explained above, you may issue commands to retrieve or set items used by GDM. The following commands retrieve or set the file name used for GDM's wallpaper.<br />
<pre style="overflow:auto;"><br />
$ GSETTINGS_BACKEND=dconf gsettings get org.gnome.desktop.background picture-uri<br />
$ GSETTINGS_BACKEND=dconf gsettings set org.gnome.desktop.background picture-uri "file:///usr/share/backgrounds/gnome/SundownDunes.jpg"<br />
</pre><br />
You must specify a file which user "gdm" has permission to read. GDM runs as that unprivileged account, so files under your home directory are normally not readable by it.<br />
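As an added example, not part of this article's scripts, the functions below perform that readability check before anything is handed to gsettings: {{Codeline|other_readable}} verifies that the file is world-readable and every parent directory is world-searchable (what the unprivileged gdm account needs, short of arranging group ownership), {{Codeline|bkgd_uri}} builds the {{Codeline|file://}} URI while rejecting path traversal and characters that would be unsafe inside the {{Codeline|su -c}} command string, and {{Codeline|set_gdm_background}} wires the result to the su/dbus-launch steps shown above. The function names, the {{Codeline|BKGD_ROOT}} override and the use of {{Codeline|dbus-launch --sh-syntax}} are this example's own choices.<br />

```shell
# Added example, not from the wiki page. Before handing a wallpaper path to gsettings
# as user "gdm", check that the unprivileged gdm account can actually read it.
# BKGD_ROOT may be overridden only to exercise the checks on a scratch directory.
BKGD_ROOT=${BKGD_ROOT:-/usr/share/backgrounds}

# other_readable FILE: succeed only if FILE is world-readable (o+r) and every parent
# directory is world-searchable (o+x), which is what gdm needs unless group ownership
# is arranged. A 0700 home directory fails at the first parent.
other_readable() {
    f=$1
    case $f in /*) ;; *) f=$PWD/$f ;; esac   # make absolute so dirname terminates at /
    [ -f "$f" ] || return 1
    mode=$(stat -c %a "$f")                  # GNU stat (coreutils), e.g. 644
    [ $(( mode % 10 & 4 )) -ne 0 ] || return 1
    d=$(dirname "$f")
    while [ "$d" != / ]; do
        dmode=$(stat -c %a "$d")
        [ $(( dmode % 10 & 1 )) -ne 0 ] || return 1
        d=$(dirname "$d")
    done
}

# bkgd_uri REL: turn a path relative to BKGD_ROOT (e.g. gnome/TwoWings.jpg) into the
# file:// URI gsettings expects, refusing traversal, absolute paths and characters that
# would need escaping when the URI is later embedded in a shell command line.
bkgd_uri() {
    rel=$1
    case $rel in
        ''|/*|*..*)             return 1 ;;
        *[!A-Za-z0-9._/-]*)     return 1 ;;
    esac
    full=$BKGD_ROOT/$rel
    other_readable "$full" || return 1
    printf 'file://%s\n' "$full"
}

# set_gdm_background REL: run gsettings on gdm's own session bus. Needs root;
# mirrors the su/dbus-launch steps above and kills the throwaway bus afterwards.
set_gdm_background() {
    uri=$(bkgd_uri "$1") || {
        echo "refusing: '$1' is not a gdm-readable file under $BKGD_ROOT" >&2
        return 1
    }
    su - gdm -s /bin/bash -c "
        eval \"\$(dbus-launch --sh-syntax)\"
        GSETTINGS_BACKEND=dconf gsettings set org.gnome.desktop.background picture-uri '$uri'
        kill \"\$DBUS_SESSION_BUS_PID\"
    "
}
```

Source the file and call {{Codeline|set_gdm_background gnome/GreenMeadow.jpg}} as root; a file that gdm cannot reach is refused with a message instead of being written into dconf and silently ignored at the next login.<br />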
<br />
<div style="margin: 1em 3em;"><br />
Here is a session showing how a user might change the GDM wallpaper using the scripts shown above. It starts in a normal user's terminal and assumes the user can open a bash session as root. Root then opens a session as "gdm" and changes the wallpaper.<br />
<br />
$ su -<br />
Password: <br />
<br />
# su - gdm -s /bin/bash<br />
<br />
-bash-4.2$ . prep-gdm-vars # Must use . to execute this script!<br />
<br />
-bash-4.2$ show-avail-gdm-bkgd dangermouse<br />
001.jpg 005.jpg 009.jpg 013.jpg 017.jpg 021.jpg 025.jpg 029.jpg 033.jpg<br />
002.jpg 006.jpg 010.jpg 014.jpg 018.jpg 022.jpg 026.jpg 030.jpg 034.jpg<br />
003.jpg 007.jpg 011.jpg 015.jpg 019.jpg 023.jpg 027.jpg 031.jpg 035.jpg<br />
004.jpg 008.jpg 012.jpg 016.jpg 020.jpg 024.jpg 028.jpg 032.jpg 036.jpg<br />
<br />
-bash-4.2$ show-avail-gdm-bkgd gnome<br />
Aqua.jpg FreshFlower.jpg Spaceflare-nova.jpg Terraform-green.jpg YellowFlower.jpg<br />
Blinds.jpg Garden.jpg Spaceflare-supernova.jpg Terraform-orange.jpg<br />
BlueMarbleWest.jpg GreenMeadow.jpg SundownDunes.jpg TwoWings.jpg<br />
FootFall.png Spaceflare.jpg Terraform-blue.jpg Wood.jpg<br />
<br />
-bash-4.2$ revise-gdm-bkgd gnome/GreenMeadow.jpg<br />
<br />
-bash-4.2$ logout<br />
<br />
# logout<br />
$<br />
<br />
Script '''{{Filename|revise-gdm-bkgd}}''' may also be used to change your normal user background from the command prompt. Admittedly, the script name does not quite fit when used for that purpose.<br />
</div><br />
<br />
==== Turning off the sound ====<br />
<br />
$ GSETTINGS_BACKEND=dconf gsettings set org.gnome.desktop.sound event-sounds false<br />
<br />
==== Remove fingerprint widgets ====<br />
<br />
The GDM login dialog has a couple of icons which appear when password (or fingerprint) authentication is requested. The icons disappear after making a brief appearance, but their presence can be distracting. When you have no fingerprint reader, you may prefer to not see these icons at all.<br />
<br />
GDM authentication icons may be removed by un-checking the option '''<tt>Enable fingerprint reader support.</tt>''' This option is found in the '''Authentication Configuration''' applet:<br />
<br />
# system-config-authentication<br />
<br />
==== GDM keyboard layout ====<br />
<br />
GDM does not know about your GNOME 3 desktop keyboard settings. To change keyboard settings used by GDM, set your layout using Xorg configuration. Refer to this section of the [[Beginners'_Guide#Non-US_keyboard|Beginner's Guide.]]<br />
<br />
==== Automatic program launch upon login ====<br />
<br />
Specify which programs start automatically after login using '''gnome-session-properties.''' This tool is part of the <br />
package '''gnome-session.'''<br />
<br />
$ gnome-session-properties<br />
<br />
== Hidden features ==<br />
<br />
GNOME 3 hides many useful options which you can customize with '''dconf-editor.''' GNOME 3 also supports '''gconf-editor''' for settings that have not yet migrated to dconf.<br />
<br />
=== Changing hotkeys ===<br />
<br />
Firstly, use '''dconf-editor''' to place a checkmark next to <tt>can-change-accels</tt> in the key named ''org.gnome.desktop.interface.''<br />
<br />
We will replace the hotkey — a.k.a. keyboard shortcut, keyboard accelerator — used by Nautilus to move files to the trash folder.<br />
<br />
The default assignment is a somewhat-awkward {{Keypress|Ctrl}} + {{Keypress|Delete}}.<br />
<br />
* Open Nautilus, select any file, and click '''Edit''' on the menu bar.<br />
* Hover over the ''Move to Trash'' menu item.<br />
* While hovering, press {{Keypress|Delete}}. The current accelerator is now unset.<br />
* Press the key that you wish to become the new keyboard accelerator.<br />
* For example, press {{Keypress|Delete}} to make {{Keypress|Delete}} the new accelerator.<br />
<br />
Unless you select a file or folder, ''Move to Trash'' will be grayed-out. Finally, disable <tt>can-change-accels</tt> to prevent accidental hotkey changes.<br />
<br />
=== Shutdown via the status menu ===<br />
<br />
Presently, GNOME designers have hidden the Shutdown option inside the status menu. To shut down your system with the status menu, click the menu and then press the '''Alt''' key.<br />
<br />
The '''''Suspend''''' item changes to '''''Power Off.''''' Keep pressing Alt and select '''''Power Off...''''' The subsequent dialog allows you to shut down or restart your system.<br />
<br />
If you disable the Suspend menu item system-wide as described [[#Disable_"Suspend"_in_the_status_menu|elsewhere in this document]] you do not have to go through these motions.<br />
<br />
Another option is to install the ''Alternative Status Menu'' extension. See the section on shell extensions. The alternative menu extension installs a new status menu with a non-hidden '''''Power Off''''' entry.<br />
<br />
== Integrated messaging ==<br />
<br />
Empathy, the engine behind integrated messaging, and all system settings based on messaging accounts will not show up unless the '''telepathy''' group of packages or at least one of the backends ('''telepathy-gabble''', or '''telepathy-haze''', for example) is installed.<br />
<br />
These packages are not included in default Arch GNOME installs. Empathy gives no helpful error message when they are missing; it simply fails silently. Install the packages:<br />
<br />
# pacman -S telepathy<br />
<br />
View descriptions of telepathy components on the [http://telepathy.freedesktop.org/wiki/Components Freedesktop.org Telepathy Wiki.]<br />
<br />
== Miscellaneous settings ==<br />
<br />
=== GNOME shell extensions ===<br />
<br />
Gnome Shell can be customized with extensions written by others. These provide features such as a dock or a widget for changing the theme. Details on available extensions are found at the [http://www.webupd8.org/2011/04/gnome-shell-extensions-additional.html WEBUPD8] site.<br />
<br />
You can use AUR package [http://aur.archlinux.org/packages.php?ID=47501 gnome‑shell‑extensions‑git] to install several extensions or install them individually using an extension snapshot. [http://www.archlinux.org/packages/?sort=&q=gnome-shell-extension&maintainer=&last_update=&flagged=&limit=50 Listing here.] Restart GNOME shell after installing an extension.<br />
<br />
=== If an extension breaks GNOME ===<br />
<br />
When enabling shell extensions causes GNOME breakage, you should first remove the ''user-theme'' and ''auto-move-windows'' extensions from their installation directory.<br />
<br />
The installation directory could be one of '''{{Filename|~/.local/share/gnome‑shell/extensions,}}''' '''{{Filename|/usr/share/gnome‑shell/extensions,}}''' or '''{{Filename|/usr/local/share/gnome‑shell/extensions}}'''. Removing these two extension-containing folders may fix the breakage. Otherwise, isolate the problem extension with trial‑and‑error.<br />
<br />
Removing or adding an extension-containing folder to the aforementioned directories removes or adds the corresponding extension to your system. Details on Gnome Shell extensions are available at the [https://live.gnome.org/GnomeShell/Extensions GNOME web site.]<br />
<br />
=== Default terminal ===<br />
<br />
{{codeline|gsettings}}, which replaces {{codeline|gconftool-2}} in GNOME 3, is used to set e.g. the default terminal manually. The setting is relevant for ''nautilus-open-terminal''.<br />
The commands for [[rxvt-unicode|urxvt]] run as daemon:<br />
<br />
gsettings set org.gnome.desktop.default-applications.terminal exec urxvtc<br />
gsettings set org.gnome.desktop.default-applications.terminal exec-arg "'-e'"<br />
<br />
{{Note|For ''nautilus-open-terminal'', you may need a flag (e.g. {{Codeline|-e}}) to indicate that a command will follow: ''nautilus-open-terminal'' passes a {{Codeline|cd}} command in order to change directories to the appropriate location.}}<br />
<br />
=== Middle mouse button ===<br />
<br />
By default, GNOME 3 disables middle mouse button emulation regardless of Xorg settings ('''Emulate3Buttons'''). To enable middle mouse button emulation use:<br />
<br />
gsettings set org.gnome.settings-daemon.peripherals.mouse middle-button-enabled true<br />
<br />
=== Xmonad ===<br />
<br />
[[Xmonad]] is a tiling window manager.<br />
<br />
Upgrading to GNOME 3 will likely break your xmonad setup. You can use xmonad again by [[#Enabling_fallback_mode|forcing fallback mode]] and creating two files:<br />
<br />
: {{file|name=/usr/share/gnome-session/sessions/xmonad.session|content=<nowiki>[GNOME Session]<br />
Name=Xmonad session<br />
RequiredComponents=gnome-panel;gnome-settings-daemon;<br />
RequiredProviders=windowmanager;notifications;<br />
DefaultProvider-windowmanager=xmonad<br />
DefaultProvider-notifications=notification-daemon</nowiki>}}<br />
<br />
: {{file|name=/usr/share/xsessions/xmonad-gnome-session.desktop|content=<nowiki>[Desktop Entry]<br />
Name=Xmonad GNOME<br />
Comment=Tiling window manager<br />
TryExec=/usr/bin/gnome-session<br />
Exec=gnome-session --session=xmonad<br />
Type=XSession</nowiki>}}<br />
<br />
The next time you log in, you should have the ability to choose ''Xmonad GNOME'' as your session.<br />
<br />
== Enabling fallback mode ==<br />
<br />
Your session automatically starts in fallback mode when '''gnome-shell''' is not present, or when your hardware cannot handle graphics acceleration, such as when running inside a virtual machine or on old hardware.<br />
<br />
If you wish to enable fallback mode while still having '''gnome-shell''' installed, make the following system change:<br />
<br />
Open '''gnome-control-center.''' Click the ''System Info'' icon. Click Graphics. Change ''Forced Fallback Mode'' to <tt>ON.</tt><br />
<br />
You can alternatively choose the type of session from a terminal with a ''gsettings'' command:<br />
<br />
$ GSETTINGS_BACKEND=dconf gsettings set org.gnome.desktop.session session-name gnome-fallback<br />
<br />
You may want to log out after making the change. You will see the chosen session type upon your next login.<br />
<br />
== Troubleshooting ==<br />
<br />
=== GNOME login takes a very long time ===<br />
<br />
Check whether you enabled any PulseAudio network settings in ''paprefs''. If network audio is enabled, GNOME hangs for about a minute after login.<br />
<br />
Another approach is to try a fresh user account, or to move {{Filename|$HOME/.gconf}}, {{Filename|$HOME/.gconfd}} and {{Filename|$HOME/.config/dconf}} to a backup folder. Log in again to see whether the delay is gone. If it is, a setting in one of those directories causes the delay; restore them one at a time to find it.<br />
<br />
=== Extensions don't work after GNOME 3 update ===<br />
<br />
Locate the folder where your extensions are installed. It might be '''{{Filename|~/.local/share/gnome-shell/extensions}}''' or '''{{Filename|/usr/share/gnome-shell/extensions}}'''.<br />
<br />
Edit each occurrence of '''{{Filename|metadata.json}}''' which appears in each extension sub-folder. <br />
<br />
{| border="0"<br />
| Insert: || '''<tt>"shell-version": ["3.0"]</tt>'''<br />
|-<br />
| Instead of (for example): || '''<tt>"shell-version": ["3.0.1"]</tt>'''<br />
|-<br />
| You might instead use: || '''<tt>"shell-version": ["3.0.0", "3.0.1", "3.0.2"]</tt>'''<br />
|}<br />
<br />
<br />
'''["3.0"]''' is the best solution. It indicates the extension works with every '''''3.0.x''''' GNOME Shell version.<br />
<br />
=== Screen is not locked after resume ===<br />
<br />
Screen lock only works when you suspend through GNOME's status menu. If you suspend or hibernate using the power button, your screen is not locked after resume. The problem is a configuration failure in dconf.<br />
<br />
Open ''dconf-editor'' and uncheck '''<tt>lock-use-screensaver</tt>''' in the key named ''org.gnome.power-manager.'' Your screen should now be locked after resume whether you used the status menu, the power button, or a key combination. Bug report: [https://bugzilla.redhat.com/show_bug.cgi?id=698135#c8 Screen gets no more locked after suspend #Comment 8]<br />
<br />
=== GTK2+ apps show segfaults and fail to launch ===<br />
<br />
That usually happens when '''oxygen-gtk''' is installed. This theme appears to conflict with GNOME 3 or GTK3 settings. When '''oxygen-gtk''' has been set as a GTK2 theme, GTK2 apps segfault with errors like these:<br />
<br />
<pre> (firefox-bin:14345): GLib-GObject-WARNING **: invalid (NULL) pointer instance<br />
<br />
(firefox-bin:14345): GLib-GObject-CRITICAL **: g_signal_connect_data: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed<br />
(firefox-bin:14345): Gdk-CRITICAL **: IA__gdk_screen_get_default_colormap: assertion `GDK_IS_SCREEN (screen)' failed<br />
(firefox-bin:14345): Gdk-CRITICAL **: IA__gdk_colormap_get_visual: assertion `GDK_IS_COLORMAP (colormap)' failed<br />
(firefox-bin:14345): Gdk-CRITICAL **: IA__gdk_screen_get_default_colormap: assertion `GDK_IS_SCREEN (screen)' failed<br />
(firefox-bin:14345): Gdk-CRITICAL **: IA__gdk_screen_get_root_window: assertion `GDK_IS_SCREEN (screen)' failed<br />
(firefox-bin:14345): Gdk-CRITICAL **: IA__gdk_screen_get_root_window: assertion `GDK_IS_SCREEN (screen)' failed<br />
(firefox-bin:14345): Gdk-CRITICAL **: IA__gdk_window_new: assertion `GDK_IS_WINDOW (parent)' failed<br />
Segmentation fault<br />
</pre><br />
<br />
The current workaround is to remove '''oxygen-gtk''' from the system and use a different theme for applications.<br />
<br />
=== ATI Catalyst driver creates glitches and artifacts ===<br />
<br />
For the moment, Catalyst is not recommended while running GNOME Shell. The open source ATI driver, xf86-video-ati, does seem to work properly with the GNOME 3 composited desktop.<br />
<br />
=== Multiple monitors and dock extension ===<br />
<br />
If you have multiple monitors configured using Nvidia Twinview, the dock extension may get sandwiched in-between the monitors. You can edit the source of this extension to reposition the dock to a position of your choosing.<br />
<br />
Edit '''/usr/share/gnome-shell/extensions/dock@gnome-shell-extensions.gnome.org/extension.js''' and locate this line in the source:<br />
<br />
this.actor.set_position(primary.width-this._item_size-this._spacing-2, (primary.height-height)/2);<br />
<br />
The first parameter is the X position of the dock. Subtracting 15 pixels instead of 2 placed the dock correctly on the primary monitor in the reported setup; adjust the X,Y pair until the dock lands where you want it.<br />
<br />
this.actor.set_position(primary.width-this._item_size-this._spacing-15, (primary.height-height)/2);<br />
<br />
=== No event sounds for Empathy and other programs ===<br />
<br />
If you're using [[OSS]], you may want to install '''libcanberra-oss''' [https://aur.archlinux.org/packages.php?ID=31163 from AUR].<br />
<br />
=== Editing hotkeys via can-change-accels fails ===<br />
<br />
It is also possible to manually change the keys via an application's so-called accel map file. Where it is to be found is up to the application: For instance, Thunar's is at {{Filename|~/.config/Thunar/accels.scm}}, whereas Nautilus's is located at {{Filename|~/.gnome2/accels/nautilus}}. The file should contain a list of possible hotkeys, each unchanged line commented out with a leading ";" that has to be removed for a change to become active.<br />
<br />
=== Panels don't respond to right-click in fallback mode ===<br />
<br />
Check the Configuration Editor key /apps/metacity/general/mouse_button_modifier. The modifier key (<Alt>, <Super>, etc.) set there for normal windows is also used by panels and their applets.<br />
<br />
=== "Show Desktop" keyboard shortcut does not work ===<br />
<br />
GNOME developers treat the corresponding binding as a bug (see https://bugzilla.gnome.org/show_bug.cgi?id=643609) because minimization is deprecated. To show the desktop again, assign {{Keypress|Alt}} + {{Keypress|Ctrl}} + {{Keypress|D}} to the following setting:<br />
<br />
System Settings --> Keyboard --> Shortcuts --> Windows --> Hide all normal windows<br />
<br />
=== Nautilus does not start ===<br />
<br />
Start gnome-tweak-tool -> File Manager -> Have file manager handle the desktop -> Off<br />
<br />
=== Epiphany does not play flash videos ===<br />
<br />
Epiphany now uses gtk3, but Adobe's Flash Player still relies on gtk2. See [[Epiphany#Flash]] for a workaround involving nspluginwrapper. <br />
<br />
=== Unable to apply stored configuration for monitors ===<br />
<br />
If you encounter this message, try disabling the xrandr gnome-settings-daemon plugin:<br />
<br />
dconf write /org/gnome/settings-daemon/plugins/xrandr/active false<br />
<br />
==External links==<br />
* [http://www.gnome.org/ The Official Website]<br />
* Themes, icons, and backgrounds:<br />
** [http://art.gnome.org/ Gnome Art]<br />
** [http://www.gnome-look.org/ Gnome Look]<br />
* GTK/GNOME programs:<br />
** [http://www.gnomefiles.org/ Gnome Files]<br />
** [http://www.gnome.org/projects/ Gnome Project Listing]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=Netcfg&diff=146041Netcfg2011-06-14T12:48:03Z<p>Sironitomas: /* Installation */</p>
<hr />
<div>[[Category:Networking (English)]]<br />
[[fr:Netcfg]]<br />
{{i18n|Netcfg}}<br />
{{Article summary start}}<br />
{{Article summary text|A guide to installing and configuring netcfg &ndash; network configuration and profile scripts.}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Networking overview}}}}<br />
{{Article summary heading|Resources}}<br />
{{Article summary link|netcfg network scripts repository|http://projects.archlinux.org/netcfg.git/}}<br />
{{Article summary end}}<br />
<br />
From the [http://projects.archlinux.org/netcfg.git/tree/man/netcfg.8 netcfg man page]:<br />
<br />
:'''''netcfg''' is used to configure and manage network connections via profiles. It has pluggable support for a range of connection types, such as wireless, ethernet, ppp. It is also capable of starting/stopping many to one connections, that is, multiple connections within the same profile, optionally with bonding.''<br />
<br />
netcfg is useful for users seeking a simple and robust means of managing multiple network configurations (e.g. laptop users). For systems connecting to a single network, the [[network]] daemon may be more appropriate.<br />
<br />
==Preparation==<br />
In the simplest cases, users must at least know the name of their network interface(s) (e.g. '''eth0''', '''wlan0'''). If configuring a static IP address, gateway and name server addresses must also be known.<br />
<br />
If connecting to a wireless network, have some basic information ready. For a wireless network this includes what type of security is used, the network name (ESSID), and any password or encryption keys. Additionally, ensure the proper drivers and firmware are installed for the wireless device, as described in [[Wireless Setup]].<br />
<br />
==Installation==<br />
Ensure you have the latest version of netcfg installed. Older versions have more bugs and may not work well with the latest drivers. The {{Package Official|netcfg}} package is available in '''core''':<br />
<br />
# pacman -S netcfg<br />
<br />
As of version 2.5.x, optional dependencies include {{Package Official|wpa_actiond}} &ndash; required for automatic/roaming wireless connection &ndash; and {{Package Official|ifplugd}} &ndash; required for automatic ethernet configuration. ([http://www.archlinux.org/news/487/ More information].)<br />
<br />
# pacman -S wpa_actiond ifplugd<br />
<br />
If you want to have bash completion support for netcfg:<br />
<br />
# pacman -S bash-completion<br />
<br />
==Configuration==<br />
Network profiles are stored in the {{Filename|/etc/network.d}} directory. To minimize the potential for errors, copy an example configuration from {{Filename|/etc/network.d/examples/}} to {{Filename|/etc/network.d/mynetwork}}. The file name is the name of the network profile ("mynetwork" is used as an example throughout this article). The name is not a network setting and does not need to match the wireless network name (SSID).<br />
<br />
Depending on the connection type and security, use one of the following examples from {{Filename|/etc/network.d/examples}} as a base. Be wary of examples found on the Internet as they often contain deprecated options that may cause problems.<br />
<br />
{| border="1"<br />
! Connection type/security !! Example profile<br />
|-<br />
| Wireless; WEP hex key || {{Filename|wireless-wep}}<br />
|-<br />
| Wireless; WEP string key || {{Filename|wireless-wep-string-key}}<br />
|-<br />
| Wireless; WPA personal (passphrase) || {{Filename|wireless-wpa}}<br />
|-<br />
| Wireless; WPA enterprise || {{Filename|wireless-wpa-config}} (wpa_supplicant configuration is external) <br /> {{Filename|wireless-wpa-configsection}} (wpa_supplicant configuration stored as string)<br />
|-<br />
| Wired; DHCP || {{Filename|ethernet-dhcp}}<br />
|-<br />
| Wired; static IP || {{Filename|ethernet-static}}<br />
|-<br />
| Wired; iproute configuration || {{Filename|ethernet-iproute}}<br />
|}<br />
<br />
Next, modify the new configuration file, {{Filename|/etc/network.d/mynetwork}}:<br />
<br />
* Set {{Codeline|INTERFACE}} to the correct wireless or ethernet interface. This can be checked with {{Codeline|ifconfig}} and {{Codeline|iwconfig}}.<br />
* Ensure the {{Codeline|ESSID}} and {{Codeline|KEY}} (passphrase) are set correctly for wireless connections. Typos in these fields are common errors.<br />
** Note that WEP ''string'' keys (not ''hex'' keys) must be specified with a leading {{Codeline|s:}} (e.g. {{Codeline|<nowiki>KEY="s:somepasskey"</nowiki>}}).<br />
<br />
{{Note | Netcfg configurations are valid Bash scripts. Any configuration involving special characters such as $ or \ needs to be quoted correctly otherwise it will be interpreted by Bash. To avoid interpretation, use single quotes or backslash escape characters where appropriate. }}<br />
<br />
{{Note | Network information (e.g. wireless passkey) will be stored in plain text format, so users may want to change the permissions on the newly created profile (e.g. {{Codeline|chmod 0600 /etc/network.d/mynetwork}} to make it readable by root only).}}<br />
<br />
{{Note | For WPA personal, it is also possible to use WPA passkey encoded into a hexadecimal string, instead of plain text passkey.<br />
Follow the procedure on the [[Wpa_supplicant#Classic_method:_wpa_supplicant.conf|WPA supplicant page's 1st example exercise]] to generate a hexadecimal string from you WPA passkey.<br><br />
Save the new hexadecimal string into your wireless WPA profile in {{Codeline|/etc/network.d/mynetwork}} as the value of KEY variable (make sure this will be the only KEY variable enabled), to look similar to this (replace the string with your one):<br />
<pre>KEY='7b271c9a7c8a6ac07d12403a1f0792d7d92b5957ff8dfd56481ced43ec6a6515'</pre><br />
That should do it, without the plain-text passkey appearing in the profile. The hexadecimal string is still enough to join the network, so keep the profile permissions restrictive as noted above.<br><br />
}}<br />
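The following script, an added example that is not part of the original page, audits a profile against the notes above: restrictive permissions, valid Bash syntax, a single active KEY line, and no characters that Bash expands inside a double-quoted KEY. The function name {{Codeline|check_netcfg_profile}} is assumed here.<br />

```shell
#!/bin/sh
# Added example, not part of the wiki page: sanity-check a netcfg profile
# against the notes above. Assumes a POSIX sh and, optionally, bash for the
# syntax check. Prints one line per finding and returns the number of findings.

check_netcfg_profile() {
    f=$1
    findings=0

    if [ ! -f "$f" ]; then
        printf '%s: not a regular file\n' "$f"
        return 1
    fi

    # 1. The passkey is stored in plain text, so the group and other bits
    #    (characters 5-10 of the ls -l mode string) should all be '-'.
    perm=$(ls -ld "$f" | cut -c5-10)
    case $perm in
        *[rwxst]*)
            printf '%s: readable by group/others (chmod 0600 recommended)\n' "$f"
            findings=$((findings + 1)) ;;
    esac

    # 2. netcfg sources the profile as a Bash script, so it must at least parse.
    if command -v bash >/dev/null 2>&1 && ! bash -n "$f" 2>/dev/null; then
        printf '%s: not valid Bash syntax\n' "$f"
        findings=$((findings + 1))
    fi

    # 3. Exactly one enabled KEY= assignment; commented-out ones do not count.
    keys=$(grep -c '^[[:space:]]*KEY=' "$f" || true)
    if [ "$keys" -ne 1 ]; then
        printf '%s: expected exactly 1 active KEY= line, found %s\n' "$f" "$keys"
        findings=$((findings + 1))
    fi

    # 4. $, \ and ` inside double quotes are expanded by Bash before netcfg
    #    ever sees the key; the note recommends single quotes for such keys.
    if grep -Eq '^[[:space:]]*KEY="[^"]*[$\\`][^"]*"' "$f"; then
        printf '%s: KEY is double-quoted and contains $, \\ or ` (use single quotes)\n' "$f"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Stand-alone usage: check_profile.sh /etc/network.d/mynetwork
if [ $# -gt 0 ]; then
    check_netcfg_profile "$1"
fi
```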
<br />
==Usage==<br />
To connect a profile:<br />
# netcfg mynetwork<br />
<br />
To disconnect a profile:<br />
# netcfg down <profile-name><br />
<br />
If successful, users can configure netcfg to connect automatically or during boot. If the connection fails, see [[#Troubleshooting]] for solutions and how to get help.<br />
<br />
For other functions, see:<br />
$ netcfg help<br />
<br />
==Connecting automatically==<br />
Several methods are available to users wanting to automatically connect network profiles (e.g. during boot or whilst roaming). Note that a network profile must be properly configured within the {{Filename|/etc/network.d}} directory ''first'' (see [[#Configuration]]).<br />
<br />
{{Tip|If enabling one of the following daemons and nothing is configured within the {{Codeline|INTERFACES}} array in {{Filename|rc.conf}}, you may remove the {{Codeline|network}} daemon from the {{Codeline|DAEMONS}} array. If you mount NFS shares during boot, ensure the {{Codeline|netfs}} daemon remains listed, though (otherwise the network will be dropped before unmounting shares during shutdown).}}<br />
<br />
===net-profiles===<br />
'''{{Codeline|net-profiles}} allows users to connect profiles during boot.'''<br />
<br />
To enable this feature, users must add {{Codeline|net-profiles}} to the {{Codeline|DAEMONS}} array in [[rc.conf]] and specify profiles to try in the {{Codeline|NETWORKS}} array:<br />
<br />
{{File<br />
|name=/etc/rc.conf<br />
|content=<nowiki><br />
NETWORKS=(mynetwork yournetwork)<br />
<br />
...<br />
<br />
DAEMONS=(... net-profiles ...)<br />
</nowiki>}}<br />
<br />
Alternatively, {{Codeline|net-profiles}} can be configured to display a menu &ndash; allowing users to choose a desired profile &ndash; by setting the contents of the {{Codeline|NETWORKS}} array to {{Codeline|menu}}:<br />
<br />
{{File<br />
|name=/etc/rc.conf<br />
|content=<nowiki><br />
NETWORKS=(menu)<br />
<br />
...<br />
<br />
DAEMONS=(... net-profiles ...)<br />
</nowiki>}}<br />
<br />
Additionally, the {{Package Official|dialog}} package is required.<br />
<br />
{{Tip|Access the menu at any time by running {{Codeline|netcfg-menu}} in a terminal.}}<br />
<br />
===net-auto-wireless===<br />
'''{{Codeline|net-auto-wireless}} allows users to automatically connect to wireless networks with proper roaming support.'''<br />
<br />
To enable this feature, users must add {{Codeline|net-auto-wireless}} to the {{Codeline|DAEMONS}} array in [[rc.conf]] and specify the desired wireless interface with the {{Codeline|WIRELESS_INTERFACE}} variable:<br />
<br />
{{File<br />
|name=/etc/rc.conf<br />
|content=<nowiki><br />
WIRELESS_INTERFACE="wlan0"<br />
<br />
...<br />
<br />
DAEMONS=(... net-auto-wireless ...)<br />
</nowiki>}}<br />
<br />
Additionally, the {{Package Official|wpa_actiond}} package is required. Note that wpa-config profiles do not work with net-auto-wireless; convert them to wpa-configsection instead.<br />
<br />
===net-auto-wired===<br />
'''{{Codeline|net-auto-wired}} allows users to automatically connect to wired networks.'''<br />
<br />
To enable this feature, users must install {{Package Official|ifplugd}}:<br />
<br />
# pacman -S ifplugd<br />
<br />
and add {{Codeline|net-auto-wired}} to the {{Codeline|DAEMONS}} array in [[rc.conf]] and specify the desired wired interface with the {{Codeline|WIRED_INTERFACE}} variable:<br />
<br />
{{File<br />
|name=/etc/rc.conf<br />
|content=<nowiki><br />
WIRED_INTERFACE="eth0"<br />
<br />
...<br />
<br />
DAEMONS=(... net-auto-wired ...)<br />
</nowiki>}}<br />
<br />
The daemon starts an ifplugd process which runs {{Filename|/etc/ifplugd/netcfg.action}} when the status of the wired interface changes (e.g. a cable is plugged in or unplugged). On plugging in a cable, attempts are made to start any profiles with CONNECTION = "ethernet" or "ethernet-iproute" and INTERFACE = WIRED_INTERFACE until one of them succeeds.<br />
<br />
{{Note|DHCP profiles are tried before static ones, which could lead to undesired results in some cases.}}<br />
<br />
{{Note|The net-auto-wired daemon cannot start multiple ifplugd processes for multiple interfaces (unlike ifplugd's own {{Filename|/etc/rc.d/ifplugd}}, which can).}}<br />
<br />
==Tips and tricks==<br />
<br />
===Passing arguments to iwconfig before connecting===<br />
Simply add the following to a profile:<br />
<br />
IWCONFIG="<arguments>"<br />
<br />
Where {{Codeline|<arguments>}} can be any valid {{Codeline|iwconfig}} argument. The script then runs {{Codeline|iwconfig $INTERFACE $IWCONFIG}}.<br />
<br />
For example, force the card to register to a specific access point given by MAC address:<br />
IWCONFIG="ap 12:34:56:78:90:12"<br />
<br />
This supersedes the {{Codeline|IWOPTS}} and {{Codeline|WEP_OPTS}} options which were incompletely implemented.<br />
<br />
===rfkill (enable/disable radio power)===<br />
netcfg can enable/disable radio for wireless cards equipped with software control of radio. For wireless cards with hardware switches, netcfg can detect disabled hardware switches and fail accordingly.<br />
<br />
To enable rfkill support, you need to specify what sort of switch the wireless interface has; hardware or software. This can be set within a profile or at the interface level ({{Filename|/etc/network.d/interfaces/$INTERFACE}}; see [[#Per-interface configuration]]). <br />
<br />
RFKILL=soft # can be either 'hard' or 'soft'<br />
<br />
For some kill switches the rfkill entry in {{Filename|/sys}} is not linked to the interface and the {{Codeline|RFKILL_NAME}} variable needs to be set to the contents of the matching {{Filename|/sys/class/rfkill/rfkill#/name}}.<br />
<br />
For example, on an Eee PC:<br />
<br />
RFKILL=soft<br />
RFKILL_NAME='eeepc-wlan'<br />
<br />
On a mid-2011 Thinkpad:<br />
<br />
RFKILL=hard<br />
RFKILL_NAME='phy0'<br />
<br />
===Execute commands before/after interface up/down===<br />
If your interface requires special actions prior/after the establishment/closure of a connection, you may use the {{Codeline|PRE_UP}}, {{Codeline|POST_UP}}, {{Codeline|PRE_DOWN}}, and {{Codeline|POST_DOWN}} variables.<br />
<br />
For example, if you want to configure your wireless card to operate in ad-hoc mode but you can only change modes when the interface is down, you could use something like this:<br />
<br />
PRE_UP="ifconfig wlan0 down; iwconfig wlan0 mode ad-hoc"<br />
<br />
Or if you want to mount your network shares after a successful connection, you could use:<br />
<br />
POST_UP="sleep 5; mount /mnt/shares/nexus/utorrent 2>/dev/null"<br />
<br />
Sometimes you may want to run something from netcfg with another user:<br />
<br />
POST_UP="su -c '/your/own/command' username"<br />
<br />
{{Note|If the commands specified in these properties return anything other than 0 (success), netcfg aborts the current operation. So if you want to mount a certain network share that might not be available at the time of connection (thus returning an error), you could create a separate Bash script with the mount commands and an {{Codeline|exit 0}} at the end. Alternatively you can add {{Codeline|<nowiki>|| true</nowiki>}} to the end of the command that may fail.}}<br />
<br />
===Intermittent Connection Failure===<br />
Some driver and hardware combinations occasionally drop the association. Use the pre and post commands to add and remove the driver, and use a script like the following to repair the current connection:<br />
<br />
{{File<br />
|name=/usr/local/bin/netcfgd<br />
|content=<nowiki><br />
#!/bin/bash<br />
log() { logger -t "$( basename $0 )" "$*" ; }<br />
<br />
main() {<br />
local host<br />
while sleep 1; do<br />
[[ "$( netcfg current )" = "" ]] && continue<br />
<br />
host=$( route -n | awk '/^0.0.0.0/ { print $2 }' )<br />
ping -c 1 $host && continue<br />
<br />
log "trying to reassociate"<br />
wpa_cli reassociate<br />
ping -c 1 $host && continue<br />
<br />
log "reassociate failed, reconfiguring network"<br />
netcfg -r $( netcfg current )<br />
done<br />
}<br />
<br />
exec 1>/dev/null<br />
[[ $EUID != 0 ]] && { log "must be root"; exit 1; }<br />
<br />
for cmd in wpa_cli ping netcfg; do<br />
! which $cmd && {<br />
log "can't find command ${cmd}, exiting..."<br />
exit 1<br />
}<br />
done<br />
<br />
log 'starting...'<br />
main <br />
<br />
</nowiki>}}<br />
<br />
===Per-interface configuration===<br />
Configuration options that apply to all profiles using an interface can be set using {{Filename|/etc/network.d/interfaces/$INTERFACE}}. For example:<br />
<br />
/etc/network.d/interfaces/wlan0<br />
<br />
This is useful for {{Codeline|wpa_supplicant}} options, rfkill switch support, pre/post up/down scripts and {{Codeline|net-auto-wireless}}. These options are loaded ''before'' profiles so that any profile-based options will take priority.<br />
<br />
{{Filename|/etc/network.d/interfaces/$INTERFACE}} may contain any valid profile option, though you are likely to use {{Codeline|PRE_UP}}/{{Codeline|DOWN}} and {{Codeline|POST_UP}}/{{Codeline|DOWN}} (described in the previous section) or one of the options listed below. Remember that these options are set for ''all'' profiles using the interface; you probably do not want to connect to your work VPN here, for instance, as it will try to connect on ''every'' wireless network!<br />
<br />
; {{Codeline|WPA_GROUP}}: Sets the group of the wpa_ctrl interface<br />
; {{Codeline|WPA_COUNTRY}}: Enforces local regulatory limitations and allows use of more channels<br />
; {{Codeline|WPA_DRIVER}}: Defaults to wext; nl80211 may be wanted for mac80211 devices<br />
<br />
{{Note|{{Codeline|POST_UP}}/{{Codeline|POST_DOWN}} require the {{Package Official|wpa_actiond}} package.}}<br />
<br />
===Output hooks===<br />
netcfg has limited support to load hooks that handle output. By default it loads the {{Filename|arch}} hook which provides the familiar output that you see. A syslog logging hook is also included. These can be found at {{Filename|/usr/lib/network/hooks}}.<br />
<br />
===ArchAssistant (GUI)===<br />
<br />
A Qt-based netcfg front-end called ArchAssistant exists. It proposes to manage and connect/disconnect profiles from a systray icon. Automatic wireless detection is also available. This tool is particularly useful for laptop users.<br />
<br />
Links:<br />
<br />
* [http://aur.archlinux.org/packages.php?ID=15655 archassistant in the AUR] <br />
* [http://www.kde-apps.org/content/show.php/ArchAssistant?content=76760 archassistant on kde-apps.org] <br />
<br />
There is also a relatively new GUI for netcfg2 on qt-apps.org that does only network configuration. You can find it [http://www.qt-apps.org/content/show.php/netcfgGUI?content=99523 here].<br />
<br />
===wifi-select===<br />
<br />
There is a console tool for selecting wireless networks in "real-time" (in NetworkManager manner) called <tt>wifi-select</tt>. The tool is convenient for use in Internet cafés or other places you are visiting for the first (and maybe the last) time. With this tool, you do not need to create a profile for a new network, just type {{Codeline|sudo wifi-select wlan0}} and choose the network you need. <br />
<br />
The tool is currently packaged and available in [community] repository. To install:<br />
<br />
# pacman -S wifi-select<br />
<br />
<tt>wifi-select</tt> does the following:<br />
* parses <tt>iwlist scan</tt> results and presents a list of networks along with their security settings (WPA/WEP/none) using <tt>dialog</tt><br />
* if the user selects a network with an existing profile, that profile is used to connect with <tt>netcfg</tt><br />
* if the user selects a new network (for example, a WiFi hotspot), <tt>wifi-select</tt> automatically generates a new profile with the corresponding <tt>$SECURITY</tt> and asks for the key (if needed). It uses DHCP as <tt>$IP</tt> by default<br />
* then, if the connection succeeds, the profile is saved for later use<br />
* if the connection fails, the user is asked whether to keep the generated profile for further use (for example, to change <tt>$IP</tt> to static or adjust additional options)<br />
<br />
Links: <br />
<br />
* [http://bbs.archlinux.org/viewtopic.php?id=63973 Forum thread] related to development of <tt>wifi-select</tt><br />
* [http://hg.horna.org.ua/wifi-select/ wifi-select Mercurial repository]<br />
* [https://github.com/sphynx/wifi-select wifi-select on GitHub]<br />
<br />
===Using dhclient instead of dhcpcd===<br />
<br />
Simply add<br />
DHCLIENT=yes<br />
in the desired profile.<br />
<br />
==Troubleshooting==<br />
<br />
===Debugging===<br />
To run netcfg with debugging output, set the {{Codeline|NETCFG_DEBUG}} environment variable to {{Codeline|"yes"}}, for example:<br />
<br />
# NETCFG_DEBUG="yes" netcfg <arguments><br />
<br />
Debugging information for wpa_supplicant can be logged using {{Codeline|WPA_OPTS}} within a profile, for example:<br />
<br />
WPA_OPTS="-f/path/to/log"<br />
<br />
Whatever is entered here will be added to the command when wpa_supplicant is called.<br />
<br />
===Network unavailable===<br />
This error is typically due to:<br />
* Out of range; or<br />
* Driver issue.<br />
<br />
===Wireless association failed===<br />
This error is typically due to:<br />
* Out of range/reception;<br />
* Incorrect configuration;<br />
* Invalid key;<br />
* Driver problem; or<br />
* Trying to connect to a hidden network.<br />
<br />
If the connection problem is due to poor reception, increase the {{Codeline|TIMEOUT}} variable in {{Filename|/etc/network.d/mynetwork}}, such as:<br />
TIMEOUT=60<br />
<br />
If an AP with a hidden SSID is used, try:<br />
PRE_UP='iwconfig $INTERFACE essid $ESSID'<br />
<br />
===Unable to get IP address with DHCP===<br />
This error is typically due to:<br />
* Out of range/reception<br />
<br />
Try increasing {{Codeline|DHCP_TIMEOUT}} variable in your network {{Filename|/etc/network.d/profile}}.<br />
<br />
===Not a valid connection, check spelling or look at examples===<br />
You must set {{Codeline|CONNECTION}} to one of the connection types listed in the {{Filename|/usr/lib/network/connections}} directory. Alternatively, use one of the provided configuration examples in {{Filename|/etc/network.d/examples}}.<br />
<br />
===Driver quirks===<br />
{{Note|You most likely do '''not''' need quirks; ensure your configuration is correct before considering them. Quirks are intended for a small range of drivers with unusual issues, many of them older versions. These are workarounds, not solutions.}}<br />
<br />
Some drivers behave oddly and need workarounds to connect. Quirks must be enabled manually. They are best determined by reading the forums, seeing what others have used, and, if that fails, trial and error. Quirks can be combined.<br />
<br />
; {{Codeline|prescan}}: Run {{Codeline|iwlist $INTERFACE scan}} before attempting to connect (broadcom)<br />
; {{Codeline|preessid}}: Run {{Codeline|iwconfig $INTERFACE essid $ESSID}} before attempting to connect (ipw3945, broadcom and Intel PRO/Wireless 4965AGN)<br />
; {{Codeline|wpaessid}}: Same as previous, run before starting {{Codeline|wpa_supplicant}}. Not supported anymore; use {{Codeline|<nowiki>IWCONFIG="essid $ESSID"</nowiki>}} instead. (ath9k)<br />
; {{Codeline|predown}}: Take interface down before association and then restore it after (madwifi)<br />
; {{Codeline|postsleep}}: Sleep one second before checking if the association was successful<br />
; {{Codeline|postscan}}: Run {{Codeline|iwlist scan}} after associating <br />
<br />
Add the required quirks to the netcfg configuration file {{Filename|/etc/network.d/mynetwork}}, for example:<br />
QUIRKS=(prescan preessid)<br />
<br />
If you receive "Wireless network not found", "Association failed" errors and have tried the above, or if an AP with a hidden SSID is used, see the above section [[#Wireless association failed]].<br />
<br />
===Ralink legacy drivers rt2500, rt2400 that use iwpriv===<br />
There are no plans to add WPA support to these drivers. rt2x00 is supported, however, and will replace them.<br />
<br />
If you must use them, create a shell script that runs the needed {{Codeline|iwpriv}} commands and put its path in {{Codeline|PRE_UP}}.<br />
<br />
===find: "/var/run/network//suspend/": No such file or directory===<br />
This error message is a known bug and can be ignored; create the directory by hand.<br />
<br />
===It still doesn't work, what do I do?===<br />
If this article did not help solve your problem, the next best place to ask for help is the forums or the mailing list. <br />
<br />
To be able to determine the problem, we need information. When you ask, provide the following output:<br />
* '''ALL OUTPUT FROM netcfg'''<br />
** This is absolutely crucial to be able to determine what went wrong. The message might be short or non-existent, but it can mean a great deal. <br />
* '''{{Filename|/etc/network.d}} network profiles'''<br />
** This is also crucial as many problems are simple configuration issues. Feel free to censor your wireless key.<br />
* '''netcfg version'''<br />
* {{Codeline|lsmod}}<br />
* {{Codeline|iwconfig}}<br />
<br />
==FAQ==<br />
{{FAQ<br />
|question=Why doesn't netcfg do ''(some feature)''?<br />
|answer=netcfg doesn't need to; it connects to networks. netcfg is modular and re-usable; see {{Filename|/usr/lib/network}} for reusable functions for custom scripts.}}<br />
<br />
{{FAQ<br />
|question=Why doesn't netcfg behave in ''this'' way?<br />
|answer=netcfg doesn't enforce any rules; it connects to networks. It doesn't impose any heuristics, like "disconnect from wireless if ethernet is connected". If you want behaviour like that, it should be simple to write a separate tool over netcfg. See the question above.}}<br />
<br />
{{FAQ<br />
|question=Do I still need ''(some thing)'' if I'm using netcfg?<br />
|answer=This question usually references {{Filename|/etc/hosts}} and the {{Codeline|HOSTNAME}} variable in {{Filename|/etc/rc.conf}}, which are both still required. You may remove {{Codeline|network}} from the {{Codeline|DAEMONS}} array if you've configured all your networks with netcfg, though.}}</div>Sironitomashttps://wiki.archlinux.org/index.php?title=NFSv4&diff=141118NFSv42011-05-11T22:24:43Z<p>Sironitomas: /* Mounting the partitions on the client */</p>
<hr />
<div>[[Category:Networking (English)]]<br />
[[Category:HOWTOs (English)]]<br />
{{i18n_links_start}}<br />
{{i18n_entry|English|NFSv4}}<br />
{{i18n_entry|简体中文|Nfsv4(简体中文)}}<br />
{{i18n_entry|繁体中文|Nfsv4繁体中文}}<br />
{{i18n_links_end}}<br />
{{merge|Nfs}}<br />
'''NFSv4''', ''n''etwork ''f''ile ''s''ystem ''v''ersion 4, is the new version of NFS (for setting up the older NFSv3, see [[Nfs]]) with new features like strong authentication and integrity via Kerberos and SPKM-3, improved performance, safe file caching, lock migration, UTF-8, ACLs and better support for Windows file sharing semantics.<br />
<br />
This article covers installing and configuring NFSv4.<br />
<br />
==Installing==<br />
Both client and servers require the {{package Official|nfs-utils}} package. Install with [[pacman]]:<br />
# pacman -S nfs-utils<br />
<br />
==Configuring==<br />
===Server===<br />
The server side requires more configuration than the client.<br />
<br />
====Exports====<br />
First we'll need to edit our exports in {{Filename|/etc/exports}}.<br />
A typical NFSv4 export would look like this:<br />
/export 192.168.0.12(rw,fsid=0,no_subtree_check,async,no_root_squash)<br />
/export/music 192.168.0.12(rw,no_subtree_check,async,no_root_squash)<br />
<br />
{{Note | To allow ranges of addresses, the old-style 192.168.0.*-Scheme is ''no longer'' supported with nfs4. Use 192.168.0.0/24 or somesuch to specify such exports. (This did work with non-nfs4-exports, and no longer does. ''The error reported is "no such file or directory"'' when mounting, which makes troubleshooting a pain.)}}<br />
/export is the NFS root here (due to the {{Codeline|fsid&#61;0}} entry). Everything else that you want to be shared over NFS must be accessible under /export.<br />
{{Note | Setting an NFS root seems to be required.}}<br />
<br />
For exporting directories outside the NFS root, see below.<br />
<br />
{{Note | The {{Codeline|no_root_squash}} option means that root on the client is also considered root on the server. This is of course a security risk. Remove it if you don't need it.}}<br />
<br />
=====Exporting directories outside your NFS root=====<br />
To do this, you'll need to use bind mounts. For example, to bind /home/john to /export/john:<br />
# mount --bind /home/john /export/john<br />
Then, /export/john needs to be added to {{Filename|/etc/exports}}:<br />
/export 192.168.0.12(rw,fsid=0,no_subtree_check,async,no_root_squash)<br />
/export/music 192.168.0.12(rw,no_subtree_check,async,no_root_squash)<br />
/export/john 192.168.0.12(rw,no_subtree_check,async,no_root_squash,'''nohide''')<br />
The {{Codeline|nohide}} option is '''required''', because the kernel NFS server automatically hides mounted directories. <br />
To add the bind mount to {{Filename|/etc/fstab}}:<br />
/home/john /export/john none bind 0 0<br />
<br />
====ID mapping====<br />
Then, {{Filename|/etc/idmapd.conf}} needs to be edited. You'll need to at the very least specify your Domain there. Example:<br />
[General]<br />
<br />
Verbosity = 1<br />
Pipefs-Directory = /var/lib/nfs/rpc_pipefs<br />
'''Domain = archlinux.org'''<br />
<br />
[Mapping]<br />
<br />
Nobody-User = nobody<br />
Nobody-Group = nobody<br />
<br />
====/etc/hosts.allow====<br />
To allow network access to the nfs server you should edit /etc/hosts.allow. The following example opens these services to anyone:<br />
nfsd: ALL<br />
rpcbind: ALL<br />
mountd: ALL<br />
<br />
This is a very insecure way of allowing host access. For better control over who may reach the daemons, {{Filename|hosts.deny}} should deny everyone and {{Filename|hosts.allow}} should list only the permitted hosts. In this example, 192.168.0.101 is the IP address of the host(s) allowed access; the numbers after the '/' are the netmask:<br />
nfsd: 192.168.0.101/255.255.255.255<br />
rpcbind: 192.168.0.101/255.255.255.255<br />
mountd: 192.168.0.101/255.255.255.255<br />
<br />
This example enables access for every host on that network:<br />
nfsd: 192.168.0.0/255.255.255.0<br />
rpcbind: 192.168.0.0/255.255.255.0<br />
mountd: 192.168.0.0/255.255.255.0<br />
<br />
For finer control, read the hosts_access(5) man page.<br />
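As an added example (not part of the wiki page), the script below checks an exports file for the pitfalls described in this section and in [[#Troubleshooting]] (old-style wildcards, a missing fsid=0 root, no_root_squash, spaces in an option list) and converts a CIDR network into the dotted-netmask form hosts.allow expects. The function names {{Codeline|lint_exports}}, {{Codeline|prefix_to_mask}} and {{Codeline|hosts_allow_from_cidr}} are assumed here.<br />

```shell
#!/bin/sh
# Added example, not part of the wiki page: lint an NFSv4 /etc/exports file for
# the pitfalls described above and generate hosts.allow lines from a CIDR
# network. Assumes a POSIX sh; the exports path is passed in by the caller.

# Print one line per finding and return the number of findings.
lint_exports() {
    f=$1
    n=0
    findings=0
    roots=0
    set -f                                  # no pathname expansion of '*' specs
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        set -- $line                        # split into path and client specs
        shift                               # drop the exported path
        for spec in "$@"; do
            case $spec in
                '('*)
                    # Options with no client in front apply to every host:
                    # "host (rw)" exports the path to the whole world.
                    printf 'line %s: %s has no client before it, so it applies to every host\n' "$n" "$spec"
                    findings=$((findings + 1)) ;;
                *'('*')') ;;                # well-formed client(options)
                *'('*|*')'*)
                    # A space inside the option list is the "bad option list"
                    # syntax error from the troubleshooting section.
                    printf 'line %s: whitespace inside the option list near %s\n' "$n" "$spec"
                    findings=$((findings + 1)) ;;
            esac
            case $spec in *[0-9].'*'*)
                printf 'line %s: old-style wildcard %s is not supported by NFSv4, use CIDR\n' "$n" "${spec%%\(*}"
                findings=$((findings + 1)) ;;
            esac
            case $spec in *no_root_squash*)
                printf 'line %s: no_root_squash lets client root act as root on the server\n' "$n"
                findings=$((findings + 1)) ;;
            esac
            case $spec in *fsid=0,*|*fsid=0')'*) roots=$((roots + 1)) ;; esac
        done
    done < "$f"
    set +f
    if [ "$roots" -ne 1 ]; then
        printf 'expected exactly one fsid=0 (NFSv4 root) export, found %s\n' "$roots"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Dotted netmask for a prefix length (0-32), e.g. 24 -> 255.255.255.0.
prefix_to_mask() {
    p=$1
    mask=''
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then
            o=255
            p=$((p - 8))
        else
            case $p in
                0) o=0 ;;   1) o=128 ;; 2) o=192 ;; 3) o=224 ;;
                4) o=240 ;; 5) o=248 ;; 6) o=252 ;; 7) o=254 ;;
            esac
            p=0
        fi
        mask="$mask${mask:+.}$o"
    done
    printf '%s\n' "$mask"
}

# hosts.allow entries for nfsd, rpcbind and mountd from a CIDR network or a
# single address, in the address/netmask form used in the examples above.
hosts_allow_from_cidr() {
    net=${1%/*}
    prefix=${1#*/}
    if [ "$prefix" = "$1" ]; then
        prefix=32                           # no '/': a single host
    fi
    mask=$(prefix_to_mask "$prefix")
    for svc in nfsd rpcbind mountd; do
        printf '%s: %s/%s\n' "$svc" "$net" "$mask"
    done
}

# Stand-alone usage: lint_exports.sh /etc/exports [network/prefix]
if [ $# -gt 0 ]; then
    lint_exports "$1"
    if [ $# -gt 1 ]; then
        hosts_allow_from_cidr "$2"
    fi
fi
```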
<br />
====Starting the server====<br />
To start the NFS server, just do:<br />
# /etc/rc.d/rpcbind start<br />
# /etc/rc.d/nfs-common start<br />
# /etc/rc.d/nfs-server start<br />
If you want to tweak the configuration, feel free to edit {{Filename|/etc/conf.d/nfs-server.conf}} to fit your needs.<br />
<br />
===Client===<br />
The client configuration is simpler.<br />
<br />
====Client ID mapping====<br />
<br />
{{Filename|/etc/idmapd.conf}} needs to be edited on all clients '''and the Domain entry should be identical to the one on the server'''. Example:<br />
[General]<br />
<br />
Verbosity = 1<br />
Pipefs-Directory = /var/lib/nfs/rpc_pipefs<br />
'''Domain = archlinux.org'''<br />
<br />
[Mapping]<br />
<br />
Nobody-User = nobody<br />
Nobody-Group = nobody<br />
<br />
[Translation]<br />
Method = nsswitch<br />
<br />
{{note | On a client only setup make sure rpc.idmapd is running. The nfs-common daemon usually auto-detects whether rpc.idmapd has to be started, but it might fail if there aren't any nfs4 mount entries in {{Filename|/etc/fstab}} or if {{Filename|/etc/exports}} is empty (which both might be the case if you are using [[autofs]] to mount the nfs4 shares).<br />
In this case set '''NEED_IDMAPD&#61;&quot;yes&quot;''' in {{Filename|/etc/conf.d/nfs-common.conf}}. }}<br />
<br />
====/etc/hosts.allow====<br />
You will need to allow rpcbind for the server's ip:<br />
rpcbind: 192.168.0.100/255.255.255.255<br />
<br />
====Mounting the partitions on the client====<br />
On the client, to mount the NFSv4 partition:<br />
Make sure that the {{Codeline|nfs}} module is loaded ({{Codeline|<nowiki>lsmod | grep nfs</nowiki>}}); if it is not, run {{Codeline|modprobe nfs}}.<br />
# /etc/rc.d/rpcbind start<br />
# /etc/rc.d/nfs-common start<br />
# mount -t nfs4 server:/ /mnt/server/<br />
# mount -t nfs4 server:/music /mnt/music/<br />
# mount -t nfs4 server:/john /mnt/john<br />
Replace 'server' with the hostname or IP address of your NFS server, and 'server', 'music' and 'john' with the names of the directories you exported on the server.<br />
<br />
If you want the NFS volumes to mount automatically on bootup, add them to {{Filename|fstab}}. For example:<br />
server:/ /mnt/server nfs4 async,user 0 0<br />
Remember to add {{Codeline|netfs}} to the {{Codeline|DAEMONS}} array in {{Filename|/etc/rc.conf}} so that NFS volumes are mounted at boot.<br />
<br />
{{note|the root of the path on the server is the NFS root specified; all paths must be specified relative to it.}}<br />
<br />
===Client &amp; Server: Time Synchronization===<br />
In order for NFS to function properly, both server and client must have closely matching time values. If the clocks on the clients differ from the server too much, then basic functions like file copy operations may hang for a very long time leaving the system unusable until they resume. The clocks do not have to match to micro/nano second accuracies, but ideally they should be within 1 second of each other. <br />
<br />
The [[NTP]] system is recommended to sync both the server and the clients to the highly accurate NTP servers available on the Internet. For a small system like a home network, the ntpdate utility may be used to sync both servers and clients to the same time. For a larger installation, it may be desirable to install an OpenNTP server (see [[NTP]]) onto the same machine acting as the NFS server, and then all clients on the network would sync time values from the server. This has the advantage of lowering the stress on the external NTP servers, and in assuring that the NFS clients will use the exact time that the NFS server has, even if the NFS server experiences some drift.<br />
<br />
==Troubleshooting==<br />
''Common problems and how to overcome them''<br />
<br />
===messages.log contains "nfsdopenone: Opening /proc/net/rpc/nfs4.nametoid/channel failed: errno 2 (No such file or directory)"===<br />
Add {{Codeline|nfsd}} to the {{Codeline|MODULES}} array in {{Filename|/etc/rc.conf}}. (You may need to set {{Codeline|Verbosity &#61; 3}} in {{Filename|/etc/idmapd.conf}} and restart the services above before the error appears.)<br />
<br />
===exportfs: /etc/exports:2: syntax error: bad option list===<br />
Delete all spaces from the option list in {{Filename|/etc/exports}}.<br />
<br />
===mount.nfs4: No such device===<br />
Check that the {{Codeline|nfs}} module is loaded:<br />
lsmod | grep nfs<br />
If this returns nothing, or only nfsd-related modules, run:<br />
modprobe nfs<br />
<br />
===mount.nfs4: access denied by server while mounting===<br />
Check that the permissions on your client's folder are correct ('755' worked for me --[[User:Zenlord|Zenlord]] 12:01, 7 May 2010 (EDT))</div>Sironitomashttps://wiki.archlinux.org/index.php?title=NFSv4&diff=140119NFSv42011-05-06T12:44:42Z<p>Sironitomas: /* Client */ Added example nfs line of fstab</p>
<hr />
<div>[[Category:Networking (English)]]<br />
[[Category:HOWTOs (English)]]<br />
{{i18n_links_start}}<br />
{{i18n_entry|English|NFSv4}}<br />
{{i18n_entry|简体中文|Nfsv4(简体中文)}}<br />
{{i18n_entry|繁体中文|Nfsv4繁体中文}}<br />
{{i18n_links_end}}<br />
{{merge|Nfs}}<br />
'''NFSv4''', ''n''etwork ''f''ile ''s''ystem ''v''ersion 4, is the new version of NFS (for setting up the older NFSv3, see [[Nfs]]) with new features like strong authentication and integrity via Kerberos and SPKM-3, improved performance, safe file caching, lock migration, UTF-8, ACLs and better support for Windows file sharing semantics.<br />
<br />
This article covers installing and configuring NFSv4.<br />
<br />
==Installing==<br />
Both client and servers require the {{package Official|nfs-utils}} package. Install with [[pacman]]:<br />
# pacman -S nfs-utils<br />
<br />
==Configuring==<br />
===Server===<br />
The server side requires more configuration than the client.<br />
<br />
====Exports====<br />
First we'll need to edit our exports in {{Filename|/etc/exports}}.<br />
A typical NFSv4 export would look like this:<br />
/export 192.168.0.12(rw,fsid=0,no_subtree_check,async,no_root_squash)<br />
/export/music 192.168.0.12(rw,no_subtree_check,async,no_root_squash)<br />
<br />
{{Note | To allow ranges of addresses, the old-style 192.168.0.*-Scheme is ''no longer'' supported with nfs4. Use 192.168.0.0/24 or somesuch to specify such exports. (This did work with non-nfs4-exports, and no longer does. ''The error reported is "no such file or directory"'' when mounting, which makes troubleshooting a pain.)}}<br />
/export is the NFS root here (due to the {{Codeline|fsid&#61;0}} entry). Everything else that you want to be shared over NFS must be accessible under /export.<br />
{{Note | Setting an NFS root seems to be required.}}<br />
<br />
For exporting directories outside the NFS root, see below.<br />
<br />
{{Note | The {{Codeline|no_root_squash}} option means that root on the client is also considered root on the server. This is of course a security risk. Remove it if you don't need it.}}<br />
<br />
=====Exporting directories outside your NFS root=====<br />
To do this, you'll need to use bind mounts. For example, to bind /home/john to /export/john:<br />
# mount --bind /home/john /export/john<br />
Then, /export/john needs to be added to {{Filename|/etc/exports}}:<br />
/export 192.168.0.12(rw,fsid=0,no_subtree_check,async,no_root_squash)<br />
/export/music 192.168.0.12(rw,no_subtree_check,async,no_root_squash)<br />
/export/john 192.168.0.12(rw,no_subtree_check,async,no_root_squash,'''nohide''')<br />
The {{Codeline|nohide}} option is '''required''', because the kernel NFS server automatically hides mounted directories. <br />
To add the bind mount to {{Filename|/etc/fstab}}:<br />
/home/john /export/john none bind 0 0<br />
<br />
====ID mapping====<br />
Then, {{Filename|/etc/idmapd.conf}} needs to be edited. You'll need to at the very least specify your Domain there. Example:<br />
[General]<br />
<br />
Verbosity = 1<br />
Pipefs-Directory = /var/lib/nfs/rpc_pipefs<br />
'''Domain = archlinux.org'''<br />
<br />
[Mapping]<br />
<br />
Nobody-User = nobody<br />
Nobody-Group = nobody<br />
<br />
====/etc/hosts.allow====<br />
To allow network access to the nfs server you should edit /etc/hosts.allow. The following example opens these services to anyone:<br />
nfsd: ALL<br />
rpcbind: ALL<br />
mountd: ALL<br />
<br />
This is a very insecure way of allowing host access. For better control over who may reach the daemons, {{Filename|hosts.deny}} should deny everyone and {{Filename|hosts.allow}} should list only the permitted hosts. In this example, 192.168.0.101 is the IP address of the host(s) allowed access; the numbers after the '/' are the netmask:<br />
nfsd: 192.168.0.101/255.255.255.255<br />
rpcbind: 192.168.0.101/255.255.255.255<br />
mountd: 192.168.0.101/255.255.255.255<br />
<br />
This example enables access for every host on that network:<br />
nfsd: 192.168.0.0/255.255.255.0<br />
rpcbind: 192.168.0.0/255.255.255.0<br />
mountd: 192.168.0.0/255.255.255.0<br />
<br />
For finer control, read the hosts_access(5) man page.<br />
<br />
====Starting the server====<br />
To start the NFS server, just do:<br />
# /etc/rc.d/rpcbind start<br />
# /etc/rc.d/nfs-common start<br />
# /etc/rc.d/nfs-server start<br />
If you want to tweak the configuration, feel free to edit {{Filename|/etc/conf.d/nfs-server.conf}} to fit your needs.<br />
<br />
===Client===<br />
The client configuration is simpler.<br />
<br />
====Client ID mapping====<br />
<br />
{{Filename|/etc/idmapd.conf}} needs to be edited on all clients '''and the Domain entry should be identical to the one on the server'''. Example:<br />
[General]<br />
<br />
Verbosity = 1<br />
Pipefs-Directory = /var/lib/nfs/rpc_pipefs<br />
'''Domain = archlinux.org'''<br />
<br />
[Mapping]<br />
<br />
Nobody-User = nobody<br />
Nobody-Group = nobody<br />
<br />
[Translation]<br />
Method = nsswitch<br />
<br />
{{note | On a client-only setup make sure rpc.idmapd is running. The nfs-common daemon usually auto-detects whether rpc.idmapd has to be started, but it might fail if there are no nfs4 mount entries in {{Filename|/etc/fstab}} or if {{Filename|/etc/exports}} is empty (both of which may be the case if you are using [[autofs]] to mount the nfs4 shares).<br />
In this case set '''NEED_IDMAPD&#61;&quot;yes&quot;''' in {{Filename|/etc/conf.d/nfs-common.conf}}. }}<br />
<br />
====/etc/hosts.allow====<br />
You will need to allow rpcbind for the server's IP address:<br />
rpcbind: 192.168.0.100/255.255.255.255<br />
<br />
====Mounting the partitions on the client====<br />
On the client, to mount the NFSv4 partition:<br />
Make sure that the nfs module is loaded (lsmod | grep nfs). If it is not, run "modprobe nfs" first.<br />
# /etc/rc.d/rpcbind start<br />
# /etc/rc.d/nfs-common start<br />
# mount -t nfs4 server:/ /mnt/server/<br />
# mount -t nfs4 server:/music /mnt/music/<br />
# mount -t nfs4 server:/john /mnt/john<br />
Replace 'server' with the hostname or IP address of your NFS server and, of course, 'music' and 'john' with the names of whatever directories you exported on the server.<br />
{{note|The root of the path on the server is the NFS root specified in /etc/exports; all paths must be specified relative to it.}}<br />
<br />
If you want the NFS volumes to mount automatically on bootup, add them to {{Filename|fstab}}. For example:<br />
server:/ /mnt/server nfs4 async,user 0 0<br />
Remember to add netfs to the DAEMONS array in /etc/rc.conf in order to mount NFS volumes at boot.<br />
<br />
===Client &amp; Server: Time Synchronization===<br />
In order for NFS to function properly, both server and client must have closely matching time values. If the clocks on the clients differ from the server too much, then basic functions like file copy operations may hang for a very long time, leaving the system unusable until they resume. The clocks do not have to match to microsecond or nanosecond accuracy, but ideally they should be within 1 second of each other. <br />
<br />
The [[NTP]] system is recommended to sync both the server and the clients to the highly accurate NTP servers available on the Internet. For a small system like a home network, the ntpdate utility may be used to sync both servers and clients to the same time. For a larger installation, it may be desirable to install an OpenNTP server (see [[NTP]]) onto the same machine acting as the NFS server, so that all clients on the network sync their time from that server. This has the advantage of lowering the load on the external NTP servers, and of assuring that the NFS clients will use the exact time that the NFS server has, even if the NFS server experiences some drift.<br />
<br />
==Troubleshooting==<br />
''Common problems and how to overcome them''<br />
<br />
===messages.log contains "nfsdopenone: Opening /proc/net/rpc/nfs4.nametoid/channel failed: errno 2 (No such file or directory)"===<br />
Add 'nfsd' to the MODULES array in /etc/rc.conf (note: you may need to add "Verbosity = 3" to /etc/idmapd.conf and restart the services above to see the error).<br />
<br />
===exportfs: /etc/exports:2: syntax error: bad option list===<br />
Delete all spaces from the option list in /etc/exports.<br />
<br />
===mount.nfs4: No such device===<br />
Check that you have loaded the nfs module:<br />
lsmod | grep nfs<br />
and if that returns nothing, or only nfsd entries, run<br />
modprobe nfs<br />
<br />
===mount.nfs4: access denied by server while mounting===<br />
Check that the permissions on your client's folder are correct ('755' worked for me --[[User:Zenlord|Zenlord]] 12:01, 7 May 2010 (EDT))</div>Sironitomashttps://wiki.archlinux.org/index.php?title=OpenSSH&diff=138383OpenSSH2011-04-25T22:23:37Z<p>Sironitomas: /* Step 2: Configure your Browser (or other programs) */</p>
<hr />
<div>[[Category:Daemons and system services (English)]]<br />
{{i18n|SSH}}<br />
[[pl:SSH]]<br />
[[fr:ssh]]<br />
<br />
Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.<br />
<br />
SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding arbitrary TCP ports and X11 connections; file transfer can be accomplished using the associated SFTP or SCP protocols.<br />
<br />
An SSH server, by default, listens on the standard TCP port 22. An SSH client program is typically used for establishing connections to an ''sshd'' daemon accepting remote connections. Both are commonly present on most modern operating systems, including Mac OS X, GNU/Linux, Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.<br />
<br />
(Source: [[Wikipedia:Secure Shell]])<br />
<br />
= OpenSSH =<br />
<br />
OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the ssh protocol. It was created as an open source alternative to the proprietary Secure Shell software suite offered by SSH Communications Security. OpenSSH is developed as part of the OpenBSD project, which is led by Theo de Raadt.<br />
<br />
OpenSSH is occasionally confused with the similarly-named OpenSSL; however, the projects have different purposes and are developed by different teams. The similar names reflect only similar goals.<br />
<br />
== Installing OpenSSH ==<br />
# pacman -S openssh<br />
<br />
== Configuring SSH ==<br />
===Client===<br />
The SSH client configuration file can be found and edited in {{Filename|/etc/ssh/ssh_config}}.<br />
<br />
An example configuration: <br />
<br />
{{File|name=/etc/ssh/ssh_config|content=<br />
<br />
# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $<br />
<br />
# This is the ssh client system-wide configuration file. See<br />
# ssh_config(5) for more information. This file provides defaults for<br />
# users, and the values can be changed in per-user configuration files<br />
# or on the command line.<br />
<br />
# Configuration data is parsed as follows:<br />
# 1. command line options<br />
# 2. user-specific file<br />
# 3. system-wide file<br />
# Any configuration value is only changed the first time it is set.<br />
# Thus, host-specific definitions should be at the beginning of the<br />
# configuration file, and defaults at the end.<br />
<br />
# Site-wide defaults for some commonly used options. For a comprehensive<br />
# list of available options, their meanings and defaults, please see the<br />
# ssh_config(5) man page.<br />
<br />
Host *<br />
# ForwardAgent no<br />
# ForwardX11 no<br />
# RhostsRSAAuthentication no<br />
# RSAAuthentication yes<br />
# PasswordAuthentication yes<br />
# HostbasedAuthentication no<br />
# GSSAPIAuthentication no<br />
# GSSAPIDelegateCredentials no<br />
# BatchMode no<br />
# CheckHostIP yes<br />
# AddressFamily any<br />
# ConnectTimeout 0<br />
# StrictHostKeyChecking ask<br />
# IdentityFile ~/.ssh/identity<br />
# IdentityFile ~/.ssh/id_rsa<br />
# IdentityFile ~/.ssh/id_dsa<br />
# Port 22<br />
# Protocol 2,1<br />
# Cipher 3des<br />
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc<br />
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160<br />
# EscapeChar ~<br />
# Tunnel no<br />
# TunnelDevice any:any<br />
# PermitLocalCommand no<br />
# VisualHostKey no<br />
HashKnownHosts yes<br />
StrictHostKeyChecking ask}}<br />
<br />
It is recommended to change the Protocol line into this:<br />
Protocol 2<br />
<br />
That means that only Protocol 2 will be used, since Protocol 1 is considered somewhat insecure.<br />
<br />
===Daemon===<br />
The SSH daemon configuration file can be found and edited in {{Filename|/etc/ssh/ssh'''d'''_config}}.<br />
<br />
An example configuration: <br />
<br />
{{File|name=/etc/ssh/sshd_config|content=<br />
<br />
# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $<br />
<br />
# This is the sshd server system-wide configuration file. See<br />
# sshd_config(5) for more information.<br />
<br />
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin<br />
<br />
# The strategy used for options in the default sshd_config shipped with<br />
# OpenSSH is to specify options with their default value where<br />
# possible, but leave them commented. Uncommented options change a<br />
# default value.<br />
<br />
#Port 22<br />
#Protocol 2,1<br />
ListenAddress 0.0.0.0<br />
#ListenAddress ::<br />
<br />
# HostKey for protocol version 1<br />
#HostKey /etc/ssh/ssh_host_key<br />
# HostKeys for protocol version 2<br />
#HostKey /etc/ssh/ssh_host_rsa_key<br />
#HostKey /etc/ssh/ssh_host_dsa_key<br />
<br />
# Lifetime and size of ephemeral version 1 server key<br />
#KeyRegenerationInterval 1h<br />
#ServerKeyBits 768<br />
<br />
# Logging<br />
#obsoletes QuietMode and FascistLogging<br />
#SyslogFacility AUTH<br />
#LogLevel INFO<br />
<br />
# Authentication:<br />
<br />
#LoginGraceTime 2m<br />
#PermitRootLogin yes<br />
#StrictModes yes<br />
#MaxAuthTries 6<br />
<br />
#RSAAuthentication yes<br />
#PubkeyAuthentication yes<br />
#AuthorizedKeysFile .ssh/authorized_keys<br />
<br />
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts<br />
#RhostsRSAAuthentication no<br />
# similar for protocol version 2<br />
#HostbasedAuthentication no<br />
# Change to yes if you don't trust ~/.ssh/known_hosts for<br />
# RhostsRSAAuthentication and HostbasedAuthentication<br />
#IgnoreUserKnownHosts no<br />
# Don't read the user's ~/.rhosts and ~/.shosts files<br />
#IgnoreRhosts yes<br />
<br />
# To disable tunneled clear text passwords, change to no here!<br />
#PasswordAuthentication yes<br />
#PermitEmptyPasswords no<br />
<br />
# Change to no to disable s/key passwords<br />
#ChallengeResponseAuthentication yes<br />
<br />
# Kerberos options<br />
#KerberosAuthentication no<br />
#KerberosOrLocalPasswd yes<br />
#KerberosTicketCleanup yes<br />
#KerberosGetAFSToken no<br />
<br />
# GSSAPI options<br />
#GSSAPIAuthentication no<br />
#GSSAPICleanupCredentials yes<br />
<br />
# Set this to 'yes' to enable PAM authentication, account processing,<br />
# and session processing. If this is enabled, PAM authentication will<br />
# be allowed through the ChallengeResponseAuthentication mechanism.<br />
# Depending on your PAM configuration, this may bypass the setting of<br />
# PasswordAuthentication, PermitEmptyPasswords, and<br />
# "PermitRootLogin without-password". If you just want the PAM account and<br />
# session checks to run without PAM authentication, then enable this but set<br />
# ChallengeResponseAuthentication=no<br />
#UsePAM no<br />
<br />
#AllowTcpForwarding yes<br />
#GatewayPorts no<br />
#X11Forwarding no<br />
#X11DisplayOffset 10<br />
#X11UseLocalhost yes<br />
#PrintMotd yes<br />
#PrintLastLog yes<br />
#TCPKeepAlive yes<br />
#UseLogin no<br />
#UsePrivilegeSeparation yes<br />
#PermitUserEnvironment no<br />
#Compression yes<br />
#ClientAliveInterval 0<br />
#ClientAliveCountMax 3<br />
#UseDNS yes<br />
#PidFile /var/run/sshd.pid<br />
#MaxStartups 10<br />
<br />
# no default banner path<br />
#Banner /some/path<br />
<br />
# override default of no subsystems<br />
Subsystem sftp /usr/lib/ssh/sftp-server}}<br />
<br />
<br />
To allow access only for some users add this line:<br />
AllowUsers user1 user2<br />
<br />
You might want to change some lines so that they look as follows:<br />
<pre><br />
Protocol 2<br />
.<br />
.<br />
.<br />
LoginGraceTime 120<br />
.<br />
.<br />
.<br />
# put yes here if you want root login (sshd rejects a comment placed after the value on the same line)<br />
PermitRootLogin no<br />
</pre><br />
<br />
You could also uncomment the Banner option and edit {{Filename|/etc/issue}} for a nice welcome message.<br />
<br />
{{Tip| You may want to change the default port from 22 to any higher port (see [http://en.wikipedia.org/wiki/Security_through_obscurity security through obscurity]).}} <br />
<br />
Even though the port ssh is running on could be detected by using a port-scanner like nmap, changing it will reduce the number of log entries caused by automated authentication attempts.<br />
<br />
{{Tip| Disabling password logins entirely may also increase security, since each user with access to the server will need to create ssh keys. (see [http://wiki.archlinux.org/index.php/Using_SSH_Keys Using SSH Keys]).}}<br />
<br />
{{File|name=/etc/ssh/sshd_config|content=<br />
PasswordAuthentication no<br />
ChallengeResponseAuthentication no}}<br />
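As an added check (example code written for this section, not from the wiki page or from OpenSSH), the following Python reads an sshd_config the way sshd does (the first value given for a keyword wins) and reports which of the settings recommended above are still at their insecure value; the defaults it assumes are the ones shown commented out in the example sshd_config above.<br />

```python
"""Audit an sshd_config against the hardening advice in this section.

Added example: not part of the wiki page or of OpenSSH. The assumed defaults
are the values shown commented out in the example sshd_config above.
"""
import re

# Defaults as shown commented out in the page's example sshd_config (assumed).
ASSUMED_DEFAULTS = {
    "protocol": "2,1",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "port": "22",
}

# sshd accepts "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_LINE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text: str) -> dict:
    """Return the effective keyword -> value mapping.

    sshd uses the first value given for a keyword, so later duplicates are
    ignored here too. Comments and blank lines are skipped. Parsing stops at
    the first 'Match' block, whose settings are conditional and out of scope.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit_sshd_config(text: str) -> list:
    """Return human-readable findings; an empty list means all checks passed."""
    cfg = dict(ASSUMED_DEFAULTS)
    cfg.update(parse_sshd_config(text))
    findings = []
    protocols = {p.strip() for p in cfg["protocol"].split(",")}
    if "1" in protocols:
        findings.append("Protocol still allows version 1; set 'Protocol 2'")
    if cfg["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin is yes; set 'PermitRootLogin no'")
    if cfg["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication is yes; use keys and set it to no")
    elif cfg["challengeresponseauthentication"] == "yes":
        # With passwords off, keyboard-interactive can still prompt for one.
        findings.append("ChallengeResponseAuthentication is still yes; set it to no")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups line; any account may log in")
    return findings


# Constructed sample: the page's example with only its uncommented lines kept.
PAGE_STYLE_CONFIG = """\
#Port 22
#Protocol 2,1
ListenAddress 0.0.0.0
#PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/lib/ssh/sftp-server
"""

# Constructed sample with this section's recommended changes applied.
HARDENED_CONFIG = """\
Protocol 2
LoginGraceTime 120
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers user1 user2
Subsystem sftp /usr/lib/ssh/sftp-server
"""

if __name__ == "__main__":
    for name, cfg in (("page example", PAGE_STYLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", audit_sshd_config(cfg) or ["ok"])
```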
<br />
===Allowing others in===<br />
{{Box Note | You have to adjust this file to remotely connect to your machine since the file is empty by default}}<br />
<br />
To let other people ssh to your machine you need to adjust {{Filename|/etc/hosts.allow}}, add the following:<br />
<br />
<pre><br />
# let everyone connect to you<br />
sshd: ALL<br />
<br />
# OR you can restrict it to a certain ip<br />
sshd: 192.168.0.1<br />
<br />
# OR restrict for an IP range<br />
sshd: 10.0.0.0/255.255.255.0<br />
<br />
# OR restrict for an IP match<br />
sshd: 192.168.1.<br />
</pre><br />
<br />
Now you should check your {{Filename|/etc/hosts.deny}} for the following line and make sure it looks like this:<br />
ALL: ALL<br />
<br />
That's it. You can SSH out and others should be able to SSH in :).<br />
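The hosts.allow patterns used here and in the NFS section above (ALL, a single address, net/netmask, a trailing-dot prefix) can be checked offline with the following Python, an added example that is not part of the wiki page or of tcp_wrappers; it applies the hosts_access(5) lookup order to constructed rule sets and a client address.<br />

```python
"""Evaluate TCP wrappers hosts.allow / hosts.deny rules as used on this page.

Added example: not part of the wiki page or of tcp_wrappers. It implements
the hosts_access(5) lookup order and the client patterns this page uses:
ALL, a single address, net/netmask and a trailing-dot address prefix.
Hostname patterns, EXCEPT, netgroups and IPv6 are deliberately left out.
"""
import ipaddress


def _client_matches(pattern: str, client_ip: str) -> bool:
    pattern = pattern.strip()
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):
        # "192.168.1." matches any address whose leading fields are 192.168.1
        return client_ip.startswith(pattern)
    addr = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        # "192.168.0.0/255.255.255.0": network/netmask form
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def _daemon_matches(pattern: str, daemon: str) -> bool:
    pattern = pattern.strip()
    return pattern.upper() == "ALL" or pattern == daemon


def _rules(text: str):
    """Yield (daemon_list, client_list) for each 'daemons : clients' line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        fields = line.split(":")  # an optional third field is a shell command
        yield fields[0].split(","), fields[1].split(",")


def _any_rule_matches(text: str, daemon: str, client_ip: str) -> bool:
    for daemons, clients in _rules(text):
        if any(_daemon_matches(d, daemon) for d in daemons) and any(
            _client_matches(c, client_ip) for c in clients
        ):
            return True
    return False


def hosts_access(daemon: str, client_ip: str, allow_text: str, deny_text: str) -> bool:
    """True if the connection would be accepted.

    hosts_access(5) order: a match in hosts.allow grants access, otherwise a
    match in hosts.deny refuses it, otherwise access is granted. That final
    default is why an empty hosts.deny leaves every wrapped daemon open.
    """
    if _any_rule_matches(allow_text, daemon, client_ip):
        return True
    if _any_rule_matches(deny_text, daemon, client_ip):
        return False
    return True


# Constructed samples mirroring the page's examples.
DENY_ALL = "ALL: ALL\n"
OPEN_ALLOW = "nfsd: ALL\nrpcbind: ALL\nmountd:ALL\n"
NFS_ALLOW = """\
nfsd: 192.168.0.0/255.255.255.0
rpcbind: 192.168.0.0/255.255.255.0
mountd: 192.168.0.0/255.255.255.0
"""
SSHD_ALLOW = "# OR restrict for an IP match\nsshd: 192.168.1.\n"

if __name__ == "__main__":
    print(hosts_access("nfsd", "192.168.0.42", NFS_ALLOW, DENY_ALL))   # True
    print(hosts_access("nfsd", "10.0.0.5", NFS_ALLOW, DENY_ALL))       # False
    print(hosts_access("sshd", "192.168.10.7", SSHD_ALLOW, DENY_ALL))  # False
```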
<br />
To start using the new configuration, restart the daemon (as root):<br />
# /etc/rc.d/sshd restart<br />
<br />
== Managing SSHD Daemon ==<br />
Just add sshd to the "DAEMONS" section of your {{Filename|/etc/[[rc.conf]]}}:<br />
DAEMONS=(... ... '''sshd''' ... ...)<br />
<br />
To start/restart/stop the daemon, use the following:<br />
# /etc/rc.d/sshd {start|stop|restart}<br />
<br />
==Connecting to the server==<br />
To connect to a server, run:<br />
$ ssh -p port user@server-address<br />
<br />
= Tips and Tricks =<br />
<br />
== Encrypted Socks Tunnel ==<br />
This is highly useful for laptop users connected to various unsafe wireless connections. The only thing you need is an SSH server running at a somewhat secure location, like your home or at work. It might be useful to use a dynamic DNS service like [http://www.dyndns.org/ DynDNS] so you don't have to remember your IP-address.<br />
<br />
=== Step 1: Start the Connection ===<br />
You only have to execute this single command in your favorite terminal to start the connection:<br />
$ ssh -ND 4711 user@host<br />
where {{Codeline|"user"}} is your username at the SSH server running at {{Codeline|"host"}}. It will ask for your password, and then you're connected! The {{Codeline|"N"}} flag disables the interactive prompt, and the {{Codeline|"D"}} flag specifies the local port to listen on (you can choose any port number you want).<br />
<br />
One way to make this easier is to put an alias line in your {{Filename|~/.bashrc}} file as follows:<br />
alias sshtunnel="ssh -ND 4711 -v user@host"<br />
It's nice to add the verbose {{Codeline|"-v"}} flag, because then you can verify that it's actually connected from that output. Now you just have to execute the {{Codeline|"sshtunnel"}} command :)<br />
<br />
=== Step 2: Configure your Browser (or other programs) ===<br />
<br />
The above step is completely useless if you don't configure your web browser (or other programs) to use this newly created socks tunnel. Since the current version of SSH supports both SOCKS4 and SOCKS5, you can use either of them.<br />
<br />
* For Firefox: ''Edit &rarr; Preferences &rarr; Advanced &rarr; Network &rarr; Connection &rarr; Setting'':<br />
: Check the ''"Manual proxy configuration"'' radio button, and enter "localhost" in the ''"SOCKS host"'' text field, and then enter your port number in the next text field (I used 4711 above).<br />
<br />
Firefox does not automatically make DNS requests through the socks tunnel. This potential privacy concern can be mitigated by the following steps:<br />
<br />
# Type about:config into the Firefox location bar.<br />
# Search for network.proxy.socks_remote_dns<br />
# Set the value to true.<br />
# Restart the browser.<br />
<br />
* For Chromium: You can set the SOCKS settings as environment variables or as command line options. I recommend adding one of the following functions to your {{Filename|.bashrc}}:<br />
function secure_chromium {<br />
port=4711<br />
export SOCKS_SERVER=localhost:$port<br />
export SOCKS_VERSION=5<br />
chromium &<br />
exit<br />
}<br />
OR<br />
function secure_chromium {<br />
port=4711<br />
chromium --proxy-server="socks://localhost:$port" &<br />
exit<br />
}<br />
<br />
Now open a terminal and just do:<br />
$ secure_chromium<br />
<br />
Enjoy your secure tunnel!<br />
<br />
== X11 Forwarding ==<br />
<br />
To run graphical programs through an SSH connection you can enable X11 forwarding. An option needs to be set in the configuration files on both the server and the client (here "client" means the (desktop) machine your X11 server runs on, and "server" means the machine on which you will run the X applications).<br />
<br />
Install xorg-xauth on the server:<br />
# pacman -S xorg-xauth<br />
<br />
* Enable the '''AllowTcpForwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Enable the '''X11Forwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Set the '''X11DisplayOffset''' option in {{Filename|sshd_config}} on the '''server''' to 10.<br />
* Enable the '''X11UseLocalhost''' option in {{Filename|sshd_config}} on the '''server'''.<br />
<br />
<br />
* Enable the '''ForwardX11''' option in {{Filename|ssh_config}} on the '''client'''.<br />
<br />
To use the forwarding, log on to your server through ssh:<br />
# ssh -X -p port user@server-address<br />
If you receive errors trying to run graphical applications try trusted forwarding instead:<br />
# ssh -Y -p port user@server-address<br />
You can now start any X program on the remote server, the output will be forwarded to your local session:<br />
# xclock<br />
<br />
If you get "Cannot open display" errors try the following command as the non root user:<br />
$ xhost +<br />
<br />
The above command disables X server access control, so any host can connect to your X server and forward X11 applications to it. To restrict forwarding to a particular host, type:<br />
$ xhost +hostname<br />
<br />
where hostname is the name of the particular host you want to forward to. Type "man xhost" for more details.<br />
<br />
Be careful with some applications, as they check for a running instance on the local machine. Firefox is an example. Either close the running Firefox or use the following start parameter to start a remote instance alongside the local one:<br />
$ firefox -no-remote<br />
<br />
== Speed up SSH ==<br />
You can make all sessions to the same host use a single connection, which will greatly speed up subsequent logins, by adding these lines under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
ControlMaster auto<br />
ControlPath ~/.ssh/socket-%r@%h:%p<br />
<br />
Changing the ciphers used by SSH to less CPU-demanding ones can improve speed. In this respect, the fastest choices are arcfour and blowfish-cbc. '''Please do not do this unless you know what you are doing; arcfour has a number of known weaknesses'''. To use them, run SSH with the {{Codeline|"c"}} flag, like this:<br />
# ssh -c arcfour,blowfish-cbc user@server-address<br />
To use them permanently, add this line under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
Ciphers arcfour,blowfish-cbc<br />
Another option to improve speed is to enable compression with the {{Codeline|"C"}} flag. A permanent solution is to add this line under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
Compression yes<br />
Login time can be shortened by using the {{Codeline|"4"}} flag, which bypasses the IPv6 lookup. This can be made permanent by adding this line under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
AddressFamily inet<br />
Another way of making these changes permanent is to create an alias in {{Filename|~/.bashrc}}:<br />
alias ssh='ssh -C4c arcfour,blowfish-cbc'<br />
<br />
=== Troubleshooting ===<br />
<br />
Make sure the host in your DISPLAY string is resolvable on the remote end:<br />
<br />
ssh -X user@server-address<br />
server$ echo $DISPLAY<br />
localhost:10.0<br />
server$ telnet localhost 6010<br />
localhost/6010: lookup failure: Temporary failure in name resolution <br />
<br />
This can be fixed by adding localhost to {{Filename|/etc/hosts}} on the server.<br />
<br />
== Mounting a Remote Filesystem with SSHFS ==<br />
<br />
Install sshfs<br />
# pacman -S sshfs<br />
<br />
Load the Fuse module<br />
# modprobe fuse<br />
Add fuse to the ''modules'' array in {{Filename|/etc/rc.conf}} to load it on each system boot.<br />
<br />
Mount the remote folder using sshfs<br />
# mkdir ~/remote_folder<br />
# sshfs USER@remote_server:/tmp ~/remote_folder<br />
<br />
The command above will cause the folder /tmp on the remote server to be mounted as ~/remote_folder on the local machine. Copying any file to this folder will result in transparent copying over the network using SFTP. The same applies to editing, creating or removing files directly.<br />
<br />
When we’re done working with the remote filesystem, we can unmount the remote folder by issuing:<br />
# fusermount -u ~/remote_folder<br />
<br />
If we work on this folder on a daily basis, it is wise to add it to the {{Filename|/etc/fstab}} table. This way it can be automatically mounted upon system boot or mounted manually (if the {{Codeline|noauto}} option is chosen) without the need to specify the remote location each time. Here is a sample entry in the table:<br />
sshfs#USER@remote_server:/tmp /full/path/to/directory fuse defaults,auto,allow_other 0 0<br />
<br />
== Keep Alive ==<br />
<br />
Your ssh session will automatically log out if it is idle. To keep the connection active (alive) add this to {{Filename|~/.ssh/config}} or to {{Filename|/etc/ssh/ssh_config}} on the client.<br />
<br />
ServerAliveInterval 120<br />
<br />
This will send a "keep alive" signal to the server every 120 seconds.<br />
<br />
Conversely, to keep incoming connections alive, you can set<br />
<br />
ClientAliveInterval 120<br />
<br />
(or some other number greater than 0) in {{Filename|/etc/ssh/sshd_config}} on the server.<br />
<br />
== Save connection data in .ssh/config ==<br />
<br />
Whenever you want to connect to a server, you usually have to type at least its address and your username. To save that typing work for servers you regularly connect to, you can use the {{Filename|$HOME/.ssh/config}} file as shown in the following example:<br />
<br />
{{File|name=$HOME/.ssh/config|content=<br />
<br />
Host myserver<br />
HostName 123.123.123.123<br />
Port 12345<br />
User bob<br />
Host other_server<br />
HostName test.something.org<br />
User alice<br />
CheckHostIP no<br />
Cipher blowfish<br />
}}<br />
<br />
Now you can simply connect to the server by using the name you specified:<br />
<br />
$ ssh myserver<br />
<br />
To see a complete list of the possible options, check out ssh_config's manpage on your system or the [http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config ssh_config documentation] on the official website.<br />
<br />
= Troubleshooting =<br />
<br />
== Connection Refused Problem ==<br />
<br />
=== Is SSH running and listening? ===<br />
<br />
netstat -tnlp | grep ssh<br />
<br />
If the above command doesn't display anything, then SSH is NOT running. Check <code>/var/log/messages</code> for errors etc.<br />
<br />
=== Are there firewall rules blocking the connection? ===<br />
<br />
Flush your iptables rules to make sure they are not interfering:<br />
<br />
/etc/rc.d/iptables stop<br />
<br />
or:<br />
<br />
iptables -P INPUT ACCEPT<br />
iptables -P OUTPUT ACCEPT<br />
iptables -F INPUT<br />
iptables -F OUTPUT<br />
<br />
=== Have you allowed SSH in hosts.allow? ===<br />
<br />
Double check you have done [[#Allowing_others_in|this section]] correctly.<br />
<br />
=== Is the traffic even getting to your computer? ===<br />
<br />
Start a traffic dump on the computer you're having problems with:<br />
<br />
tcpdump -lnn -i any port ssh and tcp-syn<br />
<br />
This should show some basic information, then wait for any matching traffic before displaying it. Try your connection now. If you don't see any output when you attempt to connect, then something outside of your computer is blocking the traffic (e.g. a hardware firewall or NAT router).<br />
<br />
= See Also =<br />
*[[Using SSH Keys]]<br />
*[[Pam_abl]]<br />
<br />
= Links & References =<br />
*[http://www.soloport.com/iptables.html A Cure for the Common SSH Login Attack]<br />
*[http://webssh.cz.cc Using your browser as SSH client]<br />
*[http://www.la-samhna.de/library/brutessh.html Defending against brute force ssh attacks]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=GNOME_(Espa%C3%B1ol)&diff=136999GNOME (Español)2011-04-12T03:30:28Z<p>Sironitomas: Created page with "{{i18n|GNOME 3}} Category:Desktop environments (Español) Category:HOWTOs (Español) {{Article summary start}} {{Article summary text|GNOME 3 provee un escritorio moder..."</p>
<hr />
<div>{{i18n|GNOME 3}}<br />
<br />
[[Category:Desktop environments (Español)]]<br />
[[Category:HOWTOs (Español)]]<br />
<br />
{{Article summary start}}<br />
{{Article summary text|GNOME 3 provides a modern desktop, rewritten from scratch using GTK3+.}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Resumen de la interfaz grafica de usuario}}}}<br />
{{Article summary end}}<br />
<br />
For GNOME 3, the GNOME Project has started from scratch and created a modern, completely new desktop designed for the technologies of today's users. In GNOME 3:<br />
* There is a new, modern default font and visual theme<br />
* The Activities overview provides an easy way to reach all your windows and applications<br />
* Integrated desktop messaging services<br />
* More discreet and efficient system panels and notifications<br />
* A quick search feature in Activities<br />
* A new System Settings application<br />
<br />
[more details on the [http://www.gnome3.org/ GNOME3] site]<br />
<br />
== Introduction ==<br />
<br />
GNOME3 comes with '''two''' interfaces, '''gnome-shell''' (the new, standard layout) and '''fallback''' mode. gnome-session automatically detects whether your computer is capable of running gnome-shell and starts fallback mode if it is not. <br />
<br />
'''Fallback''' mode is very much like the GNOME 2.x layout (it uses gnome-panel and metacity instead of gnome-shell and Mutter).<br />
<br />
If you are in fallback mode you can still replace the window manager with your preferred one.<br />
<br />
== Upgrade from the current gnome 2.32 ==<br />
<br />
Enable '''testing''' repo. <br />
<br />
Edit /etc/pacman.conf and '''un'''comment testing.<br />
<br />
{{Warning|It's very important for the new repo to be on the '''top''', otherwise pacman will '''not''' upgrade GNOME}}<br />
<br />
#testing uncommented<br />
[testing]<br />
Include = /etc/pacman.d/mirrorlist<br />
<br />
<br />
{{Warning|The session might crash during the update, so it is recommended to run the update command in a screen session, from another DE or WM, or from a tty}}<br />
<br />
# pacman -Syu <br />
<br />
'''Important''': You will end up with a system that has GNOME 3.x '''fallback''' mode. To install the new shell:<br />
<br />
# pacman -S gnome-shell<br />
<br />
== Installing to a new system ==<br />
<br />
Enable testing in the same way as above.<br />
<br />
# pacman -Syu testing/gnome<br />
<br />
For additional applications:<br />
<br />
# pacman -Syu testing/gnome-extra<br />
<br />
===Modules and daemons that GNOME needs===<br />
<br />
The GNOME desktop requires one daemon, '''DBUS''', to operate correctly.<br />
<br />
To start the DBUS daemon:<br />
# /etc/rc.d/dbus start<br />
<br />
Or add it to the '''DAEMONS''' array in {{Filename|/etc/[[rc.conf]]}} so that it starts automatically at boot. <br />
<br />
DAEMONS=(syslog-ng '''dbus''' network crond)<br />
<br />
'''GVFS''' allows the mounting of virtual file systems (e.g. file systems over FTP or SMB) to be used by other applications, including the GNOME file manager Nautilus. This is done with the use of '''FUSE''': a user space virtual file system layer kernel module.<br />
<br />
To load the FUSE kernel module:<br />
# modprobe fuse<br />
<br />
Or add the module to the '''MODULES''' array in {{Filename|/etc/rc.conf}} so they will load at boot up, e.g.:<br />
<br />
MODULES=('''fuse''' usblp)<br />
<br />
{{Note|FUSE is a kernel module, not a daemon.}}<br />
<br />
===Running GNOME===<br />
<br />
For better desktop integration, '''GDM''' is recommended.<br />
# pacman -S gdm<br />
<br />
Check out [[Display_Manager]] to learn how to start it correctly.<br />
<br />
If you prefer to start it from console, add the following line to your {{Filename|~/.xinitrc}} file, making sure it's the last line and the only one that starts with ''exec'' (see [[xinitrc]]):<br />
exec ck-launch-session gnome-session<br />
<br />
Now GNOME will start when you enter the following command:<br />
$ startx<br />
<br />
== Using the shell ==<br />
<br />
See https://live.gnome.org/GnomeShell/CheatSheet<br />
<br />
== Customization ==<br />
=== Using Gnome-tweak-tool ===<br />
<br />
# pacman -S gnome-tweak-tool<br />
<br />
This tool can customize fonts, themes and some other useful settings, such as the action taken when the lid is closed.<br />
<br />
A good customization tutorial is http://blog.fpmurphy.com/2011/03/customizing-the-gnome-3-shell.html, which explores the power of gsettings.<br />
<br />
=== Changing the GTK3 theme using settings.ini ===<br />
<br />
Similar to {{Filename|~/.gtkrc-2.0}} for GTK2+ it is possible to set the GTK3 (Gnome 3) theme via {{Filename|${XDG_CONFIG_HOME}/gtk-3.0/settings.ini}}. By default {{Filename|${XDG_CONFIG_HOME} }} is interpreted as {{Filename|~/.config}}.<br />
<br />
Example:<br />
<br />
[Settings]<br />
gtk-theme-name = Adwaita<br />
gtk-fallback-icon-theme = gnome<br />
<br />
It may be necessary to restart one's DE or WM for the settings to be applied.<br />
<br />
<br />
=== Solution for missing "Startup Programs" tool ===<br />
Create an autostart folder inside the .config directory in your home directory: <br />
<br />
$ mkdir ~/.config/autostart<br />
<br />
Inside it, put your program.desktop files following this scheme<br />
(the example program is empathy, so the file is ~/.config/autostart/empathy.desktop):<br />
<br />
[Desktop Entry]<br />
Type=Application<br />
Exec=empathy<br />
Hidden=false<br />
X-GNOME-Autostart-enabled=true<br />
Name[de_DE]= <br />
Name=Empathy messaging<br />
Comment[de_DE]=<br />
Comment=<br />
<br />
<br />
The next time you log in to GNOME 3 the program will start automatically.<br />
<br />
== Enabling fallback mode==<br />
<br />
Your session will automatically start in fallback mode if gnome-shell is not present. If you want to enable it while having gnome-shell installed, open gnome-control-center, then open System Info > Graphics and change ''Forced Fallback Mode'' to ''ON''.<br />
<br />
== Enabling hidden features ==<br />
<br />
Gnome 3.0 hides a lot of useful options and you have to use '''dconf-editor''' to customize them. <br />
<br />
== How to shutdown through the Status menu ==<br />
<br />
For now, the Shutdown option seems to be hidden when the user opens the Status menu in the upper right. If you want to shut down your system through the Status menu, click on it and then press the '''Alt''' key. The "'''Suspend'''" option will instantly turn into "Power off..." for as long as you hold the Alt key, which lets you properly shut down your system.<br />
<br />
== Enabling integrated messaging ==<br />
<br />
Empathy, the engine behind the integrated messaging, and all of the system settings based on your messaging accounts will not show up unless the '''telepathy''' group of packages or at least one of the backends ('''telepathy-gabble''' or '''telepathy-haze''', for example) is installed. These are not included in the default Arch GNOME installs, and the Empathy interface doesn't give a nice error message; it just fails silently. You can install them:<br />
<br />
# pacman -S telepathy<br />
<br />
== Enabling extensions ==<br />
<br />
Gnome Shell can be customised to an extent with extensions that have been written by others. These provide functionality like having a dock that is always present, and being able to change the shell theme. More details on the functionality of currently available extensions are given [http://www.webupd8.org/2011/04/gnome-shell-extensions-additional.html here]. You can use the [http://aur.archlinux.org/packages.php?ID=47501 gnome-shell-extensions-git] package in the AUR to install them. Restart Gnome to enable them.<br />
<br />
If installing the extensions causes Gnome to stop working, you must remove the user-theme extension and the auto-move-windows extension from their installation directory (this could be ~/.local/share/gnome-shell/extensions, /usr/share/gnome-shell/extensions or /usr/local/share/gnome-shell/extensions). Removing extensions from or adding them to these directories will uninstall or install them on the system. More details on Gnome Shell extensions are available [https://live.gnome.org/GnomeShell/Extensions here].<br />
<br />
== Troubleshooting ==<br />
=== My GTK2+ apps show segfaults and won't start ===<br />
<br />
That usually happens when '''oxygen-gtk''' is installed. That theme somehow conflicts with GNOME 3's and/or GTK3 settings, and when it has been set as the GTK2 theme, GTK2 apps segfault with errors like:<br />
<br />
<pre> (firefox-bin:14345): GLib-GObject-WARNING **: invalid (NULL) pointer instance<br />
<br />
(firefox-bin:14345): GLib-GObject-CRITICAL **: g_signal_connect_data: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed<br />
<br />
(firefox-bin:14345): Gdk-CRITICAL **: IA__gdk_screen_get_default_colormap: assertion `GDK_IS_SCREEN (screen)' failed<br />
<br />
(firefox-bin:14345): Gdk-CRITICAL **: IA__gdk_colormap_get_visual: assertion `GDK_IS_COLORMAP (colormap)' failed<br />
<br />
(firefox-bin:14345): Gdk-CRITICAL **: IA__gdk_screen_get_default_colormap: assertion `GDK_IS_SCREEN (screen)' failed<br />
<br />
(firefox-bin:14345): Gdk-CRITICAL **: IA__gdk_screen_get_root_window: assertion `GDK_IS_SCREEN (screen)' failed<br />
<br />
(firefox-bin:14345): Gdk-CRITICAL **: IA__gdk_screen_get_root_window: assertion `GDK_IS_SCREEN (screen)' failed<br />
<br />
(firefox-bin:14345): Gdk-CRITICAL **: IA__gdk_window_new: assertion `GDK_IS_WINDOW (parent)' failed<br />
Segmentation fault<br />
</pre><br />
<br />
The current "workaround" is to '''remove''' '''oxygen-gtk''' from the system completely and set another theme for your apps.</div>Sironitomashttps://wiki.archlinux.org/index.php?title=OpenSSH_(Espa%C3%B1ol)&diff=135705OpenSSH (Español)2011-04-02T20:56:15Z<p>Sironitomas: /* Paso 2: Configurar tu navegador (u otros programas) */</p>
<hr />
<div>[[Category:Español]]<br />
{{i18n|SSH}}<br />
<br />
'''S'''ecure '''Sh'''ell or '''SSH''' is a network protocol that allows data to be exchanged over a secure channel between two computers. SSH uses encryption techniques so that the information travelling over the communication medium is unreadable and no third party can discover the user name and password of the connection, or what is typed during the session. SSH uses public-key cryptography to authenticate the remote machine and allow it to authenticate the user if necessary.<br />
<br />
Besides connecting to other devices, SSH lets us copy data securely (both individual files and simulated encrypted FTP sessions), manage RSA keys so that we do not have to type passwords when connecting to devices, and pass the data of any other application through a secure channel tunnelled over SSH.<br />
<br />
An SSH server, by default, listens on TCP port 22. An SSH client program is generally used to establish connections to an ''sshd'' daemon that accepts remote connections. Both are commonly found on most modern operating systems, including Mac OS X, Linux, Solaris and OpenVMS. Proprietary, freeware and open-source versions of various levels of complexity and completeness exist.<br />
<br />
(Source: [[Wikipedia:Secure Shell]])<br />
<br />
= OpenSSH =<br />
<br />
OpenSSH (OpenBSD Secure Shell) is a set of computer programs that provide an encrypted communication session over a computer network using the SSH protocol. It was created as an open-source alternative to the proprietary software offered by SSH Communications Security. OpenSSH is developed as part of the OpenBSD project, which is led by Theo de Raadt.<br />
<br />
OpenSSH is sometimes confused with OpenSSL because of the similar name; however, the projects have different goals and are developed by different teams.<br />
<br />
== Installing OpenSSH ==<br />
# pacman -S openssh<br />
<br />
== Configuring SSH ==<br />
===Client===<br />
The SSH client configuration file can be found and edited in {{Filename|/etc/ssh/ssh_config}}.<br />
<br />
An example configuration: <br />
<br />
{{File|name=/etc/ssh/ssh_config|content=<br />
<br />
# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $<br />
<br />
# This is the ssh client system-wide configuration file. See<br />
# ssh_config(5) for more information. This file provides defaults for<br />
# users, and the values can be changed in per-user configuration files<br />
# or on the command line.<br />
<br />
# Configuration data is parsed as follows:<br />
# 1. command line options<br />
# 2. user-specific file<br />
# 3. system-wide file<br />
# Any configuration value is only changed the first time it is set.<br />
# Thus, host-specific definitions should be at the beginning of the<br />
# configuration file, and defaults at the end.<br />
<br />
# Site-wide defaults for some commonly used options. For a comprehensive<br />
# list of available options, their meanings and defaults, please see the<br />
# ssh_config(5) man page.<br />
<br />
Host *<br />
# ForwardAgent no<br />
# ForwardX11 no<br />
# RhostsRSAAuthentication no<br />
# RSAAuthentication yes<br />
# PasswordAuthentication yes<br />
# HostbasedAuthentication no<br />
# GSSAPIAuthentication no<br />
# GSSAPIDelegateCredentials no<br />
# BatchMode no<br />
# CheckHostIP yes<br />
# AddressFamily any<br />
# ConnectTimeout 0<br />
# StrictHostKeyChecking ask<br />
# IdentityFile ~/.ssh/identity<br />
# IdentityFile ~/.ssh/id_rsa<br />
# IdentityFile ~/.ssh/id_dsa<br />
# Port 22<br />
# Protocol 2,1<br />
# Cipher 3des<br />
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc<br />
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160<br />
# EscapeChar ~<br />
# Tunnel no<br />
# TunnelDevice any:any<br />
# PermitLocalCommand no<br />
# VisualHostKey no<br />
HashKnownHosts yes<br />
StrictHostKeyChecking ask}}<br />
<br />
It is recommended to change the Protocol line to this:<br />
Protocol 2<br />
<br />
This means that only Protocol 2 will be used, since Protocol 1 is considered somewhat insecure.<br />
<br />
===Daemon===<br />
The SSH daemon configuration file can be found and edited in {{Filename|/etc/ssh/ssh'''d'''_config}}.<br />
An example configuration: <br />
<br />
{{File|name=/etc/ssh/sshd_config|content=<br />
<br />
# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $<br />
<br />
# This is the sshd server system-wide configuration file. See<br />
# sshd_config(5) for more information.<br />
<br />
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin<br />
<br />
# The strategy used for options in the default sshd_config shipped with<br />
# OpenSSH is to specify options with their default value where<br />
# possible, but leave them commented. Uncommented options change a<br />
# default value.<br />
<br />
#Port 22<br />
#Protocol 2,1<br />
ListenAddress 0.0.0.0<br />
#ListenAddress ::<br />
<br />
# HostKey for protocol version 1<br />
#HostKey /etc/ssh/ssh_host_key<br />
# HostKeys for protocol version 2<br />
#HostKey /etc/ssh/ssh_host_rsa_key<br />
#HostKey /etc/ssh/ssh_host_dsa_key<br />
<br />
# Lifetime and size of ephemeral version 1 server key<br />
#KeyRegenerationInterval 1h<br />
#ServerKeyBits 768<br />
<br />
# Logging<br />
#obsoletes QuietMode and FascistLogging<br />
#SyslogFacility AUTH<br />
#LogLevel INFO<br />
<br />
# Authentication:<br />
<br />
#LoginGraceTime 2m<br />
#PermitRootLogin yes<br />
#StrictModes yes<br />
#MaxAuthTries 6<br />
<br />
#RSAAuthentication yes<br />
#PubkeyAuthentication yes<br />
#AuthorizedKeysFile .ssh/authorized_keys<br />
<br />
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts<br />
#RhostsRSAAuthentication no<br />
# similar for protocol version 2<br />
#HostbasedAuthentication no<br />
# Change to yes if you don't trust ~/.ssh/known_hosts for<br />
# RhostsRSAAuthentication and HostbasedAuthentication<br />
#IgnoreUserKnownHosts no<br />
# Don't read the user's ~/.rhosts and ~/.shosts files<br />
#IgnoreRhosts yes<br />
<br />
# To disable tunneled clear text passwords, change to no here!<br />
#PasswordAuthentication yes<br />
#PermitEmptyPasswords no<br />
<br />
# Change to no to disable s/key passwords<br />
#ChallengeResponseAuthentication yes<br />
<br />
# Kerberos options<br />
#KerberosAuthentication no<br />
#KerberosOrLocalPasswd yes<br />
#KerberosTicketCleanup yes<br />
#KerberosGetAFSToken no<br />
<br />
# GSSAPI options<br />
#GSSAPIAuthentication no<br />
#GSSAPICleanupCredentials yes<br />
<br />
# Set this to 'yes' to enable PAM authentication, account processing,<br />
# and session processing. If this is enabled, PAM authentication will<br />
# be allowed through the ChallengeResponseAuthentication mechanism.<br />
# Depending on your PAM configuration, this may bypass the setting of<br />
# PasswordAuthentication, PermitEmptyPasswords, and<br />
# "PermitRootLogin without-password". If you just want the PAM account and<br />
# session checks to run without PAM authentication, then enable this but set<br />
# ChallengeResponseAuthentication=no<br />
#UsePAM no<br />
<br />
#AllowTcpForwarding yes<br />
#GatewayPorts no<br />
#X11Forwarding no<br />
#X11DisplayOffset 10<br />
#X11UseLocalhost yes<br />
#PrintMotd yes<br />
#PrintLastLog yes<br />
#TCPKeepAlive yes<br />
#UseLogin no<br />
#UsePrivilegeSeparation yes<br />
#PermitUserEnvironment no<br />
#Compression yes<br />
#ClientAliveInterval 0<br />
#ClientAliveCountMax 3<br />
#UseDNS yes<br />
#PidFile /var/run/sshd.pid<br />
#MaxStartups 10<br />
<br />
# no default banner path<br />
#Banner /some/path<br />
<br />
# override default of no subsystems<br />
Subsystem sftp /usr/lib/ssh/sftp-server}}<br />
<br />
<br />
To allow access only to some users, add this line:<br />
AllowUsers user1 user2<br />
<br />
You might want to change some lines so that they look as follows:<br />
<br />
<pre><br />
Protocol 2<br />
.<br />
.<br />
.<br />
LoginGraceTime 120<br />
.<br />
.<br />
.<br />
PermitRootLogin no # (put yes here if you want root login)<br />
</pre><br />
<br />
You can also uncomment the BANNER option and edit {{Filename|/etc/issue}} for a nice welcome message.<br />
<br />
{{Tip| You may want to change the default port from 22 to any higher port (see [http://en.wikipedia.org/wiki/Security_through_obscurity security through obscurity]).}} <br />
<br />
Even though the port ssh is running on can be detected with a port scanner such as nmap, changing it will reduce the number of authentication attempts caused by automated login attempts. <br />
<br />
===Restricting access===<br />
{{Box Note | You have to adjust this file to connect remotely to the machine, since it is empty by default}}<br />
<br />
To let other people log in to your machine you need to make some changes to {{Filename|/etc/hosts.allow}}, adding the following:<br />
<br />
<pre><br />
# let everyone connect<br />
sshd: ALL<br />
<br />
# OR restrict it to a certain IP<br />
sshd: 192.168.0.1<br />
<br />
# OR restrict it to an IP range<br />
sshd: 10.0.0.0/255.255.255.0<br />
<br />
# OR restrict it to an IP match<br />
sshd: 192.168.1.<br />
</pre><br />
<br />
Now you should check your {{Filename|/etc/hosts.deny}} for the following line and make sure it looks like this:<br />
ALL: ALL<br />
<br />
That's it. You can SSH to other machines and also allow others to connect to yours :).<br />
<br />
To start using the new configuration, restart the daemon (as root):<br />
# /etc/rc.d/sshd restart<br />
<br />
== Managing the SSHD daemon ==<br />
Just add sshd to the "DAEMONS" section of your {{Filename|/etc/[[rc.conf]]}}:<br />
DAEMONS=(... ... '''sshd''' ... ...)<br />
<br />
To start/restart/stop the daemon, use the following:<br />
# /etc/rc.d/sshd {start|stop|restart}<br />
<br />
==Connecting to the server==<br />
To connect to a server, run:<br />
$ ssh -p port user@server-address<br />
<br />
= Tips and tricks =<br />
<br />
== Encrypted tunnels ==<br />
This type of connection is very useful for laptop users connected to various unsafe wireless networks. The only thing you need is an SSH server running somewhere secure, such as your home or your workplace. It can be useful to use a dynamic DNS service such as DynDNS so that you do not have to remember the IP address you want to connect to.<br />
<br />
=== Step 1: Start the connection ===<br />
The only thing you have to do is run this command in your favourite terminal to start the connection:<br />
$ ssh -ND 4711 user@host<br />
where {{Codeline|"user"}} is your user name on the SSH server running at {{Codeline|"host"}}. It will ask for your password, and then you're connected! The {{Codeline|"N"}} flag disables the interactive prompt, and the {{Codeline|"D"}} flag specifies the local port to listen on (you can choose any port number you want).<br />
<br />
An easy way to do this is to add an alias to your {{Filename|~/.bashrc}} file like the following:<br />
alias sshtunnel="ssh -ND 4711 -v user@host"<br />
<br />
=== Step 2: Configure your browser (or other programs) ===<br />
<br />
The previous step is useless if you do not configure your web browser (or other programs) to use the tunnel you have just created. Since the current version of SSH supports both SOCKS4 and SOCKS5, you can use either of them.<br />
<br />
* For Firefox: ''Edit &rarr; Preferences &rarr; Advanced &rarr; Network &rarr; Connection &rarr; Settings'':<br />
: Check the ''"manual proxy configuration"'' box, type "localhost" in the ''"SOCKS host"'' field, and then type your port number in the next text field.<br />
<br />
* For Chromium: the SOCKS settings can be set either as environment variables or as command-line options. It is recommended to add one of the following functions to {{Filename|.bashrc}}:<br />
function secure_chromium() {<br />
port=4711<br />
export SOCKS_SERVER=localhost:$port<br />
export SOCKS_VERSION=5<br />
chromium &<br />
exit<br />
}<br />
Or<br />
function secure_chromium {<br />
port=4343<br />
chromium --proxy-server="socks://localhost:$port" &<br />
exit<br />
}<br />
<br />
Now just open a terminal and type:<br />
$ secure_chromium<br />
<br />
Done. Enjoy your secure tunnel!<br />
<br />
== X11 Forwarding ==<br />
<br />
To run graphical programs over an SSH connection you can enable X11 forwarding. This option must be specified in both the server and the client configuration files (here "client" means your machine, on which your X11 server runs; you will run X applications on the "server").<br />
<br />
Install xorg-xauth on the server:<br />
# pacman -S xorg-xauth<br />
<br />
* Enable the '''AllowTcpForwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Enable the '''X11Forwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Set the '''X11DisplayOffset''' option in {{Filename|sshd_config}} on the '''server''' to 10.<br />
* Enable the '''X11UseLocalhost''' option in {{Filename|sshd_config}} on the '''server'''.<br />
<br />
<br />
* Enable the '''ForwardX11''' option in {{Filename|ssh_config}} on the '''client'''.<br />
<br />
To use the forwarding, log in to the server via ssh:<br />
# ssh -X -p port user@server-address<br />
If you get errors when trying to run graphical applications, try trusted forwarding:<br />
# ssh -Y -p port user@server-address<br />
You can now start any X application on the remote server; its output will be sent to your local session:<br />
# xclock<br />
<br />
== Speeding up SSH ==<br />
Changing the ciphers used by SSH to less CPU-demanding ones can increase speed. In this respect, the best options are arcfour and blowfish-cbc. To use them, run SSH with the {{Codeline|"c"}} flag, as follows:<br />
# ssh -c arcfour,blowfish-cbc user@server-address<br />
To use them permanently, add this line under the appropriate host in {{Filename|/etc/ssh/ssh_config}}:<br />
Ciphers arcfour,blowfish-cbc<br />
Another option to improve speed is to enable compression with the {{Codeline|"C"}} flag. A permanent solution is to add this line under the correct host in {{Filename|/etc/ssh/ssh_config}}:<br />
Compression yes<br />
Login time can be shortened with the {{Codeline|"4"}} flag, which skips the IPv6 lookup. This can be made permanent by adding this line under the correct host in {{Filename|/etc/ssh/ssh_config}}:<br />
AddressFamily inet<br />
Another way to make the changes permanent is to create an alias in {{Filename|~/.bashrc}}:<br />
alias ssh='ssh -C4c arcfour,blowfish-cbc'<br />
Finally, you can make all sessions to the same server share a single connection, which speeds up subsequent logins, by adding these lines under the appropriate host in {{Filename|/etc/ssh/ssh_config}}:<br />
ControlMaster auto<br />
ControlPath ~/.ssh/socket-%r@%h:%p<br />
<br />
=== Troubleshooting ===<br />
<br />
Make sure the DISPLAY string points to the remote server:<br />
<br />
ssh -X user@server-address<br />
server$ echo $DISPLAY<br />
localhost:10.0<br />
server$ telnet localhost 6010<br />
localhost/6010: lookup failure: Temporary failure in name resolution <br />
<br />
This can be fixed by adding localhost to {{Filename|/etc/hosts}}.<br />
<br />
== Mounting a remote filesystem with SSHFS ==<br />
<br />
Install sshfs:<br />
# pacman -S sshfs<br />
<br />
Load the Fuse module:<br />
# modprobe fuse<br />
Add fuse to the ''modules'' array in {{Filename|/etc/rc.conf}} to load it at every boot.<br />
<br />
Mount the remote folder using sshfs:<br />
# mkdir ~/remote_folder<br />
# sshfs USER@remote_server:/tmp ~/remote_folder<br />
<br />
The above command will mount the /tmp folder on the remote server as ~/remote_folder on the local machine. Copying any file into this folder results in a transparent copy over the network using SFTP. The same applies to editing files directly, creating them or deleting them.<br />
<br />
Once you have finished working with the remote filesystem, you can unmount the remote folder with the following command:<br />
# fusermount -u ~/remote_folder<br />
<br />
If you work with this folder daily, it is advisable to add it to the {{Filename|/etc/fstab}} table. This way it can be mounted automatically at boot or manually (if the {{Codeline|noauto}} option is chosen), without the need to specify the remote location every time. Here is an example entry in the table:<br />
sshfs#USER@remote_server:/tmp /full/path/to/directory fuse defaults,auto,allow_other 0 0<br />
<br />
=== Keep alive ===<br />
<br />
Your ssh session will be automatically disconnected if it is idle. To keep the connection alive, add this to {{Filename|~/.ssh/config}} or to {{Filename|/etc/ssh/ssh_config}} on the client.<br />
<br />
ServerAliveInterval 5<br />
<br />
This will send a "keep alive" signal to the server every 5 seconds. You can usually increase this interval, for example to 120.<br />
<br />
= See also =<br />
*[[Using SSH Keys]]<br />
*[[Pam_abl]]<br />
<br />
= Links & References =<br />
*[http://www.soloport.com/iptables.html A Cure for the Common SSH Login Attack]<br />
*[http://www.la-samhna.de/library/brutessh.html Defending against brute force ssh attacks]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=OpenSSH&diff=135704OpenSSH2011-04-02T20:54:49Z<p>Sironitomas: /* Step 2: Configure your Browser (or other programs) */</p>
<hr />
<div>[[Category:Daemons and system services (English)]]<br />
{{i18n|SSH}}<br />
[[pl:SSH]]<br />
[[fr:ssh]]<br />
<br />
Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.<br />
<br />
SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding arbitrary TCP ports and X11 connections; file transfer can be accomplished using the associated SFTP or SCP protocols.<br />
<br />
An SSH server, by default, listens on the standard TCP port 22. An SSH client program is typically used for establishing connections to an ''sshd'' daemon accepting remote connections. Both are commonly present on most modern operating systems, including Mac OS X, GNU/Linux, Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.<br />
<br />
(Source: [[Wikipedia:Secure Shell]])<br />
<br />
= OpenSSH =<br />
<br />
OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the ssh protocol. It was created as an open source alternative to the proprietary Secure Shell software suite offered by SSH Communications Security. OpenSSH is developed as part of the OpenBSD project, which is led by Theo de Raadt.<br />
<br />
OpenSSH is occasionally confused with the similarly-named OpenSSL; however, the projects have different purposes and are developed by different teams. The similar name is drawn only from similar goals.<br />
<br />
== Installing OpenSSH ==<br />
# pacman -S openssh<br />
<br />
== Configuring SSH ==<br />
===Client===<br />
The SSH client configuration file can be found and edited in {{Filename|/etc/ssh/ssh_config}}.<br />
<br />
An example configuration: <br />
<br />
{{File|name=/etc/ssh/ssh_config|content=<br />
<br />
# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $<br />
<br />
# This is the ssh client system-wide configuration file. See<br />
# ssh_config(5) for more information. This file provides defaults for<br />
# users, and the values can be changed in per-user configuration files<br />
# or on the command line.<br />
<br />
# Configuration data is parsed as follows:<br />
# 1. command line options<br />
# 2. user-specific file<br />
# 3. system-wide file<br />
# Any configuration value is only changed the first time it is set.<br />
# Thus, host-specific definitions should be at the beginning of the<br />
# configuration file, and defaults at the end.<br />
<br />
# Site-wide defaults for some commonly used options. For a comprehensive<br />
# list of available options, their meanings and defaults, please see the<br />
# ssh_config(5) man page.<br />
<br />
Host *<br />
# ForwardAgent no<br />
# ForwardX11 no<br />
# RhostsRSAAuthentication no<br />
# RSAAuthentication yes<br />
# PasswordAuthentication yes<br />
# HostbasedAuthentication no<br />
# GSSAPIAuthentication no<br />
# GSSAPIDelegateCredentials no<br />
# BatchMode no<br />
# CheckHostIP yes<br />
# AddressFamily any<br />
# ConnectTimeout 0<br />
# StrictHostKeyChecking ask<br />
# IdentityFile ~/.ssh/identity<br />
# IdentityFile ~/.ssh/id_rsa<br />
# IdentityFile ~/.ssh/id_dsa<br />
# Port 22<br />
# Protocol 2,1<br />
# Cipher 3des<br />
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc<br />
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160<br />
# EscapeChar ~<br />
# Tunnel no<br />
# TunnelDevice any:any<br />
# PermitLocalCommand no<br />
# VisualHostKey no<br />
HashKnownHosts yes<br />
StrictHostKeyChecking ask}}<br />
<br />
It is recommended to change the Protocol line into this:<br />
Protocol 2<br />
<br />
That means that only Protocol 2 will be used, since Protocol 1 is considered somewhat insecure.<br />
<br />
===Daemon===<br />
The SSH daemon configuration file can be found and edited in {{Filename|/etc/ssh/ssh'''d'''_config}}.<br />
<br />
An example configuration: <br />
<br />
{{File|name=/etc/ssh/sshd_config|content=<br />
<br />
# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $<br />
<br />
# This is the sshd server system-wide configuration file. See<br />
# sshd_config(5) for more information.<br />
<br />
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin<br />
<br />
# The strategy used for options in the default sshd_config shipped with<br />
# OpenSSH is to specify options with their default value where<br />
# possible, but leave them commented. Uncommented options change a<br />
# default value.<br />
<br />
#Port 22<br />
#Protocol 2,1<br />
ListenAddress 0.0.0.0<br />
#ListenAddress ::<br />
<br />
# HostKey for protocol version 1<br />
#HostKey /etc/ssh/ssh_host_key<br />
# HostKeys for protocol version 2<br />
#HostKey /etc/ssh/ssh_host_rsa_key<br />
#HostKey /etc/ssh/ssh_host_dsa_key<br />
<br />
# Lifetime and size of ephemeral version 1 server key<br />
#KeyRegenerationInterval 1h<br />
#ServerKeyBits 768<br />
<br />
# Logging<br />
#obsoletes QuietMode and FascistLogging<br />
#SyslogFacility AUTH<br />
#LogLevel INFO<br />
<br />
# Authentication:<br />
<br />
#LoginGraceTime 2m<br />
#PermitRootLogin yes<br />
#StrictModes yes<br />
#MaxAuthTries 6<br />
<br />
#RSAAuthentication yes<br />
#PubkeyAuthentication yes<br />
#AuthorizedKeysFile .ssh/authorized_keys<br />
<br />
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts<br />
#RhostsRSAAuthentication no<br />
# similar for protocol version 2<br />
#HostbasedAuthentication no<br />
# Change to yes if you don't trust ~/.ssh/known_hosts for<br />
# RhostsRSAAuthentication and HostbasedAuthentication<br />
#IgnoreUserKnownHosts no<br />
# Don't read the user's ~/.rhosts and ~/.shosts files<br />
#IgnoreRhosts yes<br />
<br />
# To disable tunneled clear text passwords, change to no here!<br />
#PasswordAuthentication yes<br />
#PermitEmptyPasswords no<br />
<br />
# Change to no to disable s/key passwords<br />
#ChallengeResponseAuthentication yes<br />
<br />
# Kerberos options<br />
#KerberosAuthentication no<br />
#KerberosOrLocalPasswd yes<br />
#KerberosTicketCleanup yes<br />
#KerberosGetAFSToken no<br />
<br />
# GSSAPI options<br />
#GSSAPIAuthentication no<br />
#GSSAPICleanupCredentials yes<br />
<br />
# Set this to 'yes' to enable PAM authentication, account processing,<br />
# and session processing. If this is enabled, PAM authentication will<br />
# be allowed through the ChallengeResponseAuthentication mechanism.<br />
# Depending on your PAM configuration, this may bypass the setting of<br />
# PasswordAuthentication, PermitEmptyPasswords, and<br />
# "PermitRootLogin without-password". If you just want the PAM account and<br />
# session checks to run without PAM authentication, then enable this but set<br />
# ChallengeResponseAuthentication=no<br />
#UsePAM no<br />
<br />
#AllowTcpForwarding yes<br />
#GatewayPorts no<br />
#X11Forwarding no<br />
#X11DisplayOffset 10<br />
#X11UseLocalhost yes<br />
#PrintMotd yes<br />
#PrintLastLog yes<br />
#TCPKeepAlive yes<br />
#UseLogin no<br />
#UsePrivilegeSeparation yes<br />
#PermitUserEnvironment no<br />
#Compression yes<br />
#ClientAliveInterval 0<br />
#ClientAliveCountMax 3<br />
#UseDNS yes<br />
#PidFile /var/run/sshd.pid<br />
#MaxStartups 10<br />
<br />
# no default banner path<br />
#Banner /some/path<br />
<br />
# override default of no subsystems<br />
Subsystem sftp /usr/lib/ssh/sftp-server}}<br />
<br />
<br />
To allow access only for some users add this line:<br />
AllowUsers user1 user2<br />
<br />
You might want to change some lines so that they look as following:<br />
<pre><br />
Protocol 2<br />
.<br />
.<br />
.<br />
LoginGraceTime 120<br />
.<br />
.<br />
.<br />
PermitRootLogin no # (put yes here if you want root login)<br />
</pre><br />
<br />
You could also uncomment the BANNER option and edit {{Filename|/etc/issue}} for a nice welcome message.<br />
<br />
{{Tip| You may want to change the default port from 22 to any higher port (see [http://en.wikipedia.org/wiki/Security_through_obscurity security through obscurity]).}} <br />
<br />
Even though the port ssh is running on could be detected by using a port-scanner like nmap, changing it will reduce the number of log entries caused by automated authentication attempts.<br />
<br />
{{Tip| Disabling password logins entirely may also increase security, since each user with access to the server will need to create ssh keys. (see [http://wiki.archlinux.org/index.php/Using_SSH_Keys Using SSH Keys]).}}<br />
<br />
{{File|name=/etc/ssh/sshd_config|content=<br />
PasswordAuthentication no<br />
ChallengeResponseAuthentication no}}<br />
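The following POSIX shell script is an added example, not code from the wiki page: it audits an {{Filename|sshd_config}} for the directives recommended in this section and in the corresponding "Daemon" section of the Spanish copy above (Protocol 2, PermitRootLogin no, PasswordAuthentication no, ChallengeResponseAuthentication no). It follows the sshd_config(5) rule that the first uncommented occurrence of a keyword wins, and stops at the first Match block because directives there are conditional; the file it checks in the demo is constructed.<br />

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: audit an sshd_config against the
# hardening directives recommended above. Two sshd_config(5) parsing rules
# matter here:
#   1. the FIRST uncommented occurrence of a keyword wins, so a later
#      "PermitRootLogin no" does not override an earlier "PermitRootLogin yes";
#   2. directives after a "Match" line are conditional, so the audit stops there.

# effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD, or nothing when the keyword is
# not set (the compiled-in default then applies). Keywords are case-insensitive
# and may be written as "Key value" or "Key=value".
effective_value() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }                      # drop indentation
        /^#/ || /^$/ { next }                       # skip comments and blanks
        { split($0, f, "[ \t=]+") }                 # f[1]=keyword, f[2]=value
        tolower(f[1]) == "match" { exit }           # conditional section: stop
        tolower(f[1]) == tolower(key) { print f[2]; exit }
    ' "$1"
}

# check_sshd_config FILE
# Prints one line per directive and returns the number of directives that are
# missing or weaker than recommended (0 means the file passes).
check_sshd_config() {
    findings=0
    for rule in 'Protocol|2' 'PermitRootLogin|no' \
                'PasswordAuthentication|no' 'ChallengeResponseAuthentication|no'; do
        key=${rule%%|*}
        want=${rule#*|}
        have=$(effective_value "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key (commented out, default applies; want '$want')"
            findings=$((findings + 1))
        elif [ "$have" != "$want" ]; then
            echo "WEAK    $key $have (want '$want')"
            findings=$((findings + 1))
        else
            echo "OK      $key $have"
        fi
    done
    return "$findings"
}

# Stand-alone demo on a constructed sshd_config: root login is enabled and
# ChallengeResponseAuthentication is left commented out, so two findings.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#Port 22
Protocol 2
#PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication no
#ChallengeResponseAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
if check_sshd_config "$demo"; then
    echo "$demo: all recommended directives are set"
else
    echo "$demo: $? directive(s) need attention"
fi
rm -f "$demo"
```

Run it as `sh audit.sh` after pointing the demo at {{Filename|/etc/ssh/sshd_config}}; a non-zero exit status is the count of directives to fix.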
<br />
===Allowing others in===<br />
{{Box Note | You have to adjust this file to remotely connect to your machine since the file is empty by default}}<br />
<br />
To let other people ssh to your machine you need to adjust {{Filename|/etc/hosts.allow}}, add the following:<br />
<br />
<pre><br />
# let everyone connect to you<br />
sshd: ALL<br />
<br />
# OR you can restrict it to a certain ip<br />
sshd: 192.168.0.1<br />
<br />
# OR restrict for an IP range<br />
sshd: 10.0.0.0/255.255.255.0<br />
<br />
# OR restrict for an IP match<br />
sshd: 192.168.1.<br />
</pre><br />
<br />
Now you should check your {{Filename|/etc/hosts.deny}} for the following line and make sure it looks like this:<br />
ALL: ALL<br />
<br />
That's it. You can SSH out and others should be able to SSH in :).<br />
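As an added example (not from the wiki page), the POSIX shell script below predicts whether tcp_wrappers would let a given client address reach sshd under the {{Filename|/etc/hosts.allow}} and {{Filename|/etc/hosts.deny}} rules shown in this section and in the "Restricting access" section of the Spanish copy above. It handles only the address forms used on the page (ALL, an exact IP, a net/mask pair and a trailing-dot prefix); hostnames and EXCEPT clauses are not supported, and the rule files in the demo are constructed.<br />

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: predict whether tcp_wrappers would
# let a client address reach sshd, given hosts.allow and hosts.deny.
# Only the address forms used on the page are handled (ALL, an exact IP, a
# net/mask pair, and a trailing-dot prefix); hostnames and EXCEPT are not.

# ip2int DOTTED_QUAD -> prints the IPv4 address as an unsigned integer
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# hosts_access_match PATTERN IP -> exit 0 when PATTERN covers IP
hosts_access_match() {
    pat=$1 ip=$2
    case $pat in
        ALL) return 0 ;;
        */*)                                   # net/mask, e.g. 10.0.0.0/255.255.255.0
            net=$(ip2int "${pat%/*}") mask=$(ip2int "${pat#*/}")
            [ $(( $(ip2int "$ip") & mask )) -eq $(( net & mask )) ] ;;
        *.)                                    # prefix, e.g. 192.168.1.
            case $ip in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        *)  [ "$pat" = "$ip" ] ;;              # exact address
    esac
}

# file_grants FILE IP -> exit 0 when any "sshd: ..." or "ALL: ..." entry in
# FILE matches IP (comments and blank lines are ignored; a missing file
# simply matches nothing)
file_grants() {
    grep -v '^[ \t]*#' "$1" 2>/dev/null | {
        while IFS=: read -r daemons clients; do
            [ -n "$clients" ] || continue
            for d in $(printf '%s\n' "$daemons" | tr ',' ' '); do
                [ "$d" = ALL ] || [ "$d" = sshd ] || continue
                for c in $(printf '%s\n' "$clients" | tr ',' ' '); do
                    hosts_access_match "$c" "$2" && exit 0
                done
            done
        done
        exit 1
    }
}

# sshd_allowed IP [ALLOW_FILE] [DENY_FILE] -> prints "allow" or "deny".
# tcp_wrappers consults hosts.allow first, then hosts.deny, and lets the
# connection through when neither file matches.
sshd_allowed() {
    allow=${2:-/etc/hosts.allow} deny=${3:-/etc/hosts.deny}
    if file_grants "$allow" "$1"; then echo allow
    elif file_grants "$deny" "$1"; then echo deny
    else echo allow
    fi
}

# Stand-alone demo with constructed rule files mirroring the wiki's examples
allow_f=$(mktemp) deny_f=$(mktemp)
printf '# constructed hosts.allow\nsshd: 10.0.0.0/255.255.255.0, 192.168.1.\n' > "$allow_f"
printf '# constructed hosts.deny\nALL: ALL\n' > "$deny_f"
for client in 10.0.0.42 192.168.1.7 192.168.2.7 203.0.113.9; do
    echo "$client -> $(sshd_allowed "$client" "$allow_f" "$deny_f")"
done
rm -f "$allow_f" "$deny_f"
```

Call `sshd_allowed` with no file arguments to check the live files on a host before relying on the `ALL: ALL` deny rule.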
<br />
To start using the new configuration, restart the daemon (as root):<br />
# /etc/rc.d/sshd restart<br />
<br />
== Managing SSHD Daemon ==<br />
Add sshd to the DAEMONS array in {{Filename|/etc/[[rc.conf]]}} so that it is started at boot:<br />
DAEMONS=(... ... '''sshd''' ... ...)<br />
<br />
To start/restart/stop the daemon, use the following:<br />
# /etc/rc.d/sshd {start|stop|restart}<br />
<br />
==Connecting to the server==<br />
To connect to a server, run:<br />
$ ssh -p port user@server-address<br />
<br />
= Tips and Tricks =<br />
<br />
== Encrypted Socks Tunnel ==<br />
This is highly useful for laptop users who connect through untrusted wireless networks. The only thing you need is an SSH server running at a reasonably secure location, like your home or workplace. It might be useful to use a dynamic DNS service like [http://www.dyndns.org/ DynDNS] so you don't have to remember your IP address.<br />
<br />
=== Step 1: Start the Connection ===<br />
You only have to execute this single command in your favorite terminal to start the connection:<br />
$ ssh -ND 4711 user@host<br />
where {{Codeline|"user"}} is your username at the SSH server running on {{Codeline|"host"}}. It will ask for your password, and then you're connected! The {{Codeline|"-N"}} flag tells ssh not to run a remote command (so no shell prompt is opened), and the {{Codeline|"-D"}} flag specifies the local port on which to listen (you can choose any port number you want). By default that listener is bound to localhost only, so other machines cannot use your tunnel as an open proxy.<br />
<br />
One way to make this easier is to put an alias line in your {{Filename|~/.bashrc}} file as follows:<br />
alias sshtunnel="ssh -ND 4711 -v user@host"<br />
It's nice to add the verbose {{Codeline|"-v"}} flag, because then you can verify from that output that it actually connected. Now you just have to execute the {{Codeline|"sshtunnel"}} command :)<br />
<br />
=== Step 2: Configure your Browser (or other programs) ===<br />
<br />
The above step is completely useless if you don't configure your web browser (or other programs) to use this newly created SOCKS tunnel. Since the current version of SSH supports both SOCKS4 and SOCKS5, you can use either of them.<br />
<br />
* For Firefox: ''Edit &rarr; Preferences &rarr; Advanced &rarr; Network &rarr; Connection &rarr; Settings'':<br />
: Check the ''"Manual proxy configuration"'' radio button, enter "localhost" in the ''"SOCKS host"'' text field, and then enter your port number in the next text field (I used 4711 above).<br />
<br />
* For Chromium: You can set the SOCKS settings as environment variables or as command line options. I recommend adding one of the following functions to your {{Filename|~/.bashrc}} (both use the same port 4711 as the tunnel above; note that the final {{Codeline|exit}} closes the terminal the function was run from):<br />
<pre><br />
function secure_chromium {<br />
    port=4711<br />
    export SOCKS_SERVER=localhost:$port<br />
    export SOCKS_VERSION=5<br />
    chromium &<br />
    exit<br />
}<br />
</pre><br />
OR<br />
<pre><br />
function secure_chromium {<br />
    port=4711<br />
    chromium --proxy-server="socks://localhost:$port" &<br />
    exit<br />
}<br />
</pre><br />
<br />
Now open a terminal and just do:<br />
$ secure_chromium<br />
<br />
Enjoy your secure tunnel!<br />
<br />
== X11 Forwarding ==<br />
<br />
To run graphical programs through an SSH connection you can enable X11 forwarding. Options need to be set in the configuration files on both the server and the client (here "client" means the desktop machine your X11 server runs on, while the X applications themselves run on the "server").<br />
<br />
Install xorg-xauth on the server:<br />
# pacman -S xorg-xauth<br />
<br />
* Enable the '''AllowTcpForwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Enable the '''X11Forwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Set the '''X11DisplayOffset''' option in {{Filename|sshd_config}} on the '''server''' to 10.<br />
* Enable the '''X11UseLocalhost''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Enable the '''ForwardX11''' option in {{Filename|ssh_config}} on the '''client'''.<br />
<br />
To use the forwarding, log on to your server through ssh:<br />
$ ssh -X -p port user@server-address<br />
If you receive errors trying to run graphical applications, try trusted forwarding instead (note that {{Codeline|-Y}} gives the remote programs full access to your local X display):<br />
$ ssh -Y -p port user@server-address<br />
You can now start any X program on the remote server; its output will be forwarded to your local session:<br />
$ xclock<br />
<br />
If you get "Cannot open display" errors, try the following command as the non-root user:<br />
$ xhost +<br />
<br />
The above command disables X access control entirely, so any host can connect to your X server. To restrict access to a particular host, type:<br />
$ xhost +hostname<br />
<br />
where hostname is the name of the particular host you want to allow. Type "man xhost" for more details.<br />
<br />
Be careful with some applications, as they check for a running instance on the local machine. Firefox is an example: either close the running Firefox or use the following start parameter to start a separate remote instance:<br />
$ firefox -no-remote<br />
<br />
== Speed up SSH ==<br />
You can make all sessions to the same host use a single connection, which will greatly speed up subsequent logins, by adding these lines under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
ControlMaster auto<br />
ControlPath ~/.ssh/socket-%r@%h:%p<br />
<br />
Changing the ciphers used by SSH to less CPU-demanding ones can improve speed. In this aspect, the fastest choices are arcfour and blowfish-cbc. '''Please do not do this unless you know what you are doing; arcfour has a number of known weaknesses'''. To use them, run SSH with the {{Codeline|"-c"}} flag, like this:<br />
$ ssh -c arcfour,blowfish-cbc user@server-address<br />
To use them permanently, add this line under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
Ciphers arcfour,blowfish-cbc<br />
Another option to improve speed is to enable compression with the {{Codeline|"C"}} flag. A permanent solution is to add this line under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
Compression yes<br />
Login time can be shortened by using the {{Codeline|"-4"}} flag, which forces IPv4 and so skips the IPv6 lookup. This can be made permanent by adding this line under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
AddressFamily inet<br />
Another way of making these changes permanent is to create an alias in {{Filename|~/.bashrc}}:<br />
alias ssh='ssh -C4c arcfour,blowfish-cbc'<br />
<br />
=== Troubleshooting ===<br />
<br />
Make sure your DISPLAY string is resolvable on the remote end:<br />
<br />
ssh -X user@server-address<br />
server$ echo $DISPLAY<br />
localhost:10.0<br />
server$ telnet localhost 6010<br />
localhost/6010: lookup failure: Temporary failure in name resolution <br />
<br />
This can be fixed by adding localhost to {{Filename|/etc/hosts}} on the server.<br />
<br />
== Mounting a Remote Filesystem with SSHFS ==<br />
<br />
Install sshfs<br />
# pacman -S sshfs<br />
<br />
Load the FUSE module<br />
# modprobe fuse<br />
Add fuse to the ''modules'' array in {{Filename|/etc/rc.conf}} to load it on each system boot.<br />
<br />
Mount the remote folder using sshfs<br />
# mkdir ~/remote_folder<br />
# sshfs USER@remote_server:/tmp ~/remote_folder<br />
<br />
The command above will cause the folder /tmp on the remote server to be mounted as ~/remote_folder on the local machine. Copying any file to this folder will result in transparent copying over the network using SFTP. The same applies to editing, creating or removing files directly.<br />
<br />
When we're done working with the remote filesystem, we can unmount the remote folder by issuing:<br />
# fusermount -u ~/remote_folder<br />
<br />
If we work on this folder on a daily basis, it is wise to add it to the {{Filename|/etc/fstab}} table. This way it can be mounted automatically at system boot or manually (if the {{Codeline|noauto}} option is chosen) without the need to specify the remote location each time. Here is a sample entry in the table:<br />
sshfs#USER@remote_server:/tmp /full/path/to/directory fuse defaults,auto,allow_other 0 0<br />
<br />
== Keep Alive ==<br />
<br />
Your ssh session will automatically log out if it is idle. To keep the connection active (alive) add this to {{Filename|~/.ssh/config}} or to {{Filename|/etc/ssh/ssh_config}} on the client.<br />
<br />
ServerAliveInterval 120<br />
<br />
This will send a "keep alive" signal to the server every 120 seconds.<br />
<br />
Conversely, to keep incoming connections alive, you can set<br />
<br />
ClientAliveInterval 120<br />
<br />
(or some other number greater than 0) in {{Filename|/etc/ssh/sshd_config}} on the server.<br />
<br />
== Save connection data in .ssh/config ==<br />
<br />
Whenever you want to connect to a server, you usually have to type at least its address and your username. To save that typing work for servers you regularly connect to, you can use the {{Filename|$HOME/.ssh/config}} file as shown in the following example:<br />
<br />
{{File|name=$HOME/.ssh/config|content=<br />
<br />
Host myserver<br />
HostName 123.123.123.123<br />
Port 12345<br />
User bob<br />
Host other_server<br />
HostName test.something.org<br />
User alice<br />
CheckHostIP no<br />
Cipher blowfish<br />
}}<br />
<br />
Now you can simply connect to the server by using the name you specified:<br />
<br />
$ ssh myserver<br />
<br />
To see a complete list of the possible options, check out ssh_config's manpage on your system or the [http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config ssh_config documentation] on the official website.<br />
<br />
= Troubleshooting =<br />
<br />
== Connection Refused Problem ==<br />
<br />
=== Is SSH running and listening? ===<br />
<br />
# netstat -tnlp | grep ssh<br />
<br />
If the above command doesn't display anything, then sshd is NOT running or is not listening. Check <code>/var/log/messages</code> for errors etc.<br />
<br />
=== Are there firewall rules blocking the connection? ===<br />
<br />
Temporarily flush your iptables rules to make sure they are not interfering (this leaves the host without packet filtering, so restore your rule set as soon as you have finished testing):<br />
<br />
/etc/rc.d/iptables stop<br />
<br />
or:<br />
<br />
iptables -P INPUT ACCEPT<br />
iptables -P OUTPUT ACCEPT<br />
iptables -F INPUT<br />
iptables -F OUTPUT<br />
<br />
=== Have you allowed SSH in hosts.allow? ===<br />
<br />
Double check you have done [[#Allowing_others_in|this section]] correctly.<br />
<br />
=== Is the traffic even getting to your computer? ===<br />
<br />
Start a traffic dump on the computer you're having problems with:<br />
<br />
tcpdump -lnn -i any 'port ssh and tcp[tcpflags] & tcp-syn != 0'<br />
<br />
This prints some header information and then waits for matching packets before displaying them. Try your connection now. If you don't see any output when you attempt to connect, then something outside of your computer is blocking the traffic (e.g. a hardware firewall or NAT router).<br />
<br />
= See Also =<br />
*[[Using SSH Keys]]<br />
*[[Pam_abl]]<br />
<br />
= Links & References =<br />
*[http://www.soloport.com/iptables.html A Cure for the Common SSH Login Attack]<br />
*[http://webssh.cz.cc Using your browser as SSH client]<br />
*[http://www.la-samhna.de/library/brutessh.html Defending against brute force ssh attacks]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=OpenSSH&diff=135475OpenSSH2011-03-31T19:22:01Z<p>Sironitomas: /* Step 2: Configure your Browser (or other programs) */</p>
<hr />
<div>[[Category:Daemons and system services (English)]]<br />
{{i18n|SSH}}<br />
[[pl:SSH]]<br />
[[fr:ssh]]<br />
<br />
Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.<br />
<br />
SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding arbitrary TCP ports and X11 connections; file transfer can be accomplished using the associated SFTP or SCP protocols.<br />
<br />
An SSH server, by default, listens on the standard TCP port 22. An SSH client program is typically used for establishing connections to an ''sshd'' daemon accepting remote connections. Both are commonly present on most modern operating systems, including Mac OS X, GNU/Linux, Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.<br />
<br />
(Source: [[Wikipedia:Secure Shell]])<br />
<br />
= OpenSSH =<br />
<br />
OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the ssh protocol. It was created as an open source alternative to the proprietary Secure Shell software suite offered by SSH Communications Security. OpenSSH is developed as part of the OpenBSD project, which is led by Theo de Raadt.<br />
<br />
OpenSSH is occasionally confused with the similarly named OpenSSL; however, the projects have different purposes and are developed by different teams, and the similar names reflect only their similar goals.<br />
<br />
== Installing OpenSSH ==<br />
# pacman -S openssh<br />
<br />
== Configuring SSH ==<br />
===Client===<br />
The SSH client configuration file is {{Filename|/etc/ssh/ssh_config}}.<br />
<br />
An example configuration: <br />
<br />
{{File|name=/etc/ssh/ssh_config|content=<br />
<br />
# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $<br />
<br />
# This is the ssh client system-wide configuration file. See<br />
# ssh_config(5) for more information. This file provides defaults for<br />
# users, and the values can be changed in per-user configuration files<br />
# or on the command line.<br />
<br />
# Configuration data is parsed as follows:<br />
# 1. command line options<br />
# 2. user-specific file<br />
# 3. system-wide file<br />
# Any configuration value is only changed the first time it is set.<br />
# Thus, host-specific definitions should be at the beginning of the<br />
# configuration file, and defaults at the end.<br />
<br />
# Site-wide defaults for some commonly used options. For a comprehensive<br />
# list of available options, their meanings and defaults, please see the<br />
# ssh_config(5) man page.<br />
<br />
Host *<br />
# ForwardAgent no<br />
# ForwardX11 no<br />
# RhostsRSAAuthentication no<br />
# RSAAuthentication yes<br />
# PasswordAuthentication yes<br />
# HostbasedAuthentication no<br />
# GSSAPIAuthentication no<br />
# GSSAPIDelegateCredentials no<br />
# BatchMode no<br />
# CheckHostIP yes<br />
# AddressFamily any<br />
# ConnectTimeout 0<br />
# StrictHostKeyChecking ask<br />
# IdentityFile ~/.ssh/identity<br />
# IdentityFile ~/.ssh/id_rsa<br />
# IdentityFile ~/.ssh/id_dsa<br />
# Port 22<br />
# Protocol 2,1<br />
# Cipher 3des<br />
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc<br />
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160<br />
# EscapeChar ~<br />
# Tunnel no<br />
# TunnelDevice any:any<br />
# PermitLocalCommand no<br />
# VisualHostKey no<br />
HashKnownHosts yes<br />
StrictHostKeyChecking ask}}<br />
<br />
It is recommended to change the Protocol line to this:<br />
Protocol 2<br />
<br />
That means that only protocol 2 will be used, since protocol 1 has known weaknesses and is considered insecure.<br />
<br />
===Daemon===<br />
The SSH daemon configuration file is {{Filename|/etc/ssh/ssh'''d'''_config}}.<br />
<br />
An example configuration: <br />
<br />
{{File|name=/etc/ssh/sshd_config|content=<br />
<br />
# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $<br />
<br />
# This is the sshd server system-wide configuration file. See<br />
# sshd_config(5) for more information.<br />
<br />
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin<br />
<br />
# The strategy used for options in the default sshd_config shipped with<br />
# OpenSSH is to specify options with their default value where<br />
# possible, but leave them commented. Uncommented options change a<br />
# default value.<br />
<br />
#Port 22<br />
#Protocol 2,1<br />
ListenAddress 0.0.0.0<br />
#ListenAddress ::<br />
<br />
# HostKey for protocol version 1<br />
#HostKey /etc/ssh/ssh_host_key<br />
# HostKeys for protocol version 2<br />
#HostKey /etc/ssh/ssh_host_rsa_key<br />
#HostKey /etc/ssh/ssh_host_dsa_key<br />
<br />
# Lifetime and size of ephemeral version 1 server key<br />
#KeyRegenerationInterval 1h<br />
#ServerKeyBits 768<br />
<br />
# Logging<br />
#obsoletes QuietMode and FascistLogging<br />
#SyslogFacility AUTH<br />
#LogLevel INFO<br />
<br />
# Authentication:<br />
<br />
#LoginGraceTime 2m<br />
#PermitRootLogin yes<br />
#StrictModes yes<br />
#MaxAuthTries 6<br />
<br />
#RSAAuthentication yes<br />
#PubkeyAuthentication yes<br />
#AuthorizedKeysFile .ssh/authorized_keys<br />
<br />
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts<br />
#RhostsRSAAuthentication no<br />
# similar for protocol version 2<br />
#HostbasedAuthentication no<br />
# Change to yes if you don't trust ~/.ssh/known_hosts for<br />
# RhostsRSAAuthentication and HostbasedAuthentication<br />
#IgnoreUserKnownHosts no<br />
# Don't read the user's ~/.rhosts and ~/.shosts files<br />
#IgnoreRhosts yes<br />
<br />
# To disable tunneled clear text passwords, change to no here!<br />
#PasswordAuthentication yes<br />
#PermitEmptyPasswords no<br />
<br />
# Change to no to disable s/key passwords<br />
#ChallengeResponseAuthentication yes<br />
<br />
# Kerberos options<br />
#KerberosAuthentication no<br />
#KerberosOrLocalPasswd yes<br />
#KerberosTicketCleanup yes<br />
#KerberosGetAFSToken no<br />
<br />
# GSSAPI options<br />
#GSSAPIAuthentication no<br />
#GSSAPICleanupCredentials yes<br />
<br />
# Set this to 'yes' to enable PAM authentication, account processing,<br />
# and session processing. If this is enabled, PAM authentication will<br />
# be allowed through the ChallengeResponseAuthentication mechanism.<br />
# Depending on your PAM configuration, this may bypass the setting of<br />
# PasswordAuthentication, PermitEmptyPasswords, and<br />
# "PermitRootLogin without-password". If you just want the PAM account and<br />
# session checks to run without PAM authentication, then enable this but set<br />
# ChallengeResponseAuthentication=no<br />
#UsePAM no<br />
<br />
#AllowTcpForwarding yes<br />
#GatewayPorts no<br />
#X11Forwarding no<br />
#X11DisplayOffset 10<br />
#X11UseLocalhost yes<br />
#PrintMotd yes<br />
#PrintLastLog yes<br />
#TCPKeepAlive yes<br />
#UseLogin no<br />
#UsePrivilegeSeparation yes<br />
#PermitUserEnvironment no<br />
#Compression yes<br />
#ClientAliveInterval 0<br />
#ClientAliveCountMax 3<br />
#UseDNS yes<br />
#PidFile /var/run/sshd.pid<br />
#MaxStartups 10<br />
<br />
# no default banner path<br />
#Banner /some/path<br />
<br />
# override default of no subsystems<br />
Subsystem sftp /usr/lib/ssh/sftp-server}}<br />
<br />
To allow access only for some users add this line:<br />
AllowUsers user1 user2<br />
<br />
You might want to change some lines so that they look like the following:<br />
<pre><br />
Protocol 2<br />
.<br />
.<br />
.<br />
LoginGraceTime 120<br />
.<br />
.<br />
.<br />
PermitRootLogin no<br />
</pre><br />
(Set the last line to yes only if you really want direct root logins. sshd does not accept trailing comments, so keep each value alone on its line.)<br />
<br />
You could also uncomment the {{Codeline|Banner}} option and edit {{Filename|/etc/issue}} for a nice welcome message (the banner is shown before authentication, so keep it free of version or host details).<br />
<br />
{{Tip| You may want to change the default port from 22 to any higher port (see [http://en.wikipedia.org/wiki/Security_through_obscurity security through obscurity]).}}<br />
<br />
Even though the port SSH is running on can still be found with a port scanner such as nmap, changing it will reduce the number of log entries caused by automated authentication attempts.<br />
<br />
{{Tip| Disabling password logins entirely may also increase security, since each user with access to the server will then need to create SSH keys (see [http://wiki.archlinux.org/index.php/Using_SSH_Keys Using SSH Keys]).}}<br />
<br />
{{File|name=/etc/ssh/sshd_config|content=<br />
PasswordAuthentication no<br />
ChallengeResponseAuthentication no}}<br />
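As an added example (not part of the ArchWiki page), the following POSIX shell script audits an sshd_config for the four hardening values recommended above; it treats commented-out lines as "still at the shipped default", exactly as sshd does, and assumes the plain "keyword value" syntax with the checked keys appearing before any Match block:<br />

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: audit an sshd_config against the
# hardening values recommended above (Protocol 2, PermitRootLogin no,
# PasswordAuthentication no, ChallengeResponseAuthentication no).

# Print the effective value of one sshd_config keyword (lower-cased), or
# nothing if the keyword only appears commented out, i.e. it is still at the
# shipped default. Like sshd, the first uncommented occurrence wins and the
# keyword is matched case-insensitively. Lines after a "Match" block are
# conditional, so the scan stops there. Assumption: the plain
# "keyword value" syntax is used (no "keyword=value").
sshd_opt() {
    _file=$1
    _kw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$_kw" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        tolower($1) == "match"   { exit }       # conditional section starts
        tolower($1) == key       { print tolower($2); exit }
    ' "$_file"
}

# Check every recommended setting, print one line per result and return the
# number of settings that are not at the recommended value (0 = all good).
check_sshd_config() {
    _cfg=$1
    _warns=0
    # keyword|recommended value|why it matters
    for _spec in \
        'Protocol|2|protocol 1 has known weaknesses' \
        'PermitRootLogin|no|log in as a normal user and escalate locally' \
        'PasswordAuthentication|no|use keys instead of guessable passwords' \
        'ChallengeResponseAuthentication|no|otherwise PAM may still prompt for a password'
    do
        _key=${_spec%%|*}
        _rest=${_spec#*|}
        _want=${_rest%%|*}
        _why=${_rest#*|}
        _have=$(sshd_opt "$_cfg" "$_key")
        if [ "$_have" = "$_want" ]; then
            echo "OK    $_key $_have"
        else
            _warns=$((_warns + 1))
            echo "WARN  $_key is '${_have:-unset (default)}', want '$_want' ($_why)"
        fi
    done
    return "$_warns"
}

# Demo on a constructed config that mirrors the shipped defaults shown above:
# everything is still commented out, so all four checks warn.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
#Port 22
#Protocol 2,1
ListenAddress 0.0.0.0
#PermitRootLogin yes
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
check_sshd_config "$demo_cfg" || echo "$? setting(s) need attention"
rm -f "$demo_cfg"
```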
<br />
===Allowing others in===<br />
{{Box Note | You have to adjust {{Filename|/etc/hosts.allow}} before anyone can connect to your machine remotely, since the file is empty by default.}}<br />
<br />
To let other people SSH into your machine, you need to adjust {{Filename|/etc/hosts.allow}} by adding one of the following:<br />
<br />
<pre><br />
# let everyone connect to you<br />
sshd: ALL<br />
<br />
# OR restrict it to a single IP address<br />
sshd: 192.168.0.1<br />
<br />
# OR restrict it to an IP range, given as network/netmask<br />
sshd: 10.0.0.0/255.255.255.0<br />
<br />
# OR restrict it to an address prefix (the trailing dot matches every host in 192.168.1.x)<br />
sshd: 192.168.1.<br />
</pre><br />
<br />
Now check your {{Filename|/etc/hosts.deny}} and make sure it contains the following line, so that anything not explicitly allowed above is refused:<br />
ALL: ALL<br />
<br />
That's it. You can SSH out and others should be able to SSH in :).<br />
<br />
To start using the new configuration, restart the daemon (as root):<br />
# /etc/rc.d/sshd restart<br />
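Added example, not from the ArchWiki page: a small POSIX shell matcher that shows which of the four hosts.allow pattern forms above would admit a given IPv4 client, evaluated in the tcp_wrappers order (hosts.allow first, then hosts.deny, otherwise allow). The sample hosts.allow and hosts.deny contents are constructed inline; only the sshd daemon and IPv4 addresses are handled:<br />

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: evaluate hosts.allow/hosts.deny
# entries for sshd the way tcp_wrappers does, for the four pattern forms
# shown above (ALL, single address, network/netmask, trailing-dot prefix).

# Convert a dotted-quad IPv4 address to an unsigned 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Return 0 if one pattern matches the client address, 1 otherwise.
pattern_matches() {
    pat=$1
    client=$2
    case $pat in
        ALL)                       # wildcard: every client
            return 0 ;;
        */*)                       # network/netmask, e.g. 10.0.0.0/255.255.255.0
            net=${pat%/*}
            m=$(ip2int "${pat#*/}")
            [ $(( $(ip2int "$client") & m )) -eq $(( $(ip2int "$net") & m )) ] ;;
        *.)                        # trailing dot: address prefix, e.g. 192.168.1.
            case $client in "$pat"*) return 0 ;; esac
            return 1 ;;
        *)                         # otherwise an exact address
            [ "$client" = "$pat" ] ;;
    esac
}

# Return 0 if any "sshd: pattern[, pattern...]" (or "ALL: ...") line in the
# file matches the client. Comment and blank lines are skipped.
file_matches() {
    _f=$1
    _c=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in '#'*|'') continue ;; esac
        daemon=$(printf '%s' "${line%%:*}" | tr -d ' \t')
        [ "$daemon" = sshd ] || [ "$daemon" = ALL ] || continue
        for p in $(printf '%s' "${line#*:}" | tr ',' ' '); do
            pattern_matches "$p" "$_c" && return 0
        done
    done < "$_f"
    return 1
}

# Decide like tcpd: a hosts.allow match wins, then a hosts.deny match
# refuses, and anything else is allowed. Prints "allow" or "deny".
wrappers_decide() {
    if file_matches "$1" "$3"; then
        echo allow
    elif file_matches "$2" "$3"; then
        echo deny
    else
        echo allow
    fi
}

# Demo with constructed files: the subnet rule and the prefix rule from the
# page in hosts.allow, and the recommended "ALL: ALL" in hosts.deny.
allow_f=$(mktemp)
deny_f=$(mktemp)
cat > "$allow_f" <<'EOF'
# constructed hosts.allow
sshd: 10.0.0.0/255.255.255.0, 192.168.1.
EOF
printf 'ALL: ALL\n' > "$deny_f"
for c in 10.0.0.7 192.168.1.200 203.0.113.5; do
    echo "$c -> $(wrappers_decide "$allow_f" "$deny_f" "$c")"
done
rm -f "$allow_f" "$deny_f"
```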
<br />
== Managing SSHD Daemon ==<br />
Add sshd to the DAEMONS array in {{Filename|/etc/[[rc.conf]]}} so that it is started at boot:<br />
DAEMONS=(... ... '''sshd''' ... ...)<br />
<br />
To start/restart/stop the daemon, use the following:<br />
# /etc/rc.d/sshd {start|stop|restart}<br />
<br />
==Connecting to the server==<br />
To connect to a server, run:<br />
$ ssh -p port user@server-address<br />
<br />
= Tips and Tricks =<br />
<br />
== Encrypted Socks Tunnel ==<br />
This is highly useful for laptop users who connect through untrusted wireless networks. The only thing you need is an SSH server running at a reasonably secure location, like your home or workplace. It might be useful to use a dynamic DNS service like [http://www.dyndns.org/ DynDNS] so you don't have to remember your IP address.<br />
<br />
=== Step 1: Start the Connection ===<br />
You only have to execute this single command in your favorite terminal to start the connection:<br />
$ ssh -ND 4711 user@host<br />
where {{Codeline|"user"}} is your username at the SSH server running on {{Codeline|"host"}}. It will ask for your password, and then you're connected! The {{Codeline|"-N"}} flag tells ssh not to run a remote command (so no shell prompt is opened), and the {{Codeline|"-D"}} flag specifies the local port on which to listen (you can choose any port number you want). By default that listener is bound to localhost only, so other machines cannot use your tunnel as an open proxy.<br />
<br />
One way to make this easier is to put an alias line in your {{Filename|~/.bashrc}} file as follows:<br />
alias sshtunnel="ssh -ND 4711 -v user@host"<br />
It's nice to add the verbose {{Codeline|"-v"}} flag, because then you can verify from that output that it actually connected. Now you just have to execute the {{Codeline|"sshtunnel"}} command :)<br />
<br />
=== Step 2: Configure your Browser (or other programs) ===<br />
<br />
The above step is completely useless if you don't configure your web browser (or other programs) to use this newly created SOCKS tunnel. Since the current version of SSH supports both SOCKS4 and SOCKS5, you can use either of them.<br />
<br />
* For Firefox: ''Edit &rarr; Preferences &rarr; Advanced &rarr; Network &rarr; Connection &rarr; Settings'':<br />
: Check the ''"Manual proxy configuration"'' radio button, enter "localhost" in the ''"SOCKS host"'' text field, and then enter your port number in the next text field (I used 4711 above).<br />
<br />
* For Chromium: You can set the SOCKS settings as environment variables or as command line options. I recommend adding one of the following functions to your {{Filename|~/.bashrc}} (both use the same port 4711 as the tunnel above; note that the final {{Codeline|exit}} closes the terminal the function was run from):<br />
<pre><br />
function secure_chromium {<br />
    port=4711<br />
    export SOCKS_SERVER=localhost:$port<br />
    export SOCKS_VERSION=5<br />
    chromium &<br />
    exit<br />
}<br />
</pre><br />
OR<br />
<pre><br />
function secure_chromium {<br />
    port=4711<br />
    chromium --proxy-server="socks://localhost:$port" &<br />
    exit<br />
}<br />
</pre><br />
<br />
Now open a terminal and just do:<br />
$ secure_chromium<br />
<br />
Enjoy your secure tunnel!<br />
<br />
== X11 Forwarding ==<br />
<br />
To run graphical programs through an SSH connection you can enable X11 forwarding. Options need to be set in the configuration files on both the server and the client (here "client" means the desktop machine your X11 server runs on, while the X applications themselves run on the "server").<br />
<br />
Install xorg-xauth on the server:<br />
# pacman -S xorg-xauth<br />
<br />
* Enable the '''AllowTcpForwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Enable the '''X11Forwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Set the '''X11DisplayOffset''' option in {{Filename|sshd_config}} on the '''server''' to 10.<br />
* Enable the '''X11UseLocalhost''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Enable the '''ForwardX11''' option in {{Filename|ssh_config}} on the '''client'''.<br />
<br />
To use the forwarding, log on to your server through ssh:<br />
$ ssh -X -p port user@server-address<br />
If you receive errors trying to run graphical applications, try trusted forwarding instead (note that {{Codeline|-Y}} gives the remote programs full access to your local X display):<br />
$ ssh -Y -p port user@server-address<br />
You can now start any X program on the remote server; its output will be forwarded to your local session:<br />
$ xclock<br />
<br />
If you get "Cannot open display" errors, try the following command as the non-root user:<br />
$ xhost +<br />
<br />
The above command disables X access control entirely, so any host can connect to your X server. To restrict access to a particular host, type:<br />
$ xhost +hostname<br />
<br />
where hostname is the name of the particular host you want to allow. Type "man xhost" for more details.<br />
<br />
Be careful with some applications, as they check for a running instance on the local machine. Firefox is an example: either close the running Firefox or use the following start parameter to start a separate remote instance:<br />
$ firefox -no-remote<br />
<br />
== Speed up SSH ==<br />
You can make all sessions to the same host use a single connection, which will greatly speed up subsequent logins, by adding these lines under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
ControlMaster auto<br />
ControlPath ~/.ssh/socket-%r@%h:%p<br />
<br />
Changing the ciphers used by SSH to less CPU-demanding ones can improve speed. In this aspect, the fastest choices are arcfour and blowfish-cbc. '''Please do not do this unless you know what you are doing; arcfour has a number of known weaknesses'''. To use them, run SSH with the {{Codeline|"-c"}} flag, like this:<br />
$ ssh -c arcfour,blowfish-cbc user@server-address<br />
To use them permanently, add this line under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
Ciphers arcfour,blowfish-cbc<br />
Another option to improve speed is to enable compression with the {{Codeline|"C"}} flag. A permanent solution is to add this line under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
Compression yes<br />
Login time can be shortened by using the {{Codeline|"-4"}} flag, which forces IPv4 and so skips the IPv6 lookup. This can be made permanent by adding this line under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
AddressFamily inet<br />
Another way of making these changes permanent is to create an alias in {{Filename|~/.bashrc}}:<br />
alias ssh='ssh -C4c arcfour,blowfish-cbc'<br />
<br />
=== Troubleshooting ===<br />
<br />
Make sure your DISPLAY string is resolvable on the remote end:<br />
<br />
ssh -X user@server-address<br />
server$ echo $DISPLAY<br />
localhost:10.0<br />
server$ telnet localhost 6010<br />
localhost/6010: lookup failure: Temporary failure in name resolution <br />
<br />
This can be fixed by adding localhost to {{Filename|/etc/hosts}} on the server.<br />
<br />
== Mounting a Remote Filesystem with SSHFS ==<br />
<br />
Install sshfs<br />
# pacman -S sshfs<br />
<br />
Load the FUSE module<br />
# modprobe fuse<br />
Add fuse to the ''modules'' array in {{Filename|/etc/rc.conf}} to load it on each system boot.<br />
<br />
Mount the remote folder using sshfs<br />
# mkdir ~/remote_folder<br />
# sshfs USER@remote_server:/tmp ~/remote_folder<br />
<br />
The command above will cause the folder /tmp on the remote server to be mounted as ~/remote_folder on the local machine. Copying any file to this folder will result in transparent copying over the network using SFTP. The same applies to editing, creating or removing files directly.<br />
<br />
When we're done working with the remote filesystem, we can unmount the remote folder by issuing:<br />
# fusermount -u ~/remote_folder<br />
<br />
If we work on this folder on a daily basis, it is wise to add it to the {{Filename|/etc/fstab}} table. This way it can be mounted automatically at system boot or manually (if the {{Codeline|noauto}} option is chosen) without the need to specify the remote location each time. Here is a sample entry in the table:<br />
sshfs#USER@remote_server:/tmp /full/path/to/directory fuse defaults,auto,allow_other 0 0<br />
<br />
== Keep Alive ==<br />
<br />
Your ssh session will automatically log out if it is idle. To keep the connection active (alive) add this to {{Filename|~/.ssh/config}} or to {{Filename|/etc/ssh/ssh_config}} on the client.<br />
<br />
ServerAliveInterval 120<br />
<br />
This will send a "keep alive" signal to the server every 120 seconds.<br />
<br />
Conversely, to keep incoming connections alive, you can set<br />
<br />
ClientAliveInterval 120<br />
<br />
(or some other number greater than 0) in {{Filename|/etc/ssh/sshd_config}} on the server.<br />
<br />
== Save connection data in .ssh/config ==<br />
<br />
Whenever you want to connect to a server, you usually have to type at least its address and your username. To save that typing work for servers you regularly connect to, you can use the {{Filename|$HOME/.ssh/config}} file as shown in the following example:<br />
<br />
{{File|name=$HOME/.ssh/config|content=<br />
<br />
Host myserver<br />
HostName 123.123.123.123<br />
Port 12345<br />
User bob<br />
Host other_server<br />
HostName test.something.org<br />
User alice<br />
CheckHostIP no<br />
Cipher blowfish<br />
}}<br />
<br />
Now you can simply connect to the server by using the name you specified:<br />
<br />
$ ssh myserver<br />
<br />
To see a complete list of the possible options, check out ssh_config's manpage on your system or the [http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config ssh_config documentation] on the official website.<br />
<br />
= Troubleshooting =<br />
<br />
== Connection Refused Problem ==<br />
<br />
=== Is SSH running and listening? ===<br />
<br />
# netstat -tnlp | grep ssh<br />
<br />
If the above command doesn't display anything, then sshd is NOT running or is not listening. Check <code>/var/log/messages</code> for errors etc.<br />
<br />
=== Are there firewall rules blocking the connection? ===<br />
<br />
Temporarily flush your iptables rules to make sure they are not interfering (this leaves the host without packet filtering, so restore your rule set as soon as you have finished testing):<br />
<br />
/etc/rc.d/iptables stop<br />
<br />
or:<br />
<br />
iptables -P INPUT ACCEPT<br />
iptables -P OUTPUT ACCEPT<br />
iptables -F INPUT<br />
iptables -F OUTPUT<br />
<br />
=== Have you allowed SSH in hosts.allow? ===<br />
<br />
Double check you have done [[#Allowing_others_in|this section]] correctly.<br />
<br />
=== Is the traffic even getting to your computer? ===<br />
<br />
Start a traffic dump on the computer you're having problems with:<br />
<br />
tcpdump -lnn -i any 'port ssh and tcp[tcpflags] & tcp-syn != 0'<br />
<br />
This prints some header information and then waits for matching packets before displaying them. Try your connection now. If you don't see any output when you attempt to connect, then something outside of your computer is blocking the traffic (e.g. a hardware firewall or NAT router).<br />
<br />
= See Also =<br />
*[[Using SSH Keys]]<br />
*[[Pam_abl]]<br />
<br />
= Links & References =<br />
*[http://www.soloport.com/iptables.html A Cure for the Common SSH Login Attack]<br />
*[http://webssh.cz.cc Using your browser as SSH client]<br />
*[http://www.la-samhna.de/library/brutessh.html Defending against brute force ssh attacks]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=OpenSSH_(Espa%C3%B1ol)&diff=135474OpenSSH (Español)2011-03-31T19:21:55Z<p>Sironitomas: /* Paso 2: Configurar tu navegador (u otros programas) */</p>
<hr />
<div>[[Category:Español]]<br />
{{i18n|SSH}}<br />
<br />
'''S'''ecure '''Sh'''ell or '''SSH''' is a network protocol that allows data to be exchanged over a secure channel between two computers. SSH uses encryption so that the information travelling over the communication medium cannot be read, and no third party can discover the connection's user name and password or anything typed during the session. SSH uses public-key cryptography to authenticate the remote computer and to let it authenticate the user, if necessary.<br />
<br />
Besides connecting to other devices, SSH lets us copy data securely (both individual files and encrypted FTP-like sessions), manage RSA keys so that no password has to be typed when connecting to devices, and pass the data of any other application through a secure channel tunnelled over SSH.<br />
<br />
An SSH server, by default, listens on TCP port 22. An SSH client program is generally used to establish connections to an ''sshd'' daemon that accepts remote connections. Both are commonly present on most modern operating systems, including Mac OS X, Linux, Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.<br />
<br />
(Source: [[Wikipedia:Secure Shell]])<br />
<br />
= OpenSSH =<br />
<br />
OpenSSH (OpenBSD Secure Shell) is a set of computer programs that provide encrypted communication sessions over a computer network using the SSH protocol. It was created as an open source alternative to the proprietary software offered by SSH Communications Security. OpenSSH is developed as part of the OpenBSD project, which is led by Theo de Raadt.<br />
<br />
OpenSSH is sometimes confused with OpenSSL because of the similar name; however, the projects have different goals and are developed by different teams.<br />
<br />
== Installing OpenSSH ==<br />
# pacman -S openssh<br />
<br />
== Configuring SSH ==<br />
===Client===<br />
The SSH client configuration file can be found and edited in {{Filename|/etc/ssh/ssh_config}}.<br />
<br />
An example configuration:<br />
<br />
{{File|name=/etc/ssh/ssh_config|content=<br />
<br />
# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $<br />
<br />
# This is the ssh client system-wide configuration file. See<br />
# ssh_config(5) for more information. This file provides defaults for<br />
# users, and the values can be changed in per-user configuration files<br />
# or on the command line.<br />
<br />
# Configuration data is parsed as follows:<br />
# 1. command line options<br />
# 2. user-specific file<br />
# 3. system-wide file<br />
# Any configuration value is only changed the first time it is set.<br />
# Thus, host-specific definitions should be at the beginning of the<br />
# configuration file, and defaults at the end.<br />
<br />
# Site-wide defaults for some commonly used options. For a comprehensive<br />
# list of available options, their meanings and defaults, please see the<br />
# ssh_config(5) man page.<br />
<br />
Host *<br />
# ForwardAgent no<br />
# ForwardX11 no<br />
# RhostsRSAAuthentication no<br />
# RSAAuthentication yes<br />
# PasswordAuthentication yes<br />
# HostbasedAuthentication no<br />
# GSSAPIAuthentication no<br />
# GSSAPIDelegateCredentials no<br />
# BatchMode no<br />
# CheckHostIP yes<br />
# AddressFamily any<br />
# ConnectTimeout 0<br />
# StrictHostKeyChecking ask<br />
# IdentityFile ~/.ssh/identity<br />
# IdentityFile ~/.ssh/id_rsa<br />
# IdentityFile ~/.ssh/id_dsa<br />
# Port 22<br />
# Protocol 2,1<br />
# Cipher 3des<br />
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc<br />
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160<br />
# EscapeChar ~<br />
# Tunnel no<br />
# TunnelDevice any:any<br />
# PermitLocalCommand no<br />
# VisualHostKey no<br />
HashKnownHosts yes<br />
StrictHostKeyChecking ask}}<br />
<br />
It is recommended to change the Protocol line to this:<br />
Protocol 2<br />
<br />
This means that only protocol version 2 will be used, since protocol version 1 is considered somewhat insecure.<br />
<br />
===Daemon===<br />
The SSH daemon configuration file can be found and edited in {{Filename|/etc/ssh/ssh'''d'''_config}}.<br />
An example configuration:<br />
<br />
{{File|name=/etc/ssh/sshd_config|content=<br />
<br />
# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $<br />
<br />
# This is the sshd server system-wide configuration file. See<br />
# sshd_config(5) for more information.<br />
<br />
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin<br />
<br />
# The strategy used for options in the default sshd_config shipped with<br />
# OpenSSH is to specify options with their default value where<br />
# possible, but leave them commented. Uncommented options change a<br />
# default value.<br />
<br />
#Port 22<br />
#Protocol 2,1<br />
ListenAddress 0.0.0.0<br />
#ListenAddress ::<br />
<br />
# HostKey for protocol version 1<br />
#HostKey /etc/ssh/ssh_host_key<br />
# HostKeys for protocol version 2<br />
#HostKey /etc/ssh/ssh_host_rsa_key<br />
#HostKey /etc/ssh/ssh_host_dsa_key<br />
<br />
# Lifetime and size of ephemeral version 1 server key<br />
#KeyRegenerationInterval 1h<br />
#ServerKeyBits 768<br />
<br />
# Logging<br />
#obsoletes QuietMode and FascistLogging<br />
#SyslogFacility AUTH<br />
#LogLevel INFO<br />
<br />
# Authentication:<br />
<br />
#LoginGraceTime 2m<br />
#PermitRootLogin yes<br />
#StrictModes yes<br />
#MaxAuthTries 6<br />
<br />
#RSAAuthentication yes<br />
#PubkeyAuthentication yes<br />
#AuthorizedKeysFile .ssh/authorized_keys<br />
<br />
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts<br />
#RhostsRSAAuthentication no<br />
# similar for protocol version 2<br />
#HostbasedAuthentication no<br />
# Change to yes if you don't trust ~/.ssh/known_hosts for<br />
# RhostsRSAAuthentication and HostbasedAuthentication<br />
#IgnoreUserKnownHosts no<br />
# Don't read the user's ~/.rhosts and ~/.shosts files<br />
#IgnoreRhosts yes<br />
<br />
# To disable tunneled clear text passwords, change to no here!<br />
#PasswordAuthentication yes<br />
#PermitEmptyPasswords no<br />
<br />
# Change to no to disable s/key passwords<br />
#ChallengeResponseAuthentication yes<br />
<br />
# Kerberos options<br />
#KerberosAuthentication no<br />
#KerberosOrLocalPasswd yes<br />
#KerberosTicketCleanup yes<br />
#KerberosGetAFSToken no<br />
<br />
# GSSAPI options<br />
#GSSAPIAuthentication no<br />
#GSSAPICleanupCredentials yes<br />
<br />
# Set this to 'yes' to enable PAM authentication, account processing,<br />
# and session processing. If this is enabled, PAM authentication will<br />
# be allowed through the ChallengeResponseAuthentication mechanism.<br />
# Depending on your PAM configuration, this may bypass the setting of<br />
# PasswordAuthentication, PermitEmptyPasswords, and<br />
# "PermitRootLogin without-password". If you just want the PAM account and<br />
# session checks to run without PAM authentication, then enable this but set<br />
# ChallengeResponseAuthentication=no<br />
#UsePAM no<br />
<br />
#AllowTcpForwarding yes<br />
#GatewayPorts no<br />
#X11Forwarding no<br />
#X11DisplayOffset 10<br />
#X11UseLocalhost yes<br />
#PrintMotd yes<br />
#PrintLastLog yes<br />
#TCPKeepAlive yes<br />
#UseLogin no<br />
#UsePrivilegeSeparation yes<br />
#PermitUserEnvironment no<br />
#Compression yes<br />
#ClientAliveInterval 0<br />
#ClientAliveCountMax 3<br />
#UseDNS yes<br />
#PidFile /var/run/sshd.pid<br />
#MaxStartups 10<br />
<br />
# no default banner path<br />
#Banner /some/path<br />
<br />
# override default of no subsystems<br />
Subsystem sftp /usr/lib/ssh/sftp-server}}<br />
<br />
<br />
To allow access only for some users, add this line:<br />
AllowUsers user1 user2<br />
<br />
You might want to change some lines so that they look like the following:<br />
<br />
<pre><br />
Protocol 2<br />
.<br />
.<br />
.<br />
LoginGraceTime 120<br />
.<br />
.<br />
.<br />
# put yes here if you want root login (sshd_config does not accept trailing comments)<br />
PermitRootLogin no<br />
</pre><br />
<br />
You can also uncomment the Banner option and edit {{Filename|/etc/issue}} for a nice welcome message.<br />
<br />
{{Tip| You may want to change the default port from 22 to some higher port (see [http://en.wikipedia.org/wiki/Security_through_obscurity security through obscurity]).}} <br />
<br />
Even though the port ssh is running on can be detected with a port scanner such as nmap, changing it will reduce the number of automated authentication attempts. <br />
<br />
===Restricting access===<br />
{{Box Note | You have to adjust this file to connect to your machine remotely, since it is empty by default}}<br />
<br />
To let other people into your machine you need to make a few changes to {{Filename|/etc/hosts.allow}}, adding the following:<br />
<br />
<pre><br />
# let everyone connect<br />
sshd: ALL<br />
<br />
# OR restrict it to a certain IP<br />
sshd: 192.168.0.1<br />
<br />
# OR restrict it to an IP range<br />
sshd: 10.0.0.0/255.255.255.0<br />
<br />
# OR restrict it to an IP match<br />
sshd: 192.168.1.<br />
</pre><br />
<br />
Now you should check your {{Filename|/etc/hosts.deny}} for the following line and make sure it looks like this:<br />
ALL: ALL<br />
<br />
That's it. You can SSH out to other machines and let others SSH into yours :).<br />
<br />
To start using the new configuration, restart the daemon (as root):<br />
# /etc/rc.d/sshd restart<br />
<br />
== Managing the SSHD Daemon ==<br />
Just add sshd to the "DAEMONS" section of your {{Filename|/etc/[[rc.conf]]}}:<br />
DAEMONS=(... ... '''sshd''' ... ...)<br />
<br />
To start/restart/stop the daemon, use the following:<br />
# /etc/rc.d/sshd {start|stop|restart}<br />
<br />
==Connecting to the server==<br />
To connect to a server, run:<br />
$ ssh -p port user@server-address<br />
<br />
= Tips and Tricks =<br />
<br />
== Encrypted tunnels ==<br />
This kind of connection is very useful for laptop users connected to various unsafe wireless networks. The only thing you need is an SSH server running somewhere secure, such as your home or your workplace. It may be useful to use a dynamic DNS service such as DynDNS so that you do not have to remember the IP address you want to connect to.<br />
<br />
=== Step 1: Start the connection ===<br />
All you have to do is run this command in your favourite terminal to start the connection:<br />
$ ssh -ND 4711 user@host<br />
where {{Codeline|"user"}} is your user name on the SSH server running on {{Codeline|"host"}}. It will ask for your password, and then you are connected! The {{Codeline|"N"}} flag disables the interactive prompt, and the {{Codeline|"D"}} flag specifies the local port to listen on (you can choose any port number you like).<br />
<br />
One way to make this easier is to add an alias to your {{Filename|~/.bashrc}} file such as the following:<br />
alias sshtunnel="ssh -ND 4711 -v user@host"<br />
<br />
=== Step 2: Configure your browser (or other programs) ===<br />
<br />
The previous step is useless if you do not configure your web browser (or other programs) to use the tunnel you have just created. Since the current version of SSH supports both SOCKS4 and SOCKS5, you can use either of them.<br />
<br />
* For Firefox: ''Edit &rarr; Preferences &rarr; Advanced &rarr; Network &rarr; Connection &rarr; Settings'':<br />
: Tick ''"Manual proxy configuration"'', enter "localhost" in the ''"SOCKS host"'' field, and then enter your port number in the next text field.<br />
<br />
* For Chromium: the SOCKS settings can be set as environment variables or as command line options. It is recommended to add one of the following to your .bashrc:<br />
function secure_chromium {<br />
port=4711<br />
export SOCKS_SERVER=localhost:$port<br />
export SOCKS_VERSION=5<br />
chromium &<br />
exit<br />
}<br />
OR<br />
function secure_chromium {<br />
port=4711   # must match the port given to -D in step 1<br />
chromium --proxy-server="socks://localhost:$port" &<br />
exit<br />
}<br />
<br />
Now just open a terminal and type:<br />
$ secure_chromium<br />
<br />
Done. Enjoy your secure tunnel!<br />
<br />
== X11 Forwarding ==<br />
<br />
To run graphical programs over an SSH connection you can enable X11 forwarding. This option must be specified in both the server's and the client's configuration file ("client" here means the machine on which your X11 server runs; you will run X applications on the "server").<br />
<br />
Install xorg-xauth on the server:<br />
# pacman -S xorg-xauth<br />
<br />
* Enable the '''AllowTcpForwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Enable the '''X11Forwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Set the '''X11DisplayOffset''' option in {{Filename|sshd_config}} on the '''server''' to 10.<br />
* Enable the '''X11UseLocalhost''' option in {{Filename|sshd_config}} on the '''server'''.<br />
<br />
<br />
* Enable the '''ForwardX11''' option in {{Filename|ssh_config}} on the '''client'''.<br />
<br />
To use the forwarding, log on to the server through ssh:<br />
# ssh -X -p port user@server-address<br />
If you get errors when trying to run graphical applications, try trusted forwarding instead:<br />
# ssh -Y -p port user@server-address<br />
You can now start any X application on the remote server; its output will be sent to your local session:<br />
# xclock<br />
<br />
== Speeding up SSH ==<br />
Changing the ciphers used by SSH to less CPU-demanding ones can improve speed. In this respect the best choices are arcfour and blowfish-cbc, but note that arcfour has a number of known weaknesses, so do not do this unless you know what you are doing. To use them, run SSH with the {{Codeline|"c"}} flag, like this:<br />
# ssh -c arcfour,blowfish-cbc user@server-address<br />
To use them permanently, add this line under the appropriate host in {{Filename|/etc/ssh/ssh_config}}:<br />
Ciphers arcfour,blowfish-cbc<br />
Another option to improve speed is to enable compression with the {{Codeline|"C"}} flag. A permanent solution is to add this line under the correct host in {{Filename|/etc/ssh/ssh_config}}:<br />
Compression yes<br />
Login time can be shortened with the {{Codeline|"4"}} flag, which skips the IPv6 lookup. This can be made permanent by adding this line under the correct host in {{Filename|/etc/ssh/ssh_config}}:<br />
AddressFamily inet<br />
Another way to make the changes permanent is to create an alias in {{Filename|~/.bashrc}}:<br />
alias ssh='ssh -C4c arcfour,blowfish-cbc'<br />
Finally, you can make all sessions to the same server use a single connection, which speeds up subsequent logins, by adding these lines under the appropriate host in {{Filename|/etc/ssh/ssh_config}}:<br />
ControlMaster auto<br />
ControlPath ~/.ssh/socket-%r@%h:%p<br />
<br />
=== Troubleshooting ===<br />
<br />
Make sure the DISPLAY string points at the remote server:<br />
<br />
ssh -X user@server-address<br />
server$ echo $DISPLAY<br />
localhost:10.0<br />
server$ telnet localhost 6010<br />
localhost/6010: lookup failure: Temporary failure in name resolution <br />
<br />
This can be fixed by adding localhost to {{Filename|/etc/hosts}}.<br />
<br />
== Mounting a remote filesystem with SSHFS ==<br />
<br />
Install sshfs:<br />
# pacman -S sshfs<br />
<br />
Load the fuse module:<br />
# modprobe fuse<br />
Add fuse to the ''modules'' array in {{Filename|/etc/rc.conf}} to load it on every boot.<br />
<br />
Mount the remote folder using sshfs:<br />
# mkdir ~/remote_folder<br />
# sshfs USER@remote_server:/tmp ~/remote_folder<br />
<br />
The command above will mount the /tmp folder of the remote server as ~/remote_folder on the local machine. Copying any file into this folder results in a transparent copy over the network using SFTP. The same applies to editing files in place, creating them or deleting them.<br />
<br />
Once you have finished working with the remote filesystem, unmount the remote folder with the following command:<br />
# fusermount -u ~/remote_folder<br />
<br />
If you work with this folder every day, it is advisable to add it to {{Filename|/etc/fstab}}. That way it can be mounted automatically at boot or manually (if the {{Codeline|noauto}} option is chosen) without having to specify the remote location every time. Here is an example entry:<br />
sshfs#USER@remote_server:/tmp /full/path/to/directory fuse defaults,auto,allow_other 0 0<br />
<br />
=== Keep alive ===<br />
<br />
Your ssh session will be disconnected automatically if it stays idle. To keep the connection alive, add this to {{Filename|~/.ssh/config}} or to {{Filename|/etc/ssh/ssh_config}} on the client.<br />
<br />
ServerAliveInterval 5<br />
<br />
This will send a "keep alive" signal to the server every 5 seconds. You can usually increase this interval and use 120.<br />
<br />
= See also =<br />
*[[Using SSH Keys]]<br />
*[[Pam_abl]]<br />
<br />
= Links & References =<br />
*[http://www.soloport.com/iptables.html A Cure for the Common SSH Login Attack]<br />
*[http://www.la-samhna.de/library/brutessh.html Defending against brute force ssh attacks]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=OpenSSH&diff=135473OpenSSH2011-03-31T19:20:57Z<p>Sironitomas: /* Step 2: Configure your Browser (or other programs) */</p>
<hr />
<div>[[Category:Daemons and system services (English)]]<br />
{{i18n|SSH}}<br />
[[pl:SSH]]<br />
[[fr:ssh]]<br />
<br />
Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.<br />
<br />
SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding arbitrary TCP ports and X11 connections; file transfer can be accomplished using the associated SFTP or SCP protocols.<br />
<br />
An SSH server, by default, listens on the standard TCP port 22. An SSH client program is typically used for establishing connections to an ''sshd'' daemon accepting remote connections. Both are commonly present on most modern operating systems, including Mac OS X, GNU/Linux, Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.<br />
<br />
(Source: [[Wikipedia:Secure Shell]])<br />
<br />
= OpenSSH =<br />
<br />
OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the ssh protocol. It was created as an open source alternative to the proprietary Secure Shell software suite offered by SSH Communications Security. OpenSSH is developed as part of the OpenBSD project, which is led by Theo de Raadt.<br />
<br />
OpenSSH is occasionally confused with the similarly-named OpenSSL; however, the projects have different purposes and are developed by different teams, and the similar name comes only from their similar goals.<br />
<br />
== Installing OpenSSH ==<br />
# pacman -S openssh<br />
<br />
== Configuring SSH ==<br />
===Client===<br />
The SSH client configuration file can be found and edited in {{Filename|/etc/ssh/ssh_config}}.<br />
<br />
An example configuration: <br />
<br />
{{File|name=/etc/ssh/ssh_config|content=<br />
<br />
# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $<br />
<br />
# This is the ssh client system-wide configuration file. See<br />
# ssh_config(5) for more information. This file provides defaults for<br />
# users, and the values can be changed in per-user configuration files<br />
# or on the command line.<br />
<br />
# Configuration data is parsed as follows:<br />
# 1. command line options<br />
# 2. user-specific file<br />
# 3. system-wide file<br />
# Any configuration value is only changed the first time it is set.<br />
# Thus, host-specific definitions should be at the beginning of the<br />
# configuration file, and defaults at the end.<br />
<br />
# Site-wide defaults for some commonly used options. For a comprehensive<br />
# list of available options, their meanings and defaults, please see the<br />
# ssh_config(5) man page.<br />
<br />
Host *<br />
# ForwardAgent no<br />
# ForwardX11 no<br />
# RhostsRSAAuthentication no<br />
# RSAAuthentication yes<br />
# PasswordAuthentication yes<br />
# HostbasedAuthentication no<br />
# GSSAPIAuthentication no<br />
# GSSAPIDelegateCredentials no<br />
# BatchMode no<br />
# CheckHostIP yes<br />
# AddressFamily any<br />
# ConnectTimeout 0<br />
# StrictHostKeyChecking ask<br />
# IdentityFile ~/.ssh/identity<br />
# IdentityFile ~/.ssh/id_rsa<br />
# IdentityFile ~/.ssh/id_dsa<br />
# Port 22<br />
# Protocol 2,1<br />
# Cipher 3des<br />
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc<br />
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160<br />
# EscapeChar ~<br />
# Tunnel no<br />
# TunnelDevice any:any<br />
# PermitLocalCommand no<br />
# VisualHostKey no<br />
HashKnownHosts yes<br />
StrictHostKeyChecking ask}}<br />
<br />
It is recommended to change the Protocol line into this:<br />
Protocol 2<br />
<br />
That means that only Protocol 2 will be used, since Protocol 1 is considered somewhat insecure.<br />
<br />
===Daemon===<br />
The SSH daemon configuration file can be found and edited in {{Filename|/etc/ssh/ssh'''d'''_config}}.<br />
<br />
An example configuration: <br />
<br />
{{File|name=/etc/ssh/sshd_config|content=<br />
<br />
# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $<br />
<br />
# This is the sshd server system-wide configuration file. See<br />
# sshd_config(5) for more information.<br />
<br />
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin<br />
<br />
# The strategy used for options in the default sshd_config shipped with<br />
# OpenSSH is to specify options with their default value where<br />
# possible, but leave them commented. Uncommented options change a<br />
# default value.<br />
<br />
#Port 22<br />
#Protocol 2,1<br />
ListenAddress 0.0.0.0<br />
#ListenAddress ::<br />
<br />
# HostKey for protocol version 1<br />
#HostKey /etc/ssh/ssh_host_key<br />
# HostKeys for protocol version 2<br />
#HostKey /etc/ssh/ssh_host_rsa_key<br />
#HostKey /etc/ssh/ssh_host_dsa_key<br />
<br />
# Lifetime and size of ephemeral version 1 server key<br />
#KeyRegenerationInterval 1h<br />
#ServerKeyBits 768<br />
<br />
# Logging<br />
#obsoletes QuietMode and FascistLogging<br />
#SyslogFacility AUTH<br />
#LogLevel INFO<br />
<br />
# Authentication:<br />
<br />
#LoginGraceTime 2m<br />
#PermitRootLogin yes<br />
#StrictModes yes<br />
#MaxAuthTries 6<br />
<br />
#RSAAuthentication yes<br />
#PubkeyAuthentication yes<br />
#AuthorizedKeysFile .ssh/authorized_keys<br />
<br />
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts<br />
#RhostsRSAAuthentication no<br />
# similar for protocol version 2<br />
#HostbasedAuthentication no<br />
# Change to yes if you don't trust ~/.ssh/known_hosts for<br />
# RhostsRSAAuthentication and HostbasedAuthentication<br />
#IgnoreUserKnownHosts no<br />
# Don't read the user's ~/.rhosts and ~/.shosts files<br />
#IgnoreRhosts yes<br />
<br />
# To disable tunneled clear text passwords, change to no here!<br />
#PasswordAuthentication yes<br />
#PermitEmptyPasswords no<br />
<br />
# Change to no to disable s/key passwords<br />
#ChallengeResponseAuthentication yes<br />
<br />
# Kerberos options<br />
#KerberosAuthentication no<br />
#KerberosOrLocalPasswd yes<br />
#KerberosTicketCleanup yes<br />
#KerberosGetAFSToken no<br />
<br />
# GSSAPI options<br />
#GSSAPIAuthentication no<br />
#GSSAPICleanupCredentials yes<br />
<br />
# Set this to 'yes' to enable PAM authentication, account processing,<br />
# and session processing. If this is enabled, PAM authentication will<br />
# be allowed through the ChallengeResponseAuthentication mechanism.<br />
# Depending on your PAM configuration, this may bypass the setting of<br />
# PasswordAuthentication, PermitEmptyPasswords, and<br />
# "PermitRootLogin without-password". If you just want the PAM account and<br />
# session checks to run without PAM authentication, then enable this but set<br />
# ChallengeResponseAuthentication=no<br />
#UsePAM no<br />
<br />
#AllowTcpForwarding yes<br />
#GatewayPorts no<br />
#X11Forwarding no<br />
#X11DisplayOffset 10<br />
#X11UseLocalhost yes<br />
#PrintMotd yes<br />
#PrintLastLog yes<br />
#TCPKeepAlive yes<br />
#UseLogin no<br />
#UsePrivilegeSeparation yes<br />
#PermitUserEnvironment no<br />
#Compression yes<br />
#ClientAliveInterval 0<br />
#ClientAliveCountMax 3<br />
#UseDNS yes<br />
#PidFile /var/run/sshd.pid<br />
#MaxStartups 10<br />
<br />
# no default banner path<br />
#Banner /some/path<br />
<br />
# override default of no subsystems<br />
Subsystem sftp /usr/lib/ssh/sftp-server}}<br />
<br />
<br />
To allow access only for some users add this line:<br />
AllowUsers user1 user2<br />
<br />
You might want to change some lines so that they look like the following:<br />
<pre><br />
Protocol 2<br />
.<br />
.<br />
.<br />
LoginGraceTime 120<br />
.<br />
.<br />
.<br />
# put yes here if you want root login (sshd_config does not accept trailing comments)<br />
PermitRootLogin no<br />
</pre><br />
<br />
You could also uncomment the BANNER option and edit {{Filename|/etc/issue}} for a nice welcome message.<br />
<br />
{{Tip| You may want to change the default port from 22 to any higher port (see [http://en.wikipedia.org/wiki/Security_through_obscurity security through obscurity]).}} <br />
<br />
Even though the port ssh is running on could be detected by using a port-scanner like nmap, changing it will reduce the number of log entries caused by automated authentication attempts.<br />
<br />
{{Tip| Disabling password logins entirely may also increase security, since each user with access to the server will need to create ssh keys. (see [http://wiki.archlinux.org/index.php/Using_SSH_Keys Using SSH Keys]).}}<br />
<br />
{{File|name=/etc/ssh/sshd_config|content=<br />
PasswordAuthentication no<br />
ChallengeResponseAuthentication no}}<br />
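<br />
To confirm that a server's configuration really applies the hardening recommended in this section (protocol 2 only, no root login, no password or challenge-response logins, an AllowUsers list), here is an added shell example; it is not code from the wiki page or from OpenSSH, it assumes a POSIX sh with awk and mktemp, and it covers the same points for the sshd_config section of the Spanish page above. It resolves each keyword the way sshd does (first uncommented occurrence wins, a missing keyword keeps its default) and audits a constructed sample file.<br />

```shell
#!/bin/sh
# Added example (not part of the wiki page or of OpenSSH): report the
# effective value of the sshd_config keywords discussed above and flag those
# that are not set as recommended. sshd honours the first uncommented
# occurrence of a keyword (later ones are ignored) and a keyword that never
# appears keeps its built-in default, so a plain grep for "PermitRootLogin"
# can mislead. The defaults below are the commented values shown in the
# example sshd_config in this section.

# sshd_effective FILE KEYWORD DEFAULT
# Print the first uncommented value of KEYWORD in FILE (keyword matching is
# case-insensitive, as in sshd), or DEFAULT if the keyword is never set.
# Parsing stops at the first "Match" block, whose values apply conditionally.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*(#|$)/ { next }      # blank line or comment
        tolower($1) == "match" { exit }    # conditional section: stop here
        tolower($1) == tolower(key) {
            v = $2                         # keep multi-word values intact
            for (i = 3; i <= NF; i++) v = v " " $i
            print v; found = 1; exit
        }
        END { if (!found) print def }
    ' "$1"
}

# sshd_check FILE KEYWORD DEFAULT EXPECTED
# Print one report line; return 1 when the effective value is not EXPECTED.
sshd_check() {
    actual=$(sshd_effective "$1" "$2" "$3")
    if [ "$actual" = "$4" ]; then
        printf 'ok    %-32s %s\n' "$2" "$actual"
        return 0
    fi
    printf 'WARN  %-32s %s (recommended: %s)\n' "$2" "$actual" "$4"
    return 1
}

# sshd_audit FILE
# Run the checks suggested in this section; return 1 if any of them fails.
sshd_audit() {
    rc=0
    sshd_check "$1" Protocol "2,1" 2 || rc=1
    sshd_check "$1" PermitRootLogin yes no || rc=1
    sshd_check "$1" PasswordAuthentication yes no || rc=1
    sshd_check "$1" ChallengeResponseAuthentication yes no || rc=1
    sshd_check "$1" PermitEmptyPasswords no no || rc=1
    # AllowUsers has no default: while it is unset, every account may log in.
    if [ -z "$(sshd_effective "$1" AllowUsers "")" ]; then
        printf 'WARN  %-32s %s\n' AllowUsers "(unset: any user may log in)"
        rc=1
    fi
    return $rc
}

# Demonstration on a constructed sample (a temporary file, not the real
# /etc/ssh/sshd_config): the distribution defaults plus the two changes
# recommended above, with password authentication still at its default.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
#Protocol 2,1
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
#PasswordAuthentication yes
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
sshd_audit "$sample" || echo "hardening gaps found in $sample"
rm -f "$sample"
```

Run it against the real file with <code>sshd_audit /etc/ssh/sshd_config</code>.<br />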
<br />
===Allowing others in===<br />
{{Box Note | You have to adjust this file to remotely connect to your machine since the file is empty by default}}<br />
<br />
To let other people ssh to your machine you need to adjust {{Filename|/etc/hosts.allow}}, adding the following:<br />
<br />
<pre><br />
# let everyone connect to you<br />
sshd: ALL<br />
<br />
# OR you can restrict it to a certain ip<br />
sshd: 192.168.0.1<br />
<br />
# OR restrict for an IP range<br />
sshd: 10.0.0.0/255.255.255.0<br />
<br />
# OR restrict for an IP match<br />
sshd: 192.168.1.<br />
</pre><br />
<br />
Now you should check your {{Filename|/etc/hosts.deny}} for the following line and make sure it looks like this:<br />
ALL: ALL<br />
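<br />
The four pattern forms shown above (ALL, a single IP, net/mask and a trailing-dot prefix) match differently, and hosts.allow is consulted before hosts.deny; to see which clients a given pair of files admits to sshd, here is an added shell example (not part of the wiki page or of tcp_wrappers, assuming a POSIX sh with tr and mktemp) that implements just those four forms and evaluates them against constructed sample files. It serves the identical hosts.allow section of the Spanish page above as well.<br />

```shell
#!/bin/sh
# Added example (not part of the wiki page or of tcp_wrappers): decide whether
# a client address would be admitted to sshd by hosts.allow and hosts.deny
# rules of the forms shown above: ALL, a single IP, net/mask, and a trailing
# dot prefix such as "192.168.1.". hosts.allow is consulted first, then
# hosts.deny; a client matched by neither file is admitted. Other tcp_wrappers
# pattern forms (host names, EXCEPT, CIDR, KNOWN/UNKNOWN) are not implemented.

# ip2int DOTTED_QUAD: print the IPv4 address as a 32-bit integer.
ip2int() {
    printf '%s\n' "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# hosts_pattern_match CLIENT PATTERN: 0 if one client_list entry matches.
hosts_pattern_match() {
    case $2 in
        ALL) return 0 ;;
        */*)                    # net/mask matches when (client & mask) == net
            net=$(ip2int "${2%/*}"); mask=$(ip2int "${2#*/}")
            addr=$(ip2int "$1")
            [ $(( addr & mask )) -eq "$net" ] ;;
        *.)                     # trailing dot: compare the leading octets
            case $1 in "$2"*) return 0 ;; *) return 1 ;; esac ;;
        *)  [ "$1" = "$2" ] ;;  # otherwise an exact address
    esac
}

# hosts_file_match FILE CLIENT: 0 if some "sshd" (or "ALL") line in FILE
# carries a pattern matching CLIENT. Lines have the form
# "daemon_list : client_list"; "#" starts a comment.
hosts_file_match() {
    [ -r "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case $line in *:*) ;; *) continue ;; esac
        daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clients=$(printf '%s' "${line#*:}" | tr ',' ' ')
        for d in $daemons; do
            case $d in
                sshd|ALL)
                    for c in $clients; do
                        hosts_pattern_match "$2" "$c" && return 0
                    done ;;
            esac
        done
    done < "$1"
    return 1
}

# sshd_allowed CLIENT ALLOW_FILE DENY_FILE: 0 if CLIENT may reach sshd.
sshd_allowed() {
    if hosts_file_match "$2" "$1"; then return 0; fi    # hosts.allow wins
    if hosts_file_match "$3" "$1"; then return 1; fi    # then hosts.deny
    return 0                                             # matched by neither
}

# Demonstration on constructed temporary files (not the real /etc/hosts.*):
# the restrictive rules from above plus the "ALL: ALL" deny line.
allow=$(mktemp); deny=$(mktemp)
cat > "$allow" <<'EOF'
# restrict sshd to one host, one /24 and one prefix
sshd: 192.168.0.1
sshd: 10.0.0.0/255.255.255.0
sshd: 192.168.1.
EOF
printf 'ALL: ALL\n' > "$deny"
for ip in 192.168.0.1 10.0.0.77 192.168.1.200 10.0.1.5 203.0.113.9; do
    if sshd_allowed "$ip" "$allow" "$deny"; then
        echo "$ip: allowed"
    else
        echo "$ip: denied"      # 10.0.1.5 and 203.0.113.9 end up here
    fi
done
rm -f "$allow" "$deny"
```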
<br />
That's it. You can SSH out and others should be able to SSH in :).<br />
<br />
To start using the new configuration, restart the daemon (as root):<br />
# /etc/rc.d/sshd restart<br />
<br />
== Managing SSHD Daemon ==<br />
Just add sshd to the "DAEMONS" section of your {{Filename|/etc/[[rc.conf]]}}:<br />
DAEMONS=(... ... '''sshd''' ... ...)<br />
<br />
To start/restart/stop the daemon, use the following:<br />
# /etc/rc.d/sshd {start|stop|restart}<br />
<br />
==Connecting to the server==<br />
To connect to a server, run:<br />
$ ssh -p port user@server-address<br />
<br />
= Tips and Tricks =<br />
<br />
== Encrypted Socks Tunnel ==<br />
This is highly useful for laptop users connected to various unsafe wireless connections. The only thing you need is an SSH server running at a somewhat secure location, like your home or at work. It might be useful to use a dynamic DNS service like [http://www.dyndns.org/ DynDNS] so you don't have to remember your IP-address.<br />
<br />
=== Step 1: Start the Connection ===<br />
You only have to execute this single command in your favorite terminal to start the connection:<br />
$ ssh -ND 4711 user@host<br />
where {{Codeline|"user"}} is your username at the SSH server running at the {{Codeline|"host"}}. It will ask for your password, and then you're connected! The {{Codeline|"N"}} flag disables the interactive prompt, and the {{Codeline|"D"}} flag specifies the local port to listen on (you can choose any port number you want).<br />
<br />
One way to make this easier is to put an alias line in your {{Filename|~/.bashrc}} file as following:<br />
alias sshtunnel="ssh -ND 4711 -v user@host"<br />
It's nice to add the verbose {{Codeline|"-v"}} flag, because then you can verify that it's actually connected from that output. Now you just have to execute the {{Codeline|"sshtunnel"}} command :)<br />
<br />
=== Step 2: Configure your Browser (or other programs) ===<br />
<br />
The above step is completely useless if you don't configure your web browser (or other programs) to use this newly created socks tunnel. Since the current version of SSH supports both SOCKS4 and SOCKS5, you can use either of them.<br />
<br />
* For Firefox: ''Edit &rarr; Preferences &rarr; Advanced &rarr; Network &rarr; Connection &rarr; Setting'':<br />
: Check the ''"Manual proxy configuration"'' radio button, and enter "localhost" in the ''"SOCKS host"'' text field, and then enter your port number in the next text field (I used 4711 above).<br />
<br />
* For Chromium: You can set the SOCKS settings as environment variables or as command line options. I recommend adding one of the following to your .bashrc:<br />
function secure_chromium {<br />
port=4711<br />
export SOCKS_SERVER=localhost:$port<br />
export SOCKS_VERSION=5<br />
chromium &<br />
exit<br />
}<br />
OR<br />
function secure_chromium() {<br />
port=4711   # must match the port given to -D in step 1<br />
chromium --proxy-server="socks://localhost:$port" &<br />
exit<br />
}<br />
<br />
Now open a terminal and just do:<br />
$ secure_chromium<br />
<br />
Enjoy your secure tunnel!<br />
<br />
== X11 Forwarding ==<br />
<br />
To run graphical programs through an SSH connection you can enable X11 forwarding. An option needs to be set in the configuration files on both the server and the client (here "client" means the (desktop) machine your X11 server runs on, and you will run X applications on the "server").<br />
<br />
Install xorg-xauth on the server:<br />
# pacman -S xorg-xauth<br />
<br />
* Enable the '''AllowTcpForwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Enable the '''X11Forwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Set the '''X11DisplayOffset''' option in {{Filename|sshd_config}} on the '''server''' to 10.<br />
* Enable the '''X11UseLocalhost''' option in {{Filename|sshd_config}} on the '''server'''.<br />
<br />
<br />
* Enable the '''ForwardX11''' option in {{Filename|ssh_config}} on the '''client'''.<br />
<br />
To use the forwarding, log on to your server through ssh:<br />
# ssh -X -p port user@server-address<br />
If you receive errors trying to run graphical applications try trusted forwarding instead:<br />
# ssh -Y -p port user@server-address<br />
You can now start any X program on the remote server, the output will be forwarded to your local session:<br />
# xclock<br />
<br />
If you get "Cannot open display" errors, try the following command as the non-root user:<br />
$ xhost +<br />
<br />
The above command will allow anybody to forward X11 applications. To restrict forwarding to a particular host, type:<br />
$ xhost +hostname<br />
<br />
where hostname is the name of the particular host you want to forward to. See "man xhost" for more details.<br />
<br />
Be careful with some applications, as they check for a running instance on the local machine; Firefox is one example. Either close the running Firefox or use the following start parameter to start a remote instance alongside the local one:<br />
$ firefox -no-remote<br />
<br />
== Speed up SSH ==<br />
You can make all sessions to the same host use a single connection, which will greatly speed up subsequent logins, by adding these lines under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
ControlMaster auto<br />
ControlPath ~/.ssh/socket-%r@%h:%p<br />
<br />
Changing the ciphers used by SSH to less CPU-demanding ones can improve speed. In this respect, the best choices are arcfour and blowfish-cbc. '''Please do not do this unless you know what you are doing; arcfour has a number of known weaknesses'''. To use them, run SSH with the {{Codeline|"c"}} flag, like this:<br />
# ssh -c arcfour,blowfish-cbc user@server-address<br />
To use them permanently, add this line under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
Ciphers arcfour,blowfish-cbc<br />
Another option to improve speed is to enable compression with the {{Codeline|"C"}} flag. A permanent solution is to add this line under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
Compression yes<br />
Login time can be shortened by using the {{Codeline|"4"}} flag, which bypasses the IPv6 lookup. This can be made permanent by adding this line under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
AddressFamily inet<br />
Another way of making these changes permanent is to create an alias in {{Filename|~/.bashrc}}:<br />
alias ssh='ssh -C4c arcfour,blowfish-cbc'<br />
<br />
=== Troubleshooting ===<br />
<br />
Make sure your DISPLAY string is resolvable on the remote end:<br />
<br />
ssh -X user@server-address<br />
server$ echo $DISPLAY<br />
localhost:10.0<br />
server$ telnet localhost 6010<br />
localhost/6010: lookup failure: Temporary failure in name resolution <br />
<br />
This can be fixed by adding localhost to {{Filename|/etc/hosts}}.<br />
<br />
== Mounting a Remote Filesystem with SSHFS ==<br />
<br />
Install sshfs<br />
# pacman -S sshfs<br />
<br />
Load the Fuse module<br />
# modprobe fuse<br />
Add fuse to the ''modules'' array in {{Filename|/etc/rc.conf}} to load it on each system boot.<br />
<br />
Mount the remote folder using sshfs<br />
# mkdir ~/remote_folder<br />
# sshfs USER@remote_server:/tmp ~/remote_folder<br />
<br />
The command above mounts the /tmp folder on the remote server as ~/remote_folder on the local machine. Copying any file to this folder results in a transparent copy over the network using SFTP. The same applies to editing, creating or removing files directly.<br />
<br />
When we’re done working with the remote filesystem, we can unmount the remote folder by issuing:<br />
# fusermount -u ~/remote_folder<br />
<br />
If we work on this folder on a daily basis, it is wise to add it to the {{Filename|/etc/fstab}} table. This way it can be automatically mounted at system boot or mounted manually (if the {{Codeline|noauto}} option is chosen) without the need to specify the remote location each time. Here is a sample entry in the table:<br />
sshfs#USER@remote_server:/tmp /full/path/to/directory fuse defaults,auto,allow_other 0 0<br />
<br />
== Keep Alive ==<br />
<br />
Your ssh session will automatically log out if it is idle. To keep the connection active (alive) add this to {{Filename|~/.ssh/config}} or to {{Filename|/etc/ssh/ssh_config}} on the client.<br />
<br />
ServerAliveInterval 120<br />
<br />
This will send a "keep alive" signal to the server every 120 seconds.<br />
<br />
Conversely, to keep incoming connections alive, you can set<br />
<br />
ClientAliveInterval 120<br />
<br />
(or some other number greater than 0) in {{Filename|/etc/ssh/sshd_config}} on the server.<br />
<br />
== Save connection data in .ssh/config ==<br />
<br />
Whenever you want to connect to a server, you usually have to type at least its address and your username. To save that typing work for servers you regularly connect to, you can use the {{Filename|$HOME/.ssh/config}} file as shown in the following example:<br />
<br />
{{File|name=$HOME/.ssh/config|content=<br />
<br />
Host myserver<br />
HostName 123.123.123.123<br />
Port 12345<br />
User bob<br />
Host other_server<br />
HostName test.something.org<br />
User alice<br />
CheckHostIP no<br />
Cipher blowfish<br />
}}<br />
<br />
Now you can simply connect to the server by using the name you specified:<br />
<br />
$ ssh myserver<br />
<br />
To see a complete list of the possible options, check out ssh_config's manpage on your system or the [http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config ssh_config documentation] on the official website.<br />
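The per-host settings in this section and in "Speed up SSH" above only behave as expected if you remember the rule stated in the header of {{Filename|/etc/ssh/ssh_config}} itself: the first value set for an option wins, so specific {{Codeline|Host}} blocks must come before the {{Codeline|Host *}} defaults. The script below is an added example, not code from the ArchWiki page or from OpenSSH; it resolves the effective options for a host name from a constructed sample config (the host names and values are made up for the example) and flags a {{Codeline|Ciphers}} line that uses the arcfour/blowfish speed-up, so the trade-off is visible before you connect. It assumes "Key value" lines (not "Key=value") and Host patterns made of exact names or the * and ? wildcards.<br />

```sh
#!/bin/sh
# Added example, not from the ArchWiki page: resolve which ssh_config options
# apply to a host name. OpenSSH keeps the FIRST value it reads for each
# option, which is why host-specific "Host" blocks go before "Host *" defaults.
# Assumptions: "Key value" syntax only; Host patterns are names with * and ?
# wildcards. The config below is constructed for this example.

SAMPLE_SSH_CONFIG='
Host myserver
    HostName 123.123.123.123
    Port 12345
    User bob
Host other_server
    HostName test.something.org
    User alice
    Ciphers arcfour,blowfish-cbc
Host *
    User defaultuser
    Port 22
    ServerAliveInterval 120
    Ciphers aes128-ctr,aes256-ctr
'

# effective_option HOSTNAME KEY -> prints the value of KEY in effect for
# HOSTNAME (nothing if it is never set).
effective_option() {
    printf '%s\n' "$SAMPLE_SSH_CONFIG" | awk -v name="$1" -v key="$2" '
        # Turn an ssh_config glob such as *.example.org into an anchored regex.
        function host_matches(pat, host,    re) {
            re = pat
            gsub(/\./, "\\\\.", re)
            gsub(/\*/, ".*", re)
            gsub(/\?/, ".", re)
            return host ~ ("^" re "$")
        }
        BEGIN { active = 1 }                      # options before any Host line are global
        /^[ \t]*#/ || /^[ \t]*$/ { next }         # skip comments and blank lines
        {
            k = tolower($1)
            if (k == "host") {                    # a Host line opens a new block that
                active = 0                        # applies when any of its patterns match
                for (i = 2; i <= NF; i++)
                    if (host_matches($i, name)) active = 1
                next
            }
            if (active && k == tolower(key)) {
                sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the key, keep the value
                print
                exit                              # first value wins, stop here
            }
        }'
}

# cipher_verdict HOSTNAME -> "weak" when the effective Ciphers list contains
# arcfour or blowfish (the speed-up from the page), "ok" otherwise.
cipher_verdict() {
    case "$(effective_option "$1" Ciphers)" in
        *arcfour*|*blowfish*) echo weak ;;
        *) echo ok ;;
    esac
}

# Stand-alone demo: show what each host actually gets.
for h in myserver other_server unknownhost; do
    printf '%-13s user=%-12s port=%-6s keepalive=%-4s ciphers=%s\n' "$h" \
        "$(effective_option "$h" User)" "$(effective_option "$h" Port)" \
        "$(effective_option "$h" ServerAliveInterval)" "$(cipher_verdict "$h")"
done
```

Running it shows that {{Codeline|myserver}} gets its own port and user but inherits {{Codeline|ServerAliveInterval}} from {{Codeline|Host *}}, and that an unknown host falls through to the defaults; move the {{Codeline|Host *}} block to the top and every host would get {{Codeline|defaultuser}} and port 22 instead.<br />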
<br />
= Troubleshooting =<br />
<br />
== Connection Refused Problem ==<br />
<br />
=== Is SSH running and listening? ===<br />
<br />
netstat -tnlp | grep ssh<br />
<br />
If the above command doesn't display anything, then SSH is NOT running. Check <code>/var/log/messages</code> for errors etc.<br />
<br />
=== Are there firewall rules blocking the connection? ===<br />
<br />
Flush your iptables rules to make sure they are not interfering:<br />
<br />
/etc/rc.d/iptables stop<br />
<br />
or:<br />
<br />
iptables -P INPUT ACCEPT<br />
iptables -P OUTPUT ACCEPT<br />
iptables -F INPUT<br />
iptables -F OUTPUT<br />
<br />
=== Have you allowed SSH in hosts.allow? ===<br />
<br />
Double check you have done [[#Allowing_others_in|this section]] correctly.<br />
<br />
=== Is the traffic even getting to your computer? ===<br />
<br />
Start a traffic dump on the computer you're having problems with:<br />
<br />
tcpdump -lnn -i any port ssh and tcp-syn<br />
<br />
This should print some basic information, then wait for matching traffic before displaying it. Try your connection now. If you don't see any output when you attempt to connect, then something outside your computer is blocking the traffic (e.g. a hardware firewall, NAT router, etc.).<br />
<br />
= See Also =<br />
*[[Using SSH Keys]]<br />
*[[Pam_abl]]<br />
<br />
= Links & References =<br />
*[http://www.soloport.com/iptables.html A Cure for the Common SSH Login Attack]<br />
*[http://webssh.cz.cc Using your browser as SSH client]<br />
*[http://www.la-samhna.de/library/brutessh.html Defending against brute force ssh attacks]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=OpenSSH_(Espa%C3%B1ol)&diff=135471OpenSSH (Español)2011-03-31T19:17:01Z<p>Sironitomas: /* Paso 2: Configurar tu navegador (u otros programas) */</p>
<hr />
<div>[[Category:Español]]<br />
{{i18n|SSH}}<br />
<br />
'''S'''ecure '''Sh'''ell or '''SSH''' is a network protocol that allows data to be exchanged over a secure channel between two computers. SSH uses encryption so that the information travelling over the communication medium is unreadable, and no third party can discover the user name and password of the connection or what is typed during the session. SSH uses public-key cryptography to authenticate the remote machine and, if necessary, to let it authenticate the user.<br />
<br />
Besides connecting to other devices, SSH lets us copy data securely (both individual files and simulated encrypted FTP sessions), manage RSA keys so that no passwords need to be typed when connecting to devices, and pass the data of any other application through a secure channel tunnelled by SSH.<br />
<br />
An SSH server listens on TCP port 22 by default. An SSH client program is generally used to establish connections to an ''sshd'' daemon that accepts remote connections. Both are commonly found in most modern operating systems, including Mac OS X, Linux, Solaris and OpenVMS. Proprietary, freeware and open-source versions exist at various levels of complexity and completeness.<br />
<br />
(Source: [[Wikipedia:Secure Shell]])<br />
<br />
= OpenSSH =<br />
<br />
OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing an encrypted communication session over a computer network using the SSH protocol. It was created as an open-source alternative to the proprietary software offered by SSH Communications Security. OpenSSH is developed as part of the OpenBSD project, which is led by Theo de Raadt.<br />
<br />
OpenSSH is sometimes confused with OpenSSL because of the similar name; however, the projects have different goals and are developed by different teams.<br />
<br />
== Installing OpenSSH ==<br />
# pacman -S openssh<br />
<br />
== Configuring SSH ==<br />
===Client===<br />
The SSH client configuration file can be found and edited at {{Filename|/etc/ssh/ssh_config}}.<br />
<br />
A sample configuration:<br />
<br />
{{File|name=/etc/ssh/ssh_config|content=<br />
<br />
# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $<br />
<br />
# This is the ssh client system-wide configuration file. See<br />
# ssh_config(5) for more information. This file provides defaults for<br />
# users, and the values can be changed in per-user configuration files<br />
# or on the command line.<br />
<br />
# Configuration data is parsed as follows:<br />
# 1. command line options<br />
# 2. user-specific file<br />
# 3. system-wide file<br />
# Any configuration value is only changed the first time it is set.<br />
# Thus, host-specific definitions should be at the beginning of the<br />
# configuration file, and defaults at the end.<br />
<br />
# Site-wide defaults for some commonly used options. For a comprehensive<br />
# list of available options, their meanings and defaults, please see the<br />
# ssh_config(5) man page.<br />
<br />
Host *<br />
# ForwardAgent no<br />
# ForwardX11 no<br />
# RhostsRSAAuthentication no<br />
# RSAAuthentication yes<br />
# PasswordAuthentication yes<br />
# HostbasedAuthentication no<br />
# GSSAPIAuthentication no<br />
# GSSAPIDelegateCredentials no<br />
# BatchMode no<br />
# CheckHostIP yes<br />
# AddressFamily any<br />
# ConnectTimeout 0<br />
# StrictHostKeyChecking ask<br />
# IdentityFile ~/.ssh/identity<br />
# IdentityFile ~/.ssh/id_rsa<br />
# IdentityFile ~/.ssh/id_dsa<br />
# Port 22<br />
# Protocol 2,1<br />
# Cipher 3des<br />
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc<br />
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160<br />
# EscapeChar ~<br />
# Tunnel no<br />
# TunnelDevice any:any<br />
# PermitLocalCommand no<br />
# VisualHostKey no<br />
HashKnownHosts yes<br />
StrictHostKeyChecking ask}}<br />
<br />
It is recommended to change the Protocol line to this:<br />
Protocol 2<br />
<br />
This means that only protocol 2 will be used, since protocol 1 is considered rather insecure.<br />
<br />
===Daemon===<br />
The SSH daemon configuration file can be found and edited at {{Filename|/etc/ssh/ssh'''d'''_config}}.<br />
A sample configuration:<br />
<br />
{{File|name=/etc/ssh/sshd_config|content=<br />
<br />
# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $<br />
<br />
# This is the sshd server system-wide configuration file. See<br />
# sshd_config(5) for more information.<br />
<br />
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin<br />
<br />
# The strategy used for options in the default sshd_config shipped with<br />
# OpenSSH is to specify options with their default value where<br />
# possible, but leave them commented. Uncommented options change a<br />
# default value.<br />
<br />
#Port 22<br />
#Protocol 2,1<br />
ListenAddress 0.0.0.0<br />
#ListenAddress ::<br />
<br />
# HostKey for protocol version 1<br />
#HostKey /etc/ssh/ssh_host_key<br />
# HostKeys for protocol version 2<br />
#HostKey /etc/ssh/ssh_host_rsa_key<br />
#HostKey /etc/ssh/ssh_host_dsa_key<br />
<br />
# Lifetime and size of ephemeral version 1 server key<br />
#KeyRegenerationInterval 1h<br />
#ServerKeyBits 768<br />
<br />
# Logging<br />
#obsoletes QuietMode and FascistLogging<br />
#SyslogFacility AUTH<br />
#LogLevel INFO<br />
<br />
# Authentication:<br />
<br />
#LoginGraceTime 2m<br />
#PermitRootLogin yes<br />
#StrictModes yes<br />
#MaxAuthTries 6<br />
<br />
#RSAAuthentication yes<br />
#PubkeyAuthentication yes<br />
#AuthorizedKeysFile .ssh/authorized_keys<br />
<br />
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts<br />
#RhostsRSAAuthentication no<br />
# similar for protocol version 2<br />
#HostbasedAuthentication no<br />
# Change to yes if you don't trust ~/.ssh/known_hosts for<br />
# RhostsRSAAuthentication and HostbasedAuthentication<br />
#IgnoreUserKnownHosts no<br />
# Don't read the user's ~/.rhosts and ~/.shosts files<br />
#IgnoreRhosts yes<br />
<br />
# To disable tunneled clear text passwords, change to no here!<br />
#PasswordAuthentication yes<br />
#PermitEmptyPasswords no<br />
<br />
# Change to no to disable s/key passwords<br />
#ChallengeResponseAuthentication yes<br />
<br />
# Kerberos options<br />
#KerberosAuthentication no<br />
#KerberosOrLocalPasswd yes<br />
#KerberosTicketCleanup yes<br />
#KerberosGetAFSToken no<br />
<br />
# GSSAPI options<br />
#GSSAPIAuthentication no<br />
#GSSAPICleanupCredentials yes<br />
<br />
# Set this to 'yes' to enable PAM authentication, account processing,<br />
# and session processing. If this is enabled, PAM authentication will<br />
# be allowed through the ChallengeResponseAuthentication mechanism.<br />
# Depending on your PAM configuration, this may bypass the setting of<br />
# PasswordAuthentication, PermitEmptyPasswords, and<br />
# "PermitRootLogin without-password". If you just want the PAM account and<br />
# session checks to run without PAM authentication, then enable this but set<br />
# ChallengeResponseAuthentication=no<br />
#UsePAM no<br />
<br />
#AllowTcpForwarding yes<br />
#GatewayPorts no<br />
#X11Forwarding no<br />
#X11DisplayOffset 10<br />
#X11UseLocalhost yes<br />
#PrintMotd yes<br />
#PrintLastLog yes<br />
#TCPKeepAlive yes<br />
#UseLogin no<br />
#UsePrivilegeSeparation yes<br />
#PermitUserEnvironment no<br />
#Compression yes<br />
#ClientAliveInterval 0<br />
#ClientAliveCountMax 3<br />
#UseDNS yes<br />
#PidFile /var/run/sshd.pid<br />
#MaxStartups 10<br />
<br />
# no default banner path<br />
#Banner /some/path<br />
<br />
# override default of no subsystems<br />
Subsystem sftp /usr/lib/ssh/sftp-server}}<br />
<br />
<br />
To allow access only to certain users, add this line:<br />
AllowUsers user1 user2<br />
<br />
You may want to change some lines so that they look like the following:<br />
<br />
<pre><br />
Protocol 2<br />
.<br />
.<br />
.<br />
LoginGraceTime 120<br />
.<br />
.<br />
.<br />
PermitRootLogin no # (put yes here if you want root login)<br />
</pre><br />
<br />
You can also uncomment the Banner option and edit {{Filename|/etc/issue}} for a nice welcome message.<br />
<br />
{{Tip| You may want to change the default port 22 to some higher port (see [http://en.wikipedia.org/wiki/Security_through_obscurity security through obscurity]).}} <br />
<br />
Although the port ssh is running on can be detected with a port scanner such as nmap, changing it will reduce the number of authentication attempts caused by automated login attempts. <br />
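The daemon settings this section asks you to change (Protocol 2 only, PermitRootLogin no, an AllowUsers list, and, as the shipped file's own comment suggests, PasswordAuthentication no) are easy to check mechanically. The script below is an added example, not code from the ArchWiki page or from OpenSSH: it audits a constructed sample {{Filename|sshd_config}} for those options and emits a hardened copy. It assumes what the shipped file documents, namely that sshd uses the first uncommented value of an option, and it treats a commented "#Key value" line as stating the default, so a commented line that happens to start with an option name will be read that way too.<br />

```sh
#!/bin/sh
# Added example, not from the ArchWiki page: audit an sshd_config for the
# settings the section above tells you to change and emit a hardened copy.
# Assumptions: the first uncommented value of an option wins; a commented
# "#Key value" line documents the default, in the style of the shipped file.
# The sample config below is constructed for this example.

WEAK_SSHD_CONFIG='
#Port 22
#Protocol 2,1
ListenAddress 0.0.0.0
#LoginGraceTime 2m
#PermitRootLogin yes
#MaxAuthTries 6
#PasswordAuthentication yes
#PermitEmptyPasswords no
Subsystem sftp /usr/lib/ssh/sftp-server
'

# effective_sshd_option CONFIG KEY -> the first uncommented value of KEY,
# otherwise the commented default, otherwise nothing.
effective_sshd_option() {
    printf '%s\n' "$1" | awk -v key="$2" '
        {
            line = $0; commented = 0
            if (line ~ /^[ \t]*#/) { commented = 1; sub(/^[ \t]*#[ \t]*/, "", line) }
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t]+/)
            if (n < 2 || tolower(f[1]) != tolower(key)) next
            if (!commented) { if (real == "") real = f[2] }   # first real setting wins
            else if (dflt == "") dflt = f[2]                  # first documented default
        }
        END { print (real != "" ? real : dflt) }'
}

# audit_sshd_config CONFIG -> one finding per line, nothing when clean.
audit_sshd_config() {
    cfg=$1
    case "$(effective_sshd_option "$cfg" Protocol)" in
        *1*) echo "Protocol: version 1 is enabled; set 'Protocol 2'" ;;
    esac
    if [ "$(effective_sshd_option "$cfg" PermitRootLogin)" = yes ]; then
        echo "PermitRootLogin: root may log in directly; set 'PermitRootLogin no'"
    fi
    if [ "$(effective_sshd_option "$cfg" PasswordAuthentication)" = yes ]; then
        echo "PasswordAuthentication: tunneled clear text passwords allowed; use keys and set it to no"
    fi
    if [ "$(effective_sshd_option "$cfg" PermitEmptyPasswords)" = yes ]; then
        echo "PermitEmptyPasswords: empty passwords accepted; set it to no"
    fi
    if [ -z "$(effective_sshd_option "$cfg" AllowUsers)" ]; then
        echo "AllowUsers: not set, so every account may log in; add 'AllowUsers user1 user2'"
    fi
}

# finding_count CONFIG -> number of findings, as a plain integer.
finding_count() {
    audit_sshd_config "$1" | awk 'END { print NR }'
}

# hardened_sshd_config CONFIG "USER1 USER2" -> CONFIG with the audited options
# removed (commented or not) and explicit hardened values appended at the end.
hardened_sshd_config() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            n = split("protocol permitrootlogin passwordauthentication permitemptypasswords allowusers", k, " ")
            for (i = 1; i <= n; i++) drop[k[i]] = 1
        }
        {
            line = $0; sub(/^[ \t]*#?[ \t]*/, "", line); split(line, f, /[ \t]+/)
            if (tolower(f[1]) in drop) next
            print
        }'
    printf '%s\n' 'Protocol 2' 'PermitRootLogin no' 'PasswordAuthentication no' \
        'PermitEmptyPasswords no' "AllowUsers $2"
}

# Stand-alone demo: findings for the weak file, then the hardened version.
audit_sshd_config "$WEAK_SSHD_CONFIG"
echo "--- hardened ---"
hardened_sshd_config "$WEAK_SSHD_CONFIG" "user1 user2"
```

Because the hardened lines are appended after everything else, they only take effect if no earlier uncommented line sets the same option; that is why the script removes the existing lines for those keys rather than just adding new ones.<br />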
<br />
===Restricting access===<br />
{{Box Note | You have to adjust this file in order to connect to the machine remotely, since it is empty by default}}<br />
<br />
To allow other people to log in to your machine you need to make some changes to {{Filename|/etc/hosts.allow}}, adding the following:<br />
<br />
<pre><br />
# let everyone connect<br />
sshd: ALL<br />
<br />
# Or restrict it to a certain IP<br />
sshd: 192.168.0.1<br />
<br />
# Or restrict it to a range of IPs<br />
sshd: 10.0.0.0/255.255.255.0<br />
<br />
# Or restrict it to an IP prefix match<br />
sshd: 192.168.1.<br />
</pre><br />
<br />
Now you should check your {{Filename|/etc/hosts.deny}} for the following line and make sure it looks like this:<br />
ALL: ALL<br />
<br />
That's it. You can now SSH into other machines as well as allow others to connect to yours :).<br />
<br />
To start using the new configuration, restart the daemon (as root):<br />
# /etc/rc.d/sshd restart<br />
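To see why the section above insists on checking {{Filename|/etc/hosts.deny}} as well, it helps to replay the TCP wrappers decision: a match in {{Filename|hosts.allow}} grants access, otherwise a match in {{Filename|hosts.deny}} refuses it, otherwise access is granted. The script below is an added example, not code from the ArchWiki page or from the tcp_wrappers library: it implements that order for the four pattern forms shown above (ALL, an exact address, net/mask, and a trailing-dot prefix) against constructed sample rule files, with IPv4 addresses only. The addresses and daemon names are made up for the example.<br />

```sh
#!/bin/sh
# Added example, not from the ArchWiki page: replay the tcp_wrappers access
# decision for an IPv4 client against hosts.allow / hosts.deny style rules.
# Assumptions: IPv4 only; patterns are ALL, an exact address, net/mask, or a
# trailing-dot prefix; rules are "daemon_list : client_list". The rule sets
# below are constructed for this example and mirror the section above.

HOSTS_ALLOW='
# constructed sample hosts.allow
sshd: 192.168.0.1
sshd: 10.0.0.0/255.255.255.0
sshd: 192.168.1.
'
HOSTS_DENY='
ALL: ALL
'

# ip_to_int A.B.C.D -> the address as a 32-bit integer, for mask arithmetic.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# wrapper_pattern_matches PATTERN IP -> 0 when PATTERN covers IP.
wrapper_pattern_matches() {
    pat=$1; ip=$2
    case "$pat" in
        ALL)
            return 0 ;;
        */*)   # net/mask form, e.g. 10.0.0.0/255.255.255.0
            net=$(ip_to_int "${pat%/*}"); mask=$(ip_to_int "${pat#*/}")
            addr=$(ip_to_int "$ip")
            if [ $(( addr & mask )) -eq $(( net & mask )) ]; then return 0; fi
            return 1 ;;
        *.)    # trailing dot: match leading octets, e.g. 192.168.1.
            case "$ip" in "$pat"*) return 0 ;; esac
            return 1 ;;
        *)     # anything else is an exact address
            if [ "$pat" = "$ip" ]; then return 0; fi
            return 1 ;;
    esac
}

# rules_match DAEMON IP RULES -> 0 when some "daemons : clients" line in RULES
# names DAEMON (or ALL) and one of its client patterns covers IP.
rules_match() {
    d=$1; ip=$2
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clients=$(printf '%s' "${line#*:}" | tr ',' ' ')
        dmatch=1
        for dp in $daemons; do
            if [ "$dp" = ALL ] || [ "$dp" = "$d" ]; then dmatch=0; fi
        done
        [ $dmatch -eq 0 ] || continue
        for cp in $clients; do
            if wrapper_pattern_matches "$cp" "$ip"; then return 0; fi
        done
    done <<EOF
$3
EOF
    return 1
}

# hosts_access DAEMON ALLOW_RULES DENY_RULES IP -> prints allow or deny,
# in tcp_wrappers order: hosts.allow first, then hosts.deny, else allow.
hosts_access() {
    daemon=$1; ip=$4
    if rules_match "$daemon" "$ip" "$2"; then echo allow
    elif rules_match "$daemon" "$ip" "$3"; then echo deny
    else echo allow; fi
}

# Stand-alone demo: a few clients against the sample rules.
for ip in 192.168.0.1 10.0.0.77 192.168.1.200 203.0.113.9; do
    printf '%-15s -> %s\n' "$ip" "$(hosts_access sshd "$HOSTS_ALLOW" "$HOSTS_DENY" "$ip")"
done
```

The last branch of {{Codeline|hosts_access}} is the point of the section above: with an empty {{Filename|hosts.deny}}, an address that matches nothing in {{Filename|hosts.allow}} is still let through, and only the {{Codeline|ALL: ALL}} line turns the allow list into a real restriction.<br />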
<br />
== Managing the SSHD daemon ==<br />
Just add sshd to the "DAEMONS" section of your {{Filename|/etc/[[rc.conf]]}}:<br />
DAEMONS=(... ... '''sshd''' ... ...)<br />
<br />
To start/restart/stop the daemon, use the following:<br />
# /etc/rc.d/sshd {start|stop|restart}<br />
<br />
==Connecting to the server==<br />
To connect to a server, run:<br />
$ ssh -p port user@server-address<br />
<br />
= Tips and tricks =<br />
<br />
== Encrypted tunnels ==<br />
This kind of connection is very useful for laptop users who connect to several untrusted wireless networks. All you need is an SSH server running somewhere secure, such as your home or your workplace. It can be helpful to use a dynamic DNS service such as DynDNS so that you do not have to remember the IP address you want to connect to.<br />
<br />
=== Step 1: Start the connection ===<br />
All you have to do is run this command in your favourite terminal to start the connection:<br />
$ ssh -ND 4711 user@host<br />
where {{Codeline|"user"}} is your user name on the SSH server running on {{Codeline|"host"}}. It will ask for your password, and then you will be connected! The {{Codeline|"N"}} flag disables the interactive prompt, and the {{Codeline|"D"}} flag specifies the local port to listen on (you can choose any port number you like).<br />
<br />
One way to make this easier is to add an alias to your {{Filename|~/.bashrc}} file such as the following:<br />
alias sshtunnel="ssh -ND 4711 -v user@host"<br />
<br />
=== Step 2: Configure your browser (or other programs) ===<br />
<br />
The previous step is useless if you do not configure your web browser (or other programs) to use the tunnel you have just created. Since the current version of SSH supports both SOCKS4 and SOCKS5, you can use either of them.<br />
<br />
* For Firefox: ''Edit &rarr; Preferences &rarr; Advanced &rarr; Network &rarr; Connection &rarr; Settings'':<br />
: Check the ''"Manual proxy configuration"'' radio button, enter "localhost" in the ''"SOCKS host"'' field, and then enter your port number in the next text field.<br />
<br />
* For Chromium: the SOCKS settings can be set as environment variables or as command line options. It is recommended to add one of the following to your .bashrc:<br />
function secure_chromium {<br />
port=4711<br />
export SOCKS_SERVER=localhost:$port<br />
export SOCKS_VERSION=5<br />
chromium &<br />
exit<br />
}<br />
OR<br />
alias secure_chromium='chromium --proxy-server="socks://localhost:4711"'<br />
<br />
Now just open a terminal and type:<br />
$ secure_chromium<br />
<br />
Done. Enjoy your secure tunnel!<br />
<br />
== X11 Forwarding ==<br />
<br />
To run graphical programs through an SSH connection you can enable X11 forwarding. This option must be set in the configuration files of both the server and the client (here "client" means your own machine, on which your X11 server runs; you will run the X applications on the "server").<br />
<br />
Install xorg-xauth on the server:<br />
# pacman -S xorg-xauth<br />
<br />
* Enable the '''AllowTcpForwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Enable the '''X11Forwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Set the '''X11DisplayOffset''' option in {{Filename|sshd_config}} on the '''server''' to 10.<br />
* Enable the '''X11UseLocalhost''' option in {{Filename|sshd_config}} on the '''server'''.<br />
<br />
<br />
* Enable the '''ForwardX11''' option in {{Filename|ssh_config}} on the '''client'''.<br />
<br />
To use the forwarding, log on to the server through ssh:<br />
# ssh -X -p port user@server-address<br />
If you get errors when trying to run graphical applications, try trusted forwarding instead:<br />
# ssh -Y -p port user@server-address<br />
You can now start any X application on the remote server; its output will be sent to your local session:<br />
# xclock<br />
<br />
== Speeding up SSH ==<br />
Changing the ciphers used by SSH to less CPU-demanding ones can improve speed. In this respect, the best choices are arcfour and blowfish-cbc; do not do this unless you know what you are doing, as arcfour has a number of known weaknesses. To use them, run SSH with the {{Codeline|"c"}} flag, like this:<br />
# ssh -c arcfour,blowfish-cbc user@server-address<br />
To use them permanently, add this line under the appropriate host in {{Filename|/etc/ssh/ssh_config}}:<br />
Ciphers arcfour,blowfish-cbc<br />
Another option to improve speed is to enable compression with the {{Codeline|"C"}} flag. A permanent solution is to add this line under the appropriate host in {{Filename|/etc/ssh/ssh_config}}:<br />
Compression yes<br />
Login time can be shortened by using the {{Codeline|"4"}} flag, which skips the IPv6 lookup. This can be made permanent by adding this line under the appropriate host in {{Filename|/etc/ssh/ssh_config}}:<br />
AddressFamily inet<br />
Another way to make these changes permanent is to create an alias in {{Filename|~/.bashrc}}:<br />
alias ssh='ssh -C4c arcfour,blowfish-cbc'<br />
Finally, you can make all sessions to the same server use a single connection, which speeds up subsequent logins, by adding these lines under the appropriate host in {{Filename|/etc/ssh/ssh_config}}:<br />
ControlMaster auto<br />
ControlPath ~/.ssh/socket-%r@%h:%p<br />
<br />
=== Troubleshooting ===<br />
<br />
Make sure the DISPLAY string is resolvable on the remote end:<br />
<br />
ssh -X user@server-address<br />
server$ echo $DISPLAY<br />
localhost:10.0<br />
server$ telnet localhost 6010<br />
localhost/6010: lookup failure: Temporary failure in name resolution <br />
<br />
This can be fixed by adding localhost to {{Filename|/etc/hosts}}.<br />
<br />
== Mounting a Remote Filesystem with SSHFS ==<br />
<br />
Install sshfs<br />
# pacman -S sshfs<br />
<br />
Load the Fuse module<br />
# modprobe fuse<br />
Add fuse to the ''modules'' array in {{Filename|/etc/rc.conf}} to load it on each system boot.<br />
<br />
Mount the remote folder using sshfs<br />
# mkdir ~/remote_folder<br />
# sshfs USER@remote_server:/tmp ~/remote_folder<br />
<br />
The command above mounts the /tmp folder on the remote server as ~/remote_folder on the local machine. Copying any file into this folder results in a transparent copy over the network using SFTP. The same applies to editing, creating or removing files directly.<br />
<br />
When we are done working with the remote filesystem, we can unmount the remote folder with the following command:<br />
# fusermount -u ~/remote_folder<br />
<br />
If we work with this folder daily, it is advisable to add it to the {{Filename|/etc/fstab}} table. This way it can be mounted automatically at boot or manually (if the {{Codeline|noauto}} option is chosen) without having to specify the remote location every time. Here is a sample entry in the table:<br />
sshfs#USER@remote_server:/tmp /full/path/to/directory fuse defaults,auto,allow_other 0 0<br />
<br />
=== Keep alive ===<br />
<br />
Your ssh session will be disconnected automatically if it is idle. To keep the connection active, add this to {{Filename|~/.ssh/config}} or to {{Filename|/etc/ssh/ssh_config}} on the client.<br />
<br />
ServerAliveInterval 5<br />
<br />
This will send a "keep alive" signal to the server every 5 seconds. You can usually increase this interval and use 120.<br />
<br />
= See also =<br />
*[[Using SSH Keys]]<br />
*[[Pam_abl]]<br />
<br />
= Links & References =<br />
*[http://www.soloport.com/iptables.html A Cure for the Common SSH Login Attack]<br />
*[http://www.la-samhna.de/library/brutessh.html Defending against brute force ssh attacks]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=OpenSSH_(Espa%C3%B1ol)&diff=135469OpenSSH (Español)2011-03-31T19:15:19Z<p>Sironitomas: /* Paso 2: Configurar tu navegador (u otros programas) */</p>
<hr />
<div>[[Category:Español]]<br />
{{i18n|SSH}}<br />
<br />
'''S'''ecure '''Sh'''ell or '''SSH''' is a network protocol that allows data to be exchanged over a secure channel between two computers. SSH uses encryption so that the information travelling over the communication medium is unreadable, and no third party can discover the user name and password of the connection or what is typed during the session. SSH uses public-key cryptography to authenticate the remote machine and, if necessary, to let it authenticate the user.<br />
<br />
Besides connecting to other devices, SSH lets us copy data securely (both individual files and simulated encrypted FTP sessions), manage RSA keys so that no passwords need to be typed when connecting to devices, and pass the data of any other application through a secure channel tunnelled by SSH.<br />
<br />
An SSH server listens on TCP port 22 by default. An SSH client program is generally used to establish connections to an ''sshd'' daemon that accepts remote connections. Both are commonly found in most modern operating systems, including Mac OS X, Linux, Solaris and OpenVMS. Proprietary, freeware and open-source versions exist at various levels of complexity and completeness.<br />
<br />
(Source: [[Wikipedia:Secure Shell]])<br />
<br />
= OpenSSH =<br />
<br />
OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing an encrypted communication session over a computer network using the SSH protocol. It was created as an open-source alternative to the proprietary software offered by SSH Communications Security. OpenSSH is developed as part of the OpenBSD project, which is led by Theo de Raadt.<br />
<br />
OpenSSH is sometimes confused with OpenSSL because of the similar name; however, the projects have different goals and are developed by different teams.<br />
<br />
== Installing OpenSSH ==<br />
# pacman -S openssh<br />
<br />
== Configuring SSH ==<br />
===Client===<br />
The SSH client configuration file can be found and edited at {{Filename|/etc/ssh/ssh_config}}.<br />
<br />
A sample configuration:<br />
<br />
{{File|name=/etc/ssh/ssh_config|content=<br />
<br />
# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $<br />
<br />
# This is the ssh client system-wide configuration file. See<br />
# ssh_config(5) for more information. This file provides defaults for<br />
# users, and the values can be changed in per-user configuration files<br />
# or on the command line.<br />
<br />
# Configuration data is parsed as follows:<br />
# 1. command line options<br />
# 2. user-specific file<br />
# 3. system-wide file<br />
# Any configuration value is only changed the first time it is set.<br />
# Thus, host-specific definitions should be at the beginning of the<br />
# configuration file, and defaults at the end.<br />
<br />
# Site-wide defaults for some commonly used options. For a comprehensive<br />
# list of available options, their meanings and defaults, please see the<br />
# ssh_config(5) man page.<br />
<br />
Host *<br />
# ForwardAgent no<br />
# ForwardX11 no<br />
# RhostsRSAAuthentication no<br />
# RSAAuthentication yes<br />
# PasswordAuthentication yes<br />
# HostbasedAuthentication no<br />
# GSSAPIAuthentication no<br />
# GSSAPIDelegateCredentials no<br />
# BatchMode no<br />
# CheckHostIP yes<br />
# AddressFamily any<br />
# ConnectTimeout 0<br />
# StrictHostKeyChecking ask<br />
# IdentityFile ~/.ssh/identity<br />
# IdentityFile ~/.ssh/id_rsa<br />
# IdentityFile ~/.ssh/id_dsa<br />
# Port 22<br />
# Protocol 2,1<br />
# Cipher 3des<br />
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc<br />
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160<br />
# EscapeChar ~<br />
# Tunnel no<br />
# TunnelDevice any:any<br />
# PermitLocalCommand no<br />
# VisualHostKey no<br />
HashKnownHosts yes<br />
StrictHostKeyChecking ask}}<br />
<br />
It is recommended to change the Protocol line to this:<br />
Protocol 2<br />
<br />
This means that only protocol 2 will be used, since protocol 1 is considered rather insecure.<br />
<br />
===Daemon===<br />
The SSH daemon configuration file can be found and edited at {{Filename|/etc/ssh/ssh'''d'''_config}}.<br />
A sample configuration:<br />
<br />
{{File|name=/etc/ssh/sshd_config|content=<br />
<br />
# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $<br />
<br />
# This is the sshd server system-wide configuration file. See<br />
# sshd_config(5) for more information.<br />
<br />
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin<br />
<br />
# The strategy used for options in the default sshd_config shipped with<br />
# OpenSSH is to specify options with their default value where<br />
# possible, but leave them commented. Uncommented options change a<br />
# default value.<br />
<br />
#Port 22<br />
#Protocol 2,1<br />
ListenAddress 0.0.0.0<br />
#ListenAddress ::<br />
<br />
# HostKey for protocol version 1<br />
#HostKey /etc/ssh/ssh_host_key<br />
# HostKeys for protocol version 2<br />
#HostKey /etc/ssh/ssh_host_rsa_key<br />
#HostKey /etc/ssh/ssh_host_dsa_key<br />
<br />
# Lifetime and size of ephemeral version 1 server key<br />
#KeyRegenerationInterval 1h<br />
#ServerKeyBits 768<br />
<br />
# Logging<br />
#obsoletes QuietMode and FascistLogging<br />
#SyslogFacility AUTH<br />
#LogLevel INFO<br />
<br />
# Authentication:<br />
<br />
#LoginGraceTime 2m<br />
#PermitRootLogin yes<br />
#StrictModes yes<br />
#MaxAuthTries 6<br />
<br />
#RSAAuthentication yes<br />
#PubkeyAuthentication yes<br />
#AuthorizedKeysFile .ssh/authorized_keys<br />
<br />
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts<br />
#RhostsRSAAuthentication no<br />
# similar for protocol version 2<br />
#HostbasedAuthentication no<br />
# Change to yes if you don't trust ~/.ssh/known_hosts for<br />
# RhostsRSAAuthentication and HostbasedAuthentication<br />
#IgnoreUserKnownHosts no<br />
# Don't read the user's ~/.rhosts and ~/.shosts files<br />
#IgnoreRhosts yes<br />
<br />
# To disable tunneled clear text passwords, change to no here!<br />
#PasswordAuthentication yes<br />
#PermitEmptyPasswords no<br />
<br />
# Change to no to disable s/key passwords<br />
#ChallengeResponseAuthentication yes<br />
<br />
# Kerberos options<br />
#KerberosAuthentication no<br />
#KerberosOrLocalPasswd yes<br />
#KerberosTicketCleanup yes<br />
#KerberosGetAFSToken no<br />
<br />
# GSSAPI options<br />
#GSSAPIAuthentication no<br />
#GSSAPICleanupCredentials yes<br />
<br />
# Set this to 'yes' to enable PAM authentication, account processing,<br />
# and session processing. If this is enabled, PAM authentication will<br />
# be allowed through the ChallengeResponseAuthentication mechanism.<br />
# Depending on your PAM configuration, this may bypass the setting of<br />
# PasswordAuthentication, PermitEmptyPasswords, and<br />
# "PermitRootLogin without-password". If you just want the PAM account and<br />
# session checks to run without PAM authentication, then enable this but set<br />
# ChallengeResponseAuthentication=no<br />
#UsePAM no<br />
<br />
#AllowTcpForwarding yes<br />
#GatewayPorts no<br />
#X11Forwarding no<br />
#X11DisplayOffset 10<br />
#X11UseLocalhost yes<br />
#PrintMotd yes<br />
#PrintLastLog yes<br />
#TCPKeepAlive yes<br />
#UseLogin no<br />
#UsePrivilegeSeparation yes<br />
#PermitUserEnvironment no<br />
#Compression yes<br />
#ClientAliveInterval 0<br />
#ClientAliveCountMax 3<br />
#UseDNS yes<br />
#PidFile /var/run/sshd.pid<br />
#MaxStartups 10<br />
<br />
# no default banner path<br />
#Banner /some/path<br />
<br />
# override default of no subsystems<br />
Subsystem sftp /usr/lib/ssh/sftp-server}}<br />
<br />
<br />
To allow access only for some users, add this line:<br />
AllowUsers user1 user2<br />
<br />
You may also want to change some lines so that they look like this:<br />
<br />
<pre><br />
Protocol 2<br />
.<br />
.<br />
.<br />
LoginGraceTime 120<br />
.<br />
.<br />
.<br />
# (put yes here if you want root login; keep the comment on its own line, older sshd versions reject a trailing comment after a value as "garbage at end of line")<br />
PermitRootLogin no<br />
</pre><br />
<br />
You could also uncomment the Banner option and edit {{Filename|/etc/issue}} for a nice welcome message.<br />
<br />
{{Tip| You may want to change the default port from 22 to some higher port (see [http://en.wikipedia.org/wiki/Security_through_obscurity security through obscurity]).}} <br />
<br />
Even though the port sshd is running on can be found with a port scanner such as nmap, changing it will reduce the number of log entries caused by automated authentication attempts. It is not a substitute for disabling password logins.<br />
<br />
===Restricting access===<br />
{{Box Note | You have to adjust this file to be able to connect to the machine remotely, since it is empty by default}}<br />
<br />
To let other people SSH into your machine you need to edit {{Filename|/etc/hosts.allow}} and add one of the following. sshd only consults this file when it is linked against libwrap (check that {{Codeline|ldd $(which sshd)}} lists it); treat it as a second line of defence behind your packet filter, not a replacement for it:<br />
<br />
<pre><br />
# let everyone connect<br />
sshd: ALL<br />
<br />
# OR restrict it to a single IP<br />
sshd: 192.168.0.1<br />
<br />
# OR restrict it to an IP range (network/netmask)<br />
sshd: 10.0.0.0/255.255.255.0<br />
<br />
# OR restrict it to an address prefix (the trailing dot matters)<br />
sshd: 192.168.1.<br />
</pre><br />
<br />
Now check your {{Filename|/etc/hosts.deny}} for the following line and make sure it looks like this:<br />
ALL: ALL<br />
<br />
That's it. You can SSH out, and the clients you listed can SSH in to your machine.<br />
<br />
To start using the new configuration, restart the daemon (as root):<br />
# /etc/rc.d/sshd restart<br />
<br />
== Managing the SSHD Daemon ==<br />
Just add sshd to the "DAEMONS" section of your {{Filename|/etc/[[rc.conf]]}}:<br />
DAEMONS=(... ... '''sshd''' ... ...)<br />
<br />
To start/restart/stop the daemon, use the following:<br />
# /etc/rc.d/sshd {start|stop|restart}<br />
<br />
==Connecting to the server==<br />
To connect to a server, run:<br />
$ ssh -p port user@server-address<br />
<br />
= Tips and Tricks =<br />
<br />
== Encrypted SOCKS tunnel ==<br />
This is very useful for laptop users connected to various untrusted wireless networks. The only thing you need is an SSH server running somewhere you trust, such as your home or your workplace. A dynamic DNS service such as DynDNS saves you from having to remember the IP address you want to connect to.<br />
<br />
=== Step 1: Start the connection ===<br />
All you have to do is run this command in your favourite terminal to start the connection:<br />
$ ssh -ND 4711 user@host<br />
where {{Codeline|"user"}} is your username on the SSH server running on {{Codeline|"host"}}. It will ask for your password, and then you are connected. The {{Codeline|"N"}} flag tells ssh not to run a remote command (it only forwards), and {{Codeline|"D"}} makes ssh act as a SOCKS proxy on the given local port (you can choose any free port number). The proxy listens on localhost only unless you give a bind address, so other machines on the wireless network cannot use your tunnel.<br />
<br />
An easy way to do this is to add an alias to your {{Filename|~/.bashrc}} file like the following:<br />
alias sshtunnel="ssh -ND 4711 -v user@host"<br />
<br />
=== Step 2: Configure your browser (or other programs) ===<br />
<br />
The previous step is useless unless you configure your web browser (or other programs) to use the tunnel you just created. Since the current version of SSH supports both SOCKS4 and SOCKS5, you can use either of them. Prefer SOCKS5 and let the proxy resolve host names: with SOCKS4, or with SOCKS5 but local name resolution, the browser still sends DNS queries over the untrusted network and reveals which sites you visit.<br />
<br />
* For Firefox: ''Edit &rarr; Preferences &rarr; Advanced &rarr; Network &rarr; Connection &rarr; Settings'':<br />
: Select ''"Manual proxy configuration"'', enter "localhost" in the ''"SOCKS host"'' field, and enter your port number in the next field. Also set {{Codeline|network.proxy.socks_remote_dns}} to {{Codeline|true}} in {{Codeline|about:config}} so that name resolution goes through the tunnel as well.<br />
<br />
* For Chromium: the SOCKS settings can be given as environment variables or as command line options. Add one of the following to your .bashrc:<br />
function secure_chromium {<br />
    # The proxy variables are set for this chromium process only: exporting them<br />
    # would make every later program in the shell use the tunnel, and an "exit"<br />
    # here would close the shell the function is called from.<br />
    SOCKS_SERVER=localhost:4711 SOCKS_VERSION=5 chromium &<br />
}<br />
OR<br />
alias secure_chromium='chromium --proxy-server="socks5://localhost:4711"'<br />
Chromium can still issue DNS queries of its own (for example for DNS prefetching) even with a SOCKS5 proxy; adding {{Codeline|--host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"}} to the command line forces all name resolution through the proxy.<br />
<br />
Now just open a terminal and run:<br />
$ secure_chromium<br />
<br />
Enjoy your secure tunnel!<br />
<br />
== X11 Forwarding ==<br />
<br />
To run graphical programs over an SSH connection you can enable X11 forwarding. Options need to be set in the configuration files on both the server and the client (here "client" means your desktop machine, where the X11 server runs, and you will run X applications on the "server").<br />
<br />
Install xorg-xauth on the server:<br />
# pacman -S xorg-xauth<br />
<br />
* Enable the '''X11Forwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Set the '''X11DisplayOffset''' option in {{Filename|sshd_config}} on the '''server''' to 10 (the default).<br />
* Enable the '''X11UseLocalhost''' option in {{Filename|sshd_config}} on the '''server''' (the default; it keeps the forwarded display bound to the loopback interface).<br />
* '''AllowTcpForwarding''' in {{Filename|sshd_config}} governs -L/-R/-D port forwarding and is not required for X11 forwarding.<br />
<br />
<br />
* Enable the '''ForwardX11''' option in {{Filename|ssh_config}} on the '''client''', or pass -X on the command line as shown below.<br />
<br />
To use the forwarding, log in to your server through ssh:<br />
# ssh -X -p port user@server-address<br />
If you get errors trying to run graphical applications, try trusted forwarding instead. Be aware that -Y gives programs on the server unrestricted access to your local X server (keystrokes, screen contents, other windows), so use it only with servers you trust:<br />
# ssh -Y -p port user@server-address<br />
You can now start any X application on the remote server; its output will be forwarded to your local session:<br />
# xclock<br />
<br />
== Speeding up SSH ==<br />
Changing the ciphers used by SSH to less CPU-intensive ones can improve throughput. The fastest choices are arcfour and blowfish-cbc. '''Do not do this unless you know what you are doing: arcfour (RC4) has a number of known weaknesses, and the CBC modes are subject to a known plaintext-recovery attack against SSH that the default CTR ciphers avoid.''' To use them, run SSH with the {{Codeline|"c"}} flag like this:<br />
# ssh -c arcfour,blowfish-cbc user@server-address<br />
To use them permanently, add this line under the appropriate host in {{Filename|/etc/ssh/ssh_config}}:<br />
Ciphers arcfour,blowfish-cbc<br />
Another option to improve speed is to enable compression with the {{Codeline|"C"}} flag. A permanent solution is to add this line under the appropriate host in {{Filename|/etc/ssh/ssh_config}}:<br />
Compression yes<br />
Login time can be shortened with the {{Codeline|"4"}} flag, which skips the IPv6 lookup. This can be made permanent by adding this line under the appropriate host in {{Filename|/etc/ssh/ssh_config}}:<br />
AddressFamily inet<br />
Another way to make these changes permanent is to create an alias in {{Filename|~/.bashrc}}:<br />
alias ssh='ssh -C4c arcfour,blowfish-cbc'<br />
Finally, you can make all sessions to the same server share a single connection, which speeds up subsequent logins, by adding these lines under the appropriate host in {{Filename|/etc/ssh/ssh_config}}:<br />
ControlMaster auto<br />
ControlPath ~/.ssh/socket-%r@%h:%p<br />
<br />
=== Troubleshooting X11 forwarding ===<br />
<br />
Make sure the DISPLAY string is resolvable on the remote end:<br />
<br />
ssh -X user@server-address<br />
server$ echo $DISPLAY<br />
localhost:10.0<br />
server$ telnet localhost 6010<br />
localhost/6010: lookup failure: Temporary failure in name resolution <br />
<br />
This can be fixed by adding localhost to {{Filename|/etc/hosts}} on the server.<br />
<br />
== Mounting a remote filesystem with SSHFS ==<br />
<br />
Install sshfs<br />
# pacman -S sshfs<br />
<br />
Load the FUSE module<br />
# modprobe fuse<br />
Add fuse to the ''MODULES'' array in {{Filename|/etc/rc.conf}} to load it on every boot.<br />
<br />
Mount the remote folder using sshfs<br />
# mkdir ~/remote_folder<br />
# sshfs USER@remote_server:/tmp ~/remote_folder<br />
<br />
The command above mounts the folder /tmp on the remote server as ~/remote_folder on the local machine. Copying any file into this folder copies it transparently over the network using SFTP; the same applies to editing, creating or deleting files directly.<br />
<br />
When you are done working with the remote filesystem, unmount it with:<br />
# fusermount -u ~/remote_folder<br />
<br />
If you work with this folder daily, it is convenient to add it to {{Filename|/etc/fstab}}. That way it can be mounted automatically at boot or manually (with the {{Codeline|noauto}} option) without specifying the remote location each time. A mount at boot runs as root, so root needs a key without a passphrase (or an agent) for USER@remote_server, and the server's host key must already be in root's known_hosts. {{Codeline|allow_other}} makes the mount readable by every local user (a non-root mounter also needs {{Codeline|user_allow_other}} in {{Filename|/etc/fuse.conf}}), so leave it out unless other users need the files. Here is a sample entry:<br />
sshfs#USER@remote_server:/tmp /full/path/to/directory fuse defaults,auto,allow_other 0 0<br />
<br />
=== Keep alive ===<br />
<br />
Your SSH session will be disconnected automatically if it stays idle. To keep the connection active, add this to {{Filename|~/.ssh/config}} or to {{Filename|/etc/ssh/ssh_config}} on the client.<br />
<br />
ServerAliveInterval 5<br />
<br />
This sends a keep-alive message to the server every 5 seconds. You can usually use a much larger interval, such as 120. After {{Codeline|ServerAliveCountMax}} (default 3) consecutive unanswered messages the client drops the connection.<br />
<br />
= See also =<br />
*[[Using SSH Keys]]<br />
*[[Pam_abl]]<br />
<br />
= Links & References =<br />
*[http://www.soloport.com/iptables.html A Cure for the Common SSH Login Attack]<br />
*[http://www.la-samhna.de/library/brutessh.html Defending against brute force ssh attacks]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=OpenSSH&diff=135468OpenSSH2011-03-31T19:13:34Z<p>Sironitomas: /* Step 2: Configure your Browser (or other programs) */</p>
<hr />
<div>[[Category:Daemons and system services (English)]]<br />
{{i18n|SSH}}<br />
[[pl:SSH]]<br />
[[fr:ssh]]<br />
<br />
Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.<br />
<br />
SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding arbitrary TCP ports and X11 connections; file transfer can be accomplished using the associated SFTP or SCP protocols.<br />
<br />
An SSH server, by default, listens on the standard TCP port 22. An SSH client program is typically used for establishing connections to an ''sshd'' daemon accepting remote connections. Both are commonly present on most modern operating systems, including Mac OS X, GNU/Linux, Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.<br />
<br />
(Source: [[Wikipedia:Secure Shell]])<br />
<br />
= OpenSSH =<br />
<br />
OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the ssh protocol. It was created as an open source alternative to the proprietary Secure Shell software suite offered by SSH Communications Security. OpenSSH is developed as part of the OpenBSD project, which is led by Theo de Raadt.<br />
<br />
OpenSSH is occasionally confused with the similarly-named OpenSSL; however, the projects have different purposes and are developed by different teams, the similar name is drawn only from similar goals.<br />
<br />
== Installing OpenSSH ==<br />
# pacman -S openssh<br />
<br />
== Configuring SSH ==<br />
===Client===<br />
The SSH client configuration file can be found and edited in {{Filename|/etc/ssh/ssh_config}}.<br />
<br />
An example configuration: <br />
<br />
{{File|name=/etc/ssh/ssh_config|content=<br />
<br />
# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $<br />
<br />
# This is the ssh client system-wide configuration file. See<br />
# ssh_config(5) for more information. This file provides defaults for<br />
# users, and the values can be changed in per-user configuration files<br />
# or on the command line.<br />
<br />
# Configuration data is parsed as follows:<br />
# 1. command line options<br />
# 2. user-specific file<br />
# 3. system-wide file<br />
# Any configuration value is only changed the first time it is set.<br />
# Thus, host-specific definitions should be at the beginning of the<br />
# configuration file, and defaults at the end.<br />
<br />
# Site-wide defaults for some commonly used options. For a comprehensive<br />
# list of available options, their meanings and defaults, please see the<br />
# ssh_config(5) man page.<br />
<br />
Host *<br />
# ForwardAgent no<br />
# ForwardX11 no<br />
# RhostsRSAAuthentication no<br />
# RSAAuthentication yes<br />
# PasswordAuthentication yes<br />
# HostbasedAuthentication no<br />
# GSSAPIAuthentication no<br />
# GSSAPIDelegateCredentials no<br />
# BatchMode no<br />
# CheckHostIP yes<br />
# AddressFamily any<br />
# ConnectTimeout 0<br />
# StrictHostKeyChecking ask<br />
# IdentityFile ~/.ssh/identity<br />
# IdentityFile ~/.ssh/id_rsa<br />
# IdentityFile ~/.ssh/id_dsa<br />
# Port 22<br />
# Protocol 2,1<br />
# Cipher 3des<br />
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc<br />
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160<br />
# EscapeChar ~<br />
# Tunnel no<br />
# TunnelDevice any:any<br />
# PermitLocalCommand no<br />
# VisualHostKey no<br />
HashKnownHosts yes<br />
StrictHostKeyChecking ask}}<br />
<br />
It is recommended to change the Protocol line into this:<br />
Protocol 2<br />
<br />
That means that only Protocol 2 will be used, since Protocol 1 is considered somewhat insecure.<br />
<br />
===Daemon===<br />
The SSH daemon configuration file can be found and edited in {{Filename|/etc/ssh/ssh'''d'''_config}}.<br />
<br />
An example configuration: <br />
<br />
{{File|name=/etc/ssh/sshd_config|content=<br />
<br />
# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $<br />
<br />
# This is the sshd server system-wide configuration file. See<br />
# sshd_config(5) for more information.<br />
<br />
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin<br />
<br />
# The strategy used for options in the default sshd_config shipped with<br />
# OpenSSH is to specify options with their default value where<br />
# possible, but leave them commented. Uncommented options change a<br />
# default value.<br />
<br />
#Port 22<br />
#Protocol 2,1<br />
ListenAddress 0.0.0.0<br />
#ListenAddress ::<br />
<br />
# HostKey for protocol version 1<br />
#HostKey /etc/ssh/ssh_host_key<br />
# HostKeys for protocol version 2<br />
#HostKey /etc/ssh/ssh_host_rsa_key<br />
#HostKey /etc/ssh/ssh_host_dsa_key<br />
<br />
# Lifetime and size of ephemeral version 1 server key<br />
#KeyRegenerationInterval 1h<br />
#ServerKeyBits 768<br />
<br />
# Logging<br />
#obsoletes QuietMode and FascistLogging<br />
#SyslogFacility AUTH<br />
#LogLevel INFO<br />
<br />
# Authentication:<br />
<br />
#LoginGraceTime 2m<br />
#PermitRootLogin yes<br />
#StrictModes yes<br />
#MaxAuthTries 6<br />
<br />
#RSAAuthentication yes<br />
#PubkeyAuthentication yes<br />
#AuthorizedKeysFile .ssh/authorized_keys<br />
<br />
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts<br />
#RhostsRSAAuthentication no<br />
# similar for protocol version 2<br />
#HostbasedAuthentication no<br />
# Change to yes if you don't trust ~/.ssh/known_hosts for<br />
# RhostsRSAAuthentication and HostbasedAuthentication<br />
#IgnoreUserKnownHosts no<br />
# Don't read the user's ~/.rhosts and ~/.shosts files<br />
#IgnoreRhosts yes<br />
<br />
# To disable tunneled clear text passwords, change to no here!<br />
#PasswordAuthentication yes<br />
#PermitEmptyPasswords no<br />
<br />
# Change to no to disable s/key passwords<br />
#ChallengeResponseAuthentication yes<br />
<br />
# Kerberos options<br />
#KerberosAuthentication no<br />
#KerberosOrLocalPasswd yes<br />
#KerberosTicketCleanup yes<br />
#KerberosGetAFSToken no<br />
<br />
# GSSAPI options<br />
#GSSAPIAuthentication no<br />
#GSSAPICleanupCredentials yes<br />
<br />
# Set this to 'yes' to enable PAM authentication, account processing,<br />
# and session processing. If this is enabled, PAM authentication will<br />
# be allowed through the ChallengeResponseAuthentication mechanism.<br />
# Depending on your PAM configuration, this may bypass the setting of<br />
# PasswordAuthentication, PermitEmptyPasswords, and<br />
# "PermitRootLogin without-password". If you just want the PAM account and<br />
# session checks to run without PAM authentication, then enable this but set<br />
# ChallengeResponseAuthentication=no<br />
#UsePAM no<br />
<br />
#AllowTcpForwarding yes<br />
#GatewayPorts no<br />
#X11Forwarding no<br />
#X11DisplayOffset 10<br />
#X11UseLocalhost yes<br />
#PrintMotd yes<br />
#PrintLastLog yes<br />
#TCPKeepAlive yes<br />
#UseLogin no<br />
#UsePrivilegeSeparation yes<br />
#PermitUserEnvironment no<br />
#Compression yes<br />
#ClientAliveInterval 0<br />
#ClientAliveCountMax 3<br />
#UseDNS yes<br />
#PidFile /var/run/sshd.pid<br />
#MaxStartups 10<br />
<br />
# no default banner path<br />
#Banner /some/path<br />
<br />
# override default of no subsystems<br />
Subsystem sftp /usr/lib/ssh/sftp-server}}<br />
<br />
<br />
To allow access only for some users add this line:<br />
AllowUsers user1 user2<br />
<br />
You might want to change some lines so that they look as following:<br />
<pre><br />
Protocol 2<br />
.<br />
.<br />
.<br />
LoginGraceTime 120<br />
.<br />
.<br />
.<br />
# (put yes here if you want root login; keep the comment on its own line, older sshd versions reject a trailing comment after a value as "garbage at end of line")<br />
PermitRootLogin no<br />
</pre><br />
<br />
You could also uncomment the BANNER option and edit {{Filename|/etc/issue}} for a nice welcome message.<br />
<br />
{{Tip| You may want to change the default port from 22 to any higher port (see [http://en.wikipedia.org/wiki/Security_through_obscurity security through obscurity]).}} <br />
<br />
Even though the port ssh is running on could be detected by using a port-scanner like nmap, changing it will reduce the number of log entries caused by automated authentication attempts.<br />
<br />
{{Tip| Disabling password logins entirely also increases security, since each user with access to the server will need to create SSH keys (see [http://wiki.archlinux.org/index.php/Using_SSH_Keys Using SSH Keys]). Verify that a key-based login works from a second session before restarting sshd with these settings, or you may lock yourself out. Both options below are needed: with only PasswordAuthentication set to no, sshd can still prompt for a password through keyboard-interactive (PAM) authentication, as the comments in the sample configuration above explain.}}<br />
<br />
{{File|name=/etc/ssh/sshd_config|content=<br />
PasswordAuthentication no<br />
ChallengeResponseAuthentication no}}<br />
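<br />
The following is an added example, not part of this wiki page or of the OpenSSH project: a small POSIX shell audit of an sshd_config for the settings discussed in this section (Protocol, PermitRootLogin, AllowUsers, PasswordAuthentication together with ChallengeResponseAuthentication, PermitEmptyPasswords). It serves the same hardening advice in the Spanish translation of this page earlier in this feed. It assumes the defaults shown as commented-out lines in the sample sshd_config above, handles only the plain "keyword value" form (no Match blocks), and the two configuration files it checks are constructed for the example. The file names and function names are illustrative.<br />

```shell
#!/bin/sh
# Added example; not code from the Arch wiki page or from the OpenSSH project.
# Audits an sshd_config for the settings discussed in this section. Use it on
# the live file as:   audit_sshd_config /etc/ssh/sshd_config
# Before restarting sshd, always run "sshd -t" (syntax check) so a typo does not
# lock you out; "sshd -T" prints the configuration sshd actually resolved,
# which is the authoritative answer when Match blocks are involved.

# Effective value of one keyword. As in sshd, the first occurrence wins and
# commented-out defaults such as "#PermitRootLogin yes" are ignored. Prints
# nothing when the keyword is not set. Match blocks are not handled.
sshd_opt() {  # usage: sshd_opt <file> <keyword>
    awk -v key="$2" '
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Prints one finding per line. Returns 0 when nothing was found, 1 otherwise.
# Where a keyword is unset, the defaults assumed are the commented-out ones in
# the sample sshd_config above (PermitRootLogin yes, PasswordAuthentication yes,
# ChallengeResponseAuthentication yes, PermitEmptyPasswords no).
audit_sshd_config() {  # usage: audit_sshd_config <file>
    f=$1; n=0
    proto=$(sshd_opt "$f" Protocol)
    case "$proto" in
        "")  echo "Protocol is not set: add 'Protocol 2' so SSH-1 cannot be enabled by a default"; n=$((n + 1)) ;;
        *1*) echo "Protocol $proto allows SSH-1: set 'Protocol 2'"; n=$((n + 1)) ;;
    esac
    case "$(sshd_opt "$f" PermitRootLogin)" in
        ""|yes) echo "PermitRootLogin is yes: set 'PermitRootLogin no' and log in as an unprivileged user"; n=$((n + 1)) ;;
    esac
    pw=$(sshd_opt "$f" PasswordAuthentication)
    cr=$(sshd_opt "$f" ChallengeResponseAuthentication)
    if [ "${pw:-yes}" = yes ]; then
        echo "PasswordAuthentication is yes: set it to no once key logins are verified"; n=$((n + 1))
    elif [ "${cr:-yes}" = yes ]; then
        # PasswordAuthentication no is not enough: with UsePAM, keyboard-interactive
        # authentication can still prompt for the account password.
        echo "ChallengeResponseAuthentication is yes: passwords can still be tried via keyboard-interactive"; n=$((n + 1))
    fi
    if [ "$(sshd_opt "$f" PermitEmptyPasswords)" = yes ]; then
        echo "PermitEmptyPasswords is yes: set it to no"; n=$((n + 1))
    fi
    if [ -z "$(sshd_opt "$f" AllowUsers)" ] && [ -z "$(sshd_opt "$f" AllowGroups)" ]; then
        echo "No AllowUsers or AllowGroups: every local account with a valid shell may log in"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Constructed samples: the first mirrors the sample sshd_config above with
# Protocol 2,1 uncommented; the second applies the hardening from this section.
WEAK_SSHD_CONF=$(mktemp); HARDENED_SSHD_CONF=$(mktemp)
cat > "$WEAK_SSHD_CONF" <<'EOF'
#Port 22
Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
cat > "$HARDENED_SSHD_CONF" <<'EOF'
Port 2222
Protocol 2
LoginGraceTime 120
PermitRootLogin no
AllowUsers user1 user2
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
Subsystem sftp /usr/lib/ssh/sftp-server
EOF

echo "== weak sample =="
audit_sshd_config "$WEAK_SSHD_CONF"      # four findings, exit status 1
echo "== hardened sample =="
audit_sshd_config "$HARDENED_SSHD_CONF" && echo "no findings"
```

The weak sample produces four findings (Protocol, PermitRootLogin, PasswordAuthentication and the missing AllowUsers); the hardened sample produces none. Because the function exits non-zero when it finds something, it can be dropped into a configuration-management check as is.<br />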
<br />
===Allowing others in===<br />
{{Box Note | You have to adjust this file to remotely connect to your machine since the file is empty by default}}<br />
<br />
To let other people ssh to your machine you need to adjust {{Filename|/etc/hosts.allow}}, add the following. These files only take effect when sshd is linked against libwrap (check that {{Codeline|ldd $(which sshd)}} lists it); treat them as a second line of defence behind your packet filter, not a replacement for it:<br />
<br />
<pre><br />
# let everyone connect to you<br />
sshd: ALL<br />
<br />
# OR you can restrict it to a certain ip<br />
sshd: 192.168.0.1<br />
<br />
# OR restrict for an IP range<br />
sshd: 10.0.0.0/255.255.255.0<br />
<br />
# OR restrict for an IP match<br />
sshd: 192.168.1.<br />
</pre><br />
<br />
Now you should check your {{Filename|/etc/hosts.deny}} for the following line and make sure it looks like this:<br />
ALL: ALL<br />
<br />
That's it. You can SSH out and others should be able to SSH in :).<br />
<br />
To start using the new configuration, restart the daemon (as root):<br />
# /etc/rc.d/sshd restart<br />
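<br />
The following is an added example, not part of this wiki page or of the tcp_wrappers project (it also illustrates the "Restricting access" section of the Spanish translation earlier in this feed): a small POSIX shell matcher for the hosts.allow/hosts.deny forms shown above (ALL, exact address, network/netmask, trailing-dot prefix), applied in the order that hosts_access(5) uses, so you can see which clients a pair of files admits before restarting sshd. On a real host prefer the evaluator that ships with tcp_wrappers, {{Codeline|tcpdmatch sshd 192.168.1.5}}, which reads the real files. Hostname patterns are out of scope, IPv4 addresses are assumed valid, and the two sample files are constructed for the example.<br />

```shell
#!/bin/sh
# Added example; not code from the Arch wiki page or from tcp_wrappers.
# Evaluates hosts.allow / hosts.deny entries for a daemon and client address.
# Remember that sshd only consults these files when built against libwrap:
#   ldd "$(command -v sshd)" | grep -q libwrap && echo "sshd uses tcp_wrappers"

# Dotted quad -> 32-bit integer. Input is assumed to be a valid IPv4 address.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Does one client pattern match an IPv4 address? Forms handled are the ones
# used in this section: ALL, an exact address, a net/netmask pair, and a
# trailing-dot prefix such as "192.168.1." (compared against the dotted form).
wrap_pattern_matches() {  # usage: wrap_pattern_matches <pattern> <client-ip>
    pat=$1; ip=$2
    case "$pat" in
        ALL) return 0 ;;
        */*) net=${pat%/*}; mask=${pat#*/}
             [ $(( $(ip2int "$ip") & $(ip2int "$mask") )) -eq \
               $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
        *.)  case "$ip" in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        *)   [ "$pat" = "$ip" ] ;;
    esac
}

# Does any "daemon_list : client_list" line in the file match this daemon and
# client? Comments and lines without a colon are skipped.
wrap_file_matches() {  # usage: wrap_file_matches <file> <daemon> <client-ip>
    file=$1; daemon=$2; ip=$3
    [ -f "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=$(echo "${line%%:*}" | tr ',' ' ')
        clients=$(echo "${line#*:}" | tr ',' ' ')
        hit=1
        for d in $daemons; do
            case "$d" in ALL|"$daemon") hit=0 ;; esac
        done
        [ "$hit" -eq 0 ] || continue
        for c in $clients; do
            wrap_pattern_matches "$c" "$ip" && return 0
        done
    done < "$file"
    return 1
}

# hosts_access(5) order: a matching hosts.allow entry grants access; failing
# that, a matching hosts.deny entry refuses it; if neither matches, access is
# granted. Prints "allow" or "deny" and returns 0 / 1 accordingly.
wrap_access() {  # usage: wrap_access <hosts.allow> <hosts.deny> <daemon> <client-ip>
    if wrap_file_matches "$1" "$3" "$4"; then echo allow; return 0; fi
    if wrap_file_matches "$2" "$3" "$4"; then echo deny; return 1; fi
    echo allow; return 0
}

# Constructed sample files with the entries from this section.
WRAP_ALLOW=$(mktemp); WRAP_DENY=$(mktemp)
cat > "$WRAP_ALLOW" <<'EOF'
# who may reach sshd
sshd: 192.168.0.1
sshd: 10.0.0.0/255.255.255.0
sshd: 192.168.1.
EOF
echo 'ALL: ALL' > "$WRAP_DENY"

for client in 192.168.0.1 192.168.0.2 10.0.0.77 10.0.1.1 192.168.1.200 192.168.10.1; do
    printf '%-15s %s\n' "$client" "$(wrap_access "$WRAP_ALLOW" "$WRAP_DENY" sshd "$client")"
done
```

Two things the run makes visible: without the {{Codeline|ALL: ALL}} line in hosts.deny nothing is ever refused, because an unmatched request is granted; and {{Codeline|192.168.1.}} admits 192.168.1.200 but not 192.168.10.1, so the trailing dot is what turns the pattern into a prefix.<br />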
<br />
== Managing SSHD Daemon ==<br />
Just add sshd to the "DAEMONS" section of your {{Filename|/etc/[[rc.conf]]}}:<br />
DAEMONS=(... ... '''sshd''' ... ...)<br />
<br />
To start/restart/stop the daemon, use the following:<br />
# /etc/rc.d/sshd {start|stop|restart}<br />
<br />
==Connecting to the server==<br />
To connect to a server, run:<br />
$ ssh -p port user@server-address<br />
<br />
= Tips and Tricks =<br />
<br />
== Encrypted Socks Tunnel ==<br />
This is highly useful for laptop users connected to various unsafe wireless connections. The only thing you need is an SSH server running at a somewhat secure location, like your home or at work. It might be useful to use a dynamic DNS service like [http://www.dyndns.org/ DynDNS] so you don't have to remember your IP-address.<br />
<br />
=== Step 1: Start the Connection ===<br />
You only have to execute this single command in your favorite terminal to start the connection:<br />
$ ssh -ND 4711 user@host<br />
where {{Codeline|"user"}} is your username at the SSH server running at the {{Codeline|"host"}}. It will ask for your password, and then you're connected! The {{Codeline|"N"}} flag tells ssh not to run a remote command (it only forwards), and the {{Codeline|"D"}} flag makes ssh act as a SOCKS proxy on the given local port (you can choose any free port number). The proxy listens on localhost only unless you give a bind address, so other hosts on the wireless network cannot use your tunnel.<br />
<br />
One way to make this easier is to put an alias line in your {{Filename|~/.bashrc}} file as following:<br />
alias sshtunnel="ssh -ND 4711 -v user@host"<br />
It's nice to add the verbose {{Codeline|"-v"}} flag, because then you can verify that it's actually connected from that output. Now you just have to execute the {{Codeline|"sshtunnel"}} command :)<br />
<br />
=== Step 2: Configure your Browser (or other programs) ===<br />
<br />
The above step is completely useless if you don't configure your web browser (or other programs) to use this newly created socks tunnel. Since the current version of SSH supports both SOCKS4 and SOCKS5, you can use either of them. Prefer SOCKS5 and let the proxy resolve host names: with SOCKS4, or with SOCKS5 but local name resolution, the browser still sends DNS queries over the untrusted network and reveals which sites you visit.<br />
<br />
* For Firefox: ''Edit &rarr; Preferences &rarr; Advanced &rarr; Network &rarr; Connection &rarr; Settings'':<br />
: Check the ''"Manual proxy configuration"'' radio button, and enter "localhost" in the ''"SOCKS host"'' text field, and then enter your port number in the next text field (I used 4711 above). Also set {{Codeline|network.proxy.socks_remote_dns}} to {{Codeline|true}} in {{Codeline|about:config}} so that name resolution goes through the tunnel as well.<br />
<br />
* For Chromium: You can set the SOCKS settings as environment variables or as command line options. I recommend to add one of the following lines to your .bashrc:<br />
function secure_chromium {<br />
    # The proxy variables are set for this chromium process only: exporting them<br />
    # would make every later program in the shell use the tunnel, and an "exit"<br />
    # here would close the shell the function is called from.<br />
    SOCKS_SERVER=localhost:4711 SOCKS_VERSION=5 chromium &<br />
}<br />
OR<br />
alias secure_chromium='chromium --proxy-server="socks5://localhost:4711"'<br />
Chromium can still issue DNS queries of its own (for example for DNS prefetching) even with a SOCKS5 proxy; adding {{Codeline|--host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"}} to the command line forces all name resolution through the proxy.<br />
<br />
Now open a terminal and just do:<br />
$ secure_chromium<br />
<br />
Enjoy your secure tunnel!<br />
<br />
== X11 Forwarding ==<br />
<br />
To run graphical programs through a SSH connection you can enable X11 forwarding. An option needs to be set in the configuration files on the server and client (here "client" means your (desktop) machine your X11 Server runs on, and you will run X applications on the "server").<br />
<br />
Install xorg-xauth on the server:<br />
# pacman -S xorg-xauth<br />
<br />
* Enable the '''X11Forwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Set the '''X11DisplayOffset''' option in {{Filename|sshd_config}} on the '''server''' to 10 (the default).<br />
* Enable the '''X11UseLocalhost''' option in {{Filename|sshd_config}} on the '''server''' (the default; it keeps the forwarded display bound to the loopback interface).<br />
* '''AllowTcpForwarding''' in {{Filename|sshd_config}} governs -L/-R/-D port forwarding and is not required for X11 forwarding.<br />
<br />
<br />
* Enable the '''ForwardX11''' option in {{Filename|ssh_config}} on the '''client''', or pass -X on the command line as shown below.<br />
<br />
To use the forwarding, log on to your server through ssh:<br />
# ssh -X -p port user@server-address<br />
If you receive errors trying to run graphical applications try trusted forwarding instead. Be aware that -Y gives programs on the server unrestricted access to your local X server (keystrokes, screen contents, other windows), so use it only with servers you trust:<br />
# ssh -Y -p port user@server-address<br />
You can now start any X program on the remote server, the output will be forwarded to your local session:<br />
# xclock<br />
<br />
If you get "Cannot open display" errors, first check that {{Codeline|echo $DISPLAY}} on the server prints something like localhost:10.0 and that xorg-xauth is installed there: forwarded connections are authorised by the xauth cookie that ssh installs on the server, not by xhost. If you really need to open your local X server to another host, use xhost as the non-root user:<br />
$ xhost +hostname<br />
<br />
where hostname is the name of the particular host you want to allow, and revoke it afterwards with {{Codeline|xhost -hostname}}. A bare {{Codeline|xhost +}} disables access control completely, letting any host that can reach your X server read your keystrokes and screen contents; avoid it. Type "man xhost" for more details.<br />
<br />
Be careful with some applications as they check for a running instance on the local machine. Firefox is an example. Either close running Firefox or use the following start parameter to start a remote instance on the local machine<br />
$ firefox -no-remote<br />
<br />
== Speed up SSH ==<br />
You can make all sessions to the same host use a single connection, which will greatly speed up subsequent logins, by adding these lines under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
ControlMaster auto<br />
ControlPath ~/.ssh/socket-%r@%h:%p<br />
<br />
Changing the ciphers used by SSH to less cpu-demanding ones can improve speed. In this aspect, the fastest choices are arcfour and blowfish-cbc. '''Please do not do this unless you know what you are doing; arcfour (RC4) has a number of known weaknesses, and the CBC modes are subject to a known plaintext-recovery attack against SSH that the default CTR ciphers avoid'''. To use them, run SSH with the {{Codeline|"c"}} flag, like this:<br />
# ssh -c arcfour,blowfish-cbc user@server-address<br />
To use them permanently, add this line under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
Ciphers arcfour,blowfish-cbc<br />
Another option to improve speed is to enable compression with the {{Codeline|"C"}} flag. A permanent solution is to add this line under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
Compression yes<br />
Login time can be shortened by using the {{Codeline|"4"}} flag, which skips the IPv6 lookup. This can be made permanent by adding this line under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
AddressFamily inet<br />
Another way of making these changes permanent is to create an alias in {{Filename|~/.bashrc}}:<br />
alias ssh='ssh -C4c arcfour,blowfish-cbc'<br />
<br />
=== Troubleshooting X11 forwarding ===<br />
<br />
Make sure your DISPLAY string is resolvable on the remote end:<br />
<br />
ssh -X user@server-address<br />
server$ echo $DISPLAY<br />
localhost:10.0<br />
server$ telnet localhost 6010<br />
localhost/6010: lookup failure: Temporary failure in name resolution <br />
<br />
This can be fixed by adding localhost to {{Filename|/etc/hosts}} on the server.<br />
<br />
== Mounting a Remote Filesystem with SSHFS ==<br />
<br />
Install sshfs<br />
# pacman -S sshfs<br />
<br />
Load the Fuse module<br />
# modprobe fuse<br />
Add fuse to the ''modules'' array in {{Filename|/etc/rc.conf}} to load it on each system boot.<br />
<br />
Mount the remote folder using sshfs<br />
# mkdir ~/remote_folder<br />
# sshfs USER@remote_server:/tmp ~/remote_folder<br />
<br />
The command above will cause the folder /tmp on the remote server to be mounted as ~/remote_folder on the local machine. Copying any file to this folder will result in transparent copying over the network using SFTP. The same applies to editing, creating or removing files directly.<br />
<br />
When we’re done working with the remote filesystem, we can unmount the remote folder by issuing:<br />
# fusermount -u ~/remote_folder<br />
<br />
If we work on this folder on a daily basis, it is wise to add it to the {{Filename|/etc/fstab}} table. This way it can be automatically mounted upon system boot or mounted manually (if the {{Codeline|noauto}} option is chosen) without the need to specify the remote location each time. A mount at boot runs as root, so root needs a key without a passphrase (or an agent) for USER@remote_server and the server's host key must already be in root's known_hosts. {{Codeline|allow_other}} makes the mount readable by every local user (a non-root mounter also needs {{Codeline|user_allow_other}} in {{Filename|/etc/fuse.conf}}), so drop it unless other users need the files. Here is a sample entry in the table:<br />
sshfs#USER@remote_server:/tmp /full/path/to/directory fuse defaults,auto,allow_other 0 0<br />
<br />
== Keep Alive ==<br />
<br />
Your ssh session will automatically log out if it is idle. To keep the connection active (alive) add this to {{Filename|~/.ssh/config}} or to {{Filename|/etc/ssh/ssh_config}} on the client.<br />
<br />
ServerAliveInterval 120<br />
<br />
This will send a "keep alive" signal to the server every 120 seconds. After {{Codeline|ServerAliveCountMax}} (default 3) consecutive unanswered messages the client drops the connection, which also makes a dead link noticeable instead of a hung terminal.<br />
<br />
Conversely, to keep incoming connections alive, you can set<br />
<br />
ClientAliveInterval 120<br />
<br />
(or some other number greater than 0) in {{Filename|/etc/ssh/sshd_config}} on the server.<br />
<br />
== Save connection data in .ssh/config ==<br />
<br />
Whenever you want to connect to a server, you usually have to type at least its address and your username. To save that typing work for servers you regularly connect to, you can use the {{Filename|$HOME/.ssh/config}} file as shown in the following example:<br />
<br />
{{File|name=$HOME/.ssh/config|content=<br />
<br />
Host myserver<br />
HostName 123.123.123.123<br />
Port 12345<br />
User bob<br />
Host other_server<br />
HostName test.something.org<br />
User alice<br />
CheckHostIP no<br />
Cipher blowfish<br />
}}<br />
<br />
{{Codeline|Cipher}} (singular) only applies to protocol 1; for protocol 2 connections the option is {{Codeline|Ciphers}}, so the last line above has no effect once Protocol 2 is enforced. {{Codeline|CheckHostIP no}} stops ssh from warning when a known host name suddenly resolves to a different address, which is one of the signs of DNS spoofing, so only disable it for hosts whose address legitimately changes.<br />
<br />
Now you can simply connect to the server by using the name you specified:<br />
<br />
$ ssh myserver<br />
<br />
To see a complete list of the possible options, check out ssh_config's manpage on your system or the [http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config ssh_config documentation] on the official website.<br />
<br />
= Troubleshooting =<br />
<br />
== Connection Refused Problem ==<br />
<br />
=== Is SSH running and listening? ===<br />
<br />
netstat -tnlp | grep ssh<br />
<br />
If the above command doesn't display anything, then SSH is NOT running. Run it as root: for other users' processes {{Codeline|-p}} cannot show the program name, and with {{Codeline|-n}} the port appears numerically, so the grep for "ssh" finds nothing even when sshd is listening. Check <code>/var/log/messages</code> for errors etc.<br />
<br />
=== Are there firewall rules blocking the connection? ===<br />
<br />
Flush your iptables rules to make sure they are not interfering (this leaves the host unfiltered, so restore your rules as soon as the test is done):<br />
<br />
/etc/rc.d/iptables stop<br />
<br />
or:<br />
<br />
iptables -P INPUT ACCEPT<br />
iptables -P OUTPUT ACCEPT<br />
iptables -F INPUT<br />
iptables -F OUTPUT<br />
<br />
=== Have you allowed SSH in hosts.allow? ===<br />
<br />
Double check you have done [[#Allowing_others_in|this section]] correctly.<br />
<br />
=== Is the traffic even getting to your computer? ===<br />
<br />
Start a traffic dump on the computer you're having problems with:<br />
<br />
tcpdump -lnn -i any 'port ssh and tcp[tcpflags] &amp; tcp-syn != 0'<br />
<br />
This prints a few header lines, then waits for matching traffic before displaying it. Try your connection now. If you see no output when you attempt to connect, something outside of your computer is blocking the traffic (e.g. a hardware firewall or NAT router).<br />
<br />
= See Also =<br />
*[[Using SSH Keys]]<br />
*[[Pam_abl]]<br />
<br />
= Links & References =<br />
*[http://www.soloport.com/iptables.html A Cure for the Common SSH Login Attack]<br />
*[http://webssh.cz.cc Using your browser as SSH client]<br />
*[http://www.la-samhna.de/library/brutessh.html Defending against brute force ssh attacks]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=OpenSSH&diff=135467OpenSSH2011-03-31T19:12:54Z<p>Sironitomas: /* Step 2: Configure your Browser (or other programs) */</p>
<hr />
<div>[[Category:Daemons and system services (English)]]<br />
{{i18n|SSH}}<br />
[[pl:SSH]]<br />
[[fr:ssh]]<br />
<br />
Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.<br />
<br />
SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding arbitrary TCP ports and X11 connections; file transfer can be accomplished using the associated SFTP or SCP protocols.<br />
<br />
An SSH server, by default, listens on the standard TCP port 22. An SSH client program is typically used for establishing connections to an ''sshd'' daemon accepting remote connections. Both are commonly present on most modern operating systems, including Mac OS X, GNU/Linux, Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.<br />
<br />
(Source: [[Wikipedia:Secure Shell]])<br />
<br />
= OpenSSH =<br />
<br />
OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the ssh protocol. It was created as an open source alternative to the proprietary Secure Shell software suite offered by SSH Communications Security. OpenSSH is developed as part of the OpenBSD project, which is led by Theo de Raadt.<br />
<br />
OpenSSH is occasionally confused with the similarly-named OpenSSL; however, the projects have different purposes and are developed by different teams. The similar names reflect only similar goals.<br />
<br />
== Installing OpenSSH ==<br />
# pacman -S openssh<br />
<br />
== Configuring SSH ==<br />
===Client===<br />
The SSH client configuration file can be found and edited in {{Filename|/etc/ssh/ssh_config}}.<br />
<br />
An example configuration: <br />
<br />
{{File|name=/etc/ssh/ssh_config|content=<br />
<br />
# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $<br />
<br />
# This is the ssh client system-wide configuration file. See<br />
# ssh_config(5) for more information. This file provides defaults for<br />
# users, and the values can be changed in per-user configuration files<br />
# or on the command line.<br />
<br />
# Configuration data is parsed as follows:<br />
# 1. command line options<br />
# 2. user-specific file<br />
# 3. system-wide file<br />
# Any configuration value is only changed the first time it is set.<br />
# Thus, host-specific definitions should be at the beginning of the<br />
# configuration file, and defaults at the end.<br />
<br />
# Site-wide defaults for some commonly used options. For a comprehensive<br />
# list of available options, their meanings and defaults, please see the<br />
# ssh_config(5) man page.<br />
<br />
Host *<br />
# ForwardAgent no<br />
# ForwardX11 no<br />
# RhostsRSAAuthentication no<br />
# RSAAuthentication yes<br />
# PasswordAuthentication yes<br />
# HostbasedAuthentication no<br />
# GSSAPIAuthentication no<br />
# GSSAPIDelegateCredentials no<br />
# BatchMode no<br />
# CheckHostIP yes<br />
# AddressFamily any<br />
# ConnectTimeout 0<br />
# StrictHostKeyChecking ask<br />
# IdentityFile ~/.ssh/identity<br />
# IdentityFile ~/.ssh/id_rsa<br />
# IdentityFile ~/.ssh/id_dsa<br />
# Port 22<br />
# Protocol 2,1<br />
# Cipher 3des<br />
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc<br />
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160<br />
# EscapeChar ~<br />
# Tunnel no<br />
# TunnelDevice any:any<br />
# PermitLocalCommand no<br />
# VisualHostKey no<br />
HashKnownHosts yes<br />
StrictHostKeyChecking ask}}<br />
<br />
It is recommended to change the Protocol line into this:<br />
Protocol 2<br />
<br />
That means that only Protocol 2 will be used, since Protocol 1 is considered somewhat insecure.<br />
<br />
===Daemon===<br />
The SSH daemon configuration file can be found and edited in {{Filename|/etc/ssh/ssh'''d'''_config}}.<br />
<br />
An example configuration: <br />
<br />
{{File|name=/etc/ssh/sshd_config|content=<br />
<br />
# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $<br />
<br />
# This is the sshd server system-wide configuration file. See<br />
# sshd_config(5) for more information.<br />
<br />
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin<br />
<br />
# The strategy used for options in the default sshd_config shipped with<br />
# OpenSSH is to specify options with their default value where<br />
# possible, but leave them commented. Uncommented options change a<br />
# default value.<br />
<br />
#Port 22<br />
#Protocol 2,1<br />
ListenAddress 0.0.0.0<br />
#ListenAddress ::<br />
<br />
# HostKey for protocol version 1<br />
#HostKey /etc/ssh/ssh_host_key<br />
# HostKeys for protocol version 2<br />
#HostKey /etc/ssh/ssh_host_rsa_key<br />
#HostKey /etc/ssh/ssh_host_dsa_key<br />
<br />
# Lifetime and size of ephemeral version 1 server key<br />
#KeyRegenerationInterval 1h<br />
#ServerKeyBits 768<br />
<br />
# Logging<br />
#obsoletes QuietMode and FascistLogging<br />
#SyslogFacility AUTH<br />
#LogLevel INFO<br />
<br />
# Authentication:<br />
<br />
#LoginGraceTime 2m<br />
#PermitRootLogin yes<br />
#StrictModes yes<br />
#MaxAuthTries 6<br />
<br />
#RSAAuthentication yes<br />
#PubkeyAuthentication yes<br />
#AuthorizedKeysFile .ssh/authorized_keys<br />
<br />
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts<br />
#RhostsRSAAuthentication no<br />
# similar for protocol version 2<br />
#HostbasedAuthentication no<br />
# Change to yes if you don't trust ~/.ssh/known_hosts for<br />
# RhostsRSAAuthentication and HostbasedAuthentication<br />
#IgnoreUserKnownHosts no<br />
# Don't read the user's ~/.rhosts and ~/.shosts files<br />
#IgnoreRhosts yes<br />
<br />
# To disable tunneled clear text passwords, change to no here!<br />
#PasswordAuthentication yes<br />
#PermitEmptyPasswords no<br />
<br />
# Change to no to disable s/key passwords<br />
#ChallengeResponseAuthentication yes<br />
<br />
# Kerberos options<br />
#KerberosAuthentication no<br />
#KerberosOrLocalPasswd yes<br />
#KerberosTicketCleanup yes<br />
#KerberosGetAFSToken no<br />
<br />
# GSSAPI options<br />
#GSSAPIAuthentication no<br />
#GSSAPICleanupCredentials yes<br />
<br />
# Set this to 'yes' to enable PAM authentication, account processing,<br />
# and session processing. If this is enabled, PAM authentication will<br />
# be allowed through the ChallengeResponseAuthentication mechanism.<br />
# Depending on your PAM configuration, this may bypass the setting of<br />
# PasswordAuthentication, PermitEmptyPasswords, and<br />
# "PermitRootLogin without-password". If you just want the PAM account and<br />
# session checks to run without PAM authentication, then enable this but set<br />
# ChallengeResponseAuthentication=no<br />
#UsePAM no<br />
<br />
#AllowTcpForwarding yes<br />
#GatewayPorts no<br />
#X11Forwarding no<br />
#X11DisplayOffset 10<br />
#X11UseLocalhost yes<br />
#PrintMotd yes<br />
#PrintLastLog yes<br />
#TCPKeepAlive yes<br />
#UseLogin no<br />
#UsePrivilegeSeparation yes<br />
#PermitUserEnvironment no<br />
#Compression yes<br />
#ClientAliveInterval 0<br />
#ClientAliveCountMax 3<br />
#UseDNS yes<br />
#PidFile /var/run/sshd.pid<br />
#MaxStartups 10<br />
<br />
# no default banner path<br />
#Banner /some/path<br />
<br />
# override default of no subsystems<br />
Subsystem sftp /usr/lib/ssh/sftp-server}}<br />
<br />
<br />
To allow access only for some users add this line:<br />
AllowUsers user1 user2<br />
<br />
You might want to change some lines so that they look as follows. Note that sshd does not accept a trailing comment on an option line (it refuses to start with "garbage at end of line"), so keep remarks on their own lines:<br />
<pre><br />
Protocol 2<br />
.<br />
.<br />
.<br />
LoginGraceTime 120<br />
.<br />
.<br />
.<br />
# put yes here if you want root login<br />
PermitRootLogin no<br />
</pre><br />
<br />
You could also uncomment the {{Codeline|Banner}} option and edit {{Filename|/etc/issue}} for a nice welcome message.<br />
<br />
{{Tip| You may want to change the default port from 22 to any higher port (see [http://en.wikipedia.org/wiki/Security_through_obscurity security through obscurity]).}} <br />
<br />
Even though the port ssh is running on could be detected by using a port-scanner like nmap, changing it will reduce the number of log entries caused by automated authentication attempts.<br />
<br />
{{Tip| Disabling password logins entirely may also increase security, since each user with access to the server will need to create ssh keys. (see [http://wiki.archlinux.org/index.php/Using_SSH_Keys Using SSH Keys]).}}<br />
<br />
{{File|name=/etc/ssh/sshd_config|content=<br />
PasswordAuthentication no<br />
ChallengeResponseAuthentication no}}<br />
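To see which of these settings actually take effect after editing, here is an added example (not part of this page or of OpenSSH) that reads an sshd_config the way sshd does for the options discussed above: commented lines are ignored even when they name an option, keywords are case-insensitive, and the first uncommented value of a keyword wins. The sample files in it are constructed, and the parser stops at the first Match block, whose options are conditional.<br />

```python
"""Check which sshd_config settings are actually in effect.

Added example, not part of the ArchWiki page or of OpenSSH. It models two rules of
sshd_config parsing that matter when editing the shipped default file:
  * a line starting with '#' is a comment even if it names an option, so the
    '#PermitRootLogin yes' lines in the default file change nothing; and
  * keywords are case-insensitive and the first uncommented value wins, so a
    'PermitRootLogin no' appended below an earlier 'PermitRootLogin yes' is ignored.
Parsing stops at the first 'Match' block, whose options are conditional.
"""
import re

# Defaults for the options checked here, as shown commented out in the default file above.
DEFAULTS = {
    "protocol": "2,1",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "allowusers": "",  # empty means every account may log in
}

# Values the section above recommends.
WANTED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
}


def effective_settings(config_text):
    """Return {keyword: value} using the first uncommented occurrence of each
    keyword, with the DEFAULTS entry where a keyword is never set."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd_config accepts "Keyword value" as well as "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # everything after a Match line is conditional; not modelled here
        if key in seen:
            continue  # first obtained value wins; later duplicates are ignored
        seen.add(key)
        settings[key] = value
    return settings


def audit(config_text):
    """Return a list of findings; an empty list means the file follows the advice above."""
    effective = effective_settings(config_text)
    findings = []
    for key, wanted in WANTED.items():
        if effective[key].lower() != wanted:
            findings.append(f"{key} is '{effective[key]}', expected '{wanted}'")
    if not effective["allowusers"]:
        findings.append("AllowUsers is not set: every account may log in")
    return findings


# Constructed sample files (not taken from any real host).
DEFAULT_LIKE = """\
#Port 22
#Protocol 2,1
#PermitRootLogin yes
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
Subsystem sftp /usr/lib/ssh/sftp-server
"""

HARDENED = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers bob alice
"""

# Looks hardened at a glance, but the earlier PermitRootLogin line is the one that counts.
TRAP = """\
PermitRootLogin yes
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers bob
"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_LIKE), ("hardened", HARDENED), ("trap", TRAP)):
        print(name, audit(text) or "ok")
```

Run it against a copy of your own file with {{Codeline|audit(open("/etc/ssh/sshd_config").read())}}; the TRAP sample shows why appending options at the end of the file is not enough when an uncommented line for the same keyword already exists higher up.<br />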
<br />
===Allowing others in===<br />
{{Box Note | You have to adjust this file to remotely connect to your machine since the file is empty by default}}<br />
<br />
To let other people ssh to your machine you need to adjust {{Filename|/etc/hosts.allow}}; add one of the following:<br />
<br />
<pre><br />
# let everyone connect to you<br />
sshd: ALL<br />
<br />
# OR you can restrict it to a certain ip<br />
sshd: 192.168.0.1<br />
<br />
# OR restrict for an IP range<br />
sshd: 10.0.0.0/255.255.255.0<br />
<br />
# OR restrict for an IP match<br />
sshd: 192.168.1.<br />
</pre><br />
<br />
Now you should check your {{Filename|/etc/hosts.deny}} for the following line and make sure it looks like this (note that it denies every service that uses TCP wrappers, not only sshd, unless the service is listed in {{Filename|/etc/hosts.allow}}):<br />
ALL: ALL<br />
<br />
That's it. You can SSH out and others should be able to SSH in :).<br />
<br />
To start using the new configuration, restart the daemon (as root):<br />
# /etc/rc.d/sshd restart<br />
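As an added example (not part of this page or of tcp_wrappers), the following reproduces the hosts_access(5) decision order for the four client patterns shown above, so the effect of a hosts.allow/hosts.deny pair can be checked for a given client address before you lock yourself out. The sample files and addresses are constructed; only IPv4 clients are handled, and hostname patterns and the EXCEPT operator are not modelled.<br />

```python
"""Decide whether TCP wrappers would let a client reach sshd.

Added example, not part of the ArchWiki page or of the tcp_wrappers library. It
reproduces the hosts_access(5) decision order for the four client patterns used
above (ALL, an exact address, a net/mask pair and a trailing-dot prefix) for
IPv4 clients only; hostname patterns and the EXCEPT operator are not modelled.
"""
import ipaddress


def client_matches(pattern, client_ip):
    """True if one client pattern from hosts.allow/hosts.deny covers client_ip."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        # '192.168.1.' matches 192.168.1.0-255; the dot keeps it from matching 192.168.10.x
        return client_ip.startswith(pattern)
    if "/" in pattern:
        # '10.0.0.0/255.255.255.0' is the net/mask form; ipaddress accepts dotted masks
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return client_ip == pattern  # plain address: exact match only


def file_matches(text, daemon, client_ip):
    """True if any 'daemon_list : client_list' line in text matches daemon and client_ip."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        if not any(d in ("ALL", daemon) for d in daemons):
            continue
        if any(client_matches(c, client_ip) for c in clients):
            return True
    return False


def access_allowed(hosts_allow, hosts_deny, daemon, client_ip):
    """hosts.allow is consulted first and a match grants access; otherwise a match in
    hosts.deny refuses it; a client matched by neither file is allowed."""
    if file_matches(hosts_allow, daemon, client_ip):
        return True
    if file_matches(hosts_deny, daemon, client_ip):
        return False
    return True


# Constructed sample files following the patterns shown above.
HOSTS_ALLOW = """\
# OR restrict for an IP range
sshd: 10.0.0.0/255.255.255.0
# OR restrict for an IP match
sshd: 192.168.1.
"""
HOSTS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    for ip in ("192.168.1.77", "192.168.10.5", "10.0.0.9", "10.0.1.9", "203.0.113.5"):
        verdict = "allowed" if access_allowed(HOSTS_ALLOW, HOSTS_DENY, "sshd", ip) else "denied"
        print(ip, verdict)
    # The note above: with an empty hosts.allow and 'ALL: ALL' in hosts.deny, nobody gets in.
    print("empty hosts.allow:", access_allowed("", HOSTS_DENY, "sshd", "192.168.1.77"))
```

The last line of the demo is the situation the note at the top of this section warns about: an empty {{Filename|/etc/hosts.allow}} together with {{Codeline|ALL: ALL}} in {{Filename|/etc/hosts.deny}} refuses every client.<br />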
<br />
== Managing SSHD Daemon ==<br />
Just add sshd to the "DAEMONS" section of your {{Filename|/etc/[[rc.conf]]}}:<br />
DAEMONS=(... ... '''sshd''' ... ...)<br />
<br />
To start/restart/stop the daemon, use the following:<br />
# /etc/rc.d/sshd {start|stop|restart}<br />
<br />
==Connecting to the server==<br />
To connect to a server, run:<br />
$ ssh -p port user@server-address<br />
<br />
= Tips and Tricks =<br />
<br />
== Encrypted Socks Tunnel ==<br />
This is highly useful for laptop users connected to various unsafe wireless connections. The only thing you need is an SSH server running at a somewhat secure location, like your home or at work. It might be useful to use a dynamic DNS service like [http://www.dyndns.org/ DynDNS] so you don't have to remember your IP-address.<br />
<br />
=== Step 1: Start the Connection ===<br />
You only have to execute this single command in your favorite terminal to start the connection:<br />
$ ssh -ND 4711 user@host<br />
where {{Codeline|"user"}} is your username at the SSH server running on {{Codeline|"host"}}. It will ask for your password, and then you're connected! The {{Codeline|"N"}} flag disables the interactive prompt, and the {{Codeline|"D"}} flag specifies the local port to listen on (you can choose any port number you want).<br />
<br />
One way to make this easier is to put an alias line in your {{Filename|~/.bashrc}} file as follows:<br />
alias sshtunnel="ssh -ND 4711 -v user@host"<br />
It's nice to add the verbose {{Codeline|"-v"}} flag, because then you can verify that it's actually connected from that output. Now you just have to execute the {{Codeline|"sshtunnel"}} command :)<br />
<br />
=== Step 2: Configure your Browser (or other programs) ===<br />
<br />
The above step is completely useless if you don't configure your web browser (or other programs) to use this newly created socks tunnel. Since the current version of SSH supports both SOCKS4 and SOCKS5, you can use either of them.<br />
<br />
* For Firefox: ''Edit &rarr; Preferences &rarr; Advanced &rarr; Network &rarr; Connection &rarr; Settings'':<br />
: Check the ''"Manual proxy configuration"'' radio button, and enter "localhost" in the ''"SOCKS host"'' text field, and then enter your port number in the next text field (I used 4711 above).<br />
<br />
* For Chromium: You can set the SOCKS settings as environment variables or as command line options. I recommend adding one of the following to your {{Filename|~/.bashrc}}:<br />
<pre><br />
# Export the proxy settings Chromium reads from its environment, start it in the<br />
# background and then close this shell, so the exported variables affect nothing<br />
# but the Chromium that was just started.<br />
function secure_chromium {<br />
    port=4711<br />
    export SOCKS_SERVER=localhost:$port<br />
    export SOCKS_VERSION=5<br />
    chromium &amp;<br />
    exit<br />
}<br />
</pre><br />
OR<br />
<pre><br />
alias secure_chromium='chromium --proxy-server="socks://localhost:4711"'<br />
</pre><br />
<br />
Now open a terminal and just do:<br />
$ secure_chromium<br />
<br />
Enjoy your secure tunnel!<br />
<br />
== X11 Forwarding ==<br />
<br />
To run graphical programs through an SSH connection you can enable X11 forwarding. An option needs to be set in the configuration files on both the server and the client (here "client" means the desktop machine your X server runs on, and "server" the machine on which you will run the X applications).<br />
<br />
Install xorg-xauth on the server:<br />
# pacman -S xorg-xauth<br />
<br />
* Enable the '''AllowTcpForwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Enable the '''X11Forwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Set the '''X11DisplayOffset''' option in {{Filename|sshd_config}} on the '''server''' to 10.<br />
* Enable the '''X11UseLocalhost''' option in {{Filename|sshd_config}} on the '''server'''.<br />
<br />
<br />
* Enable the '''ForwardX11''' option in {{Filename|ssh_config}} on the '''client'''.<br />
<br />
To use the forwarding, log on to your server through ssh:<br />
$ ssh -X -p port user@server-address<br />
If you receive errors trying to run graphical applications try trusted forwarding instead (with {{Codeline|-Y}} the remote host gets unrestricted access to your local X display, so use it only with servers you trust):<br />
$ ssh -Y -p port user@server-address<br />
You can now start any X program on the remote server; its output will be forwarded to your local session:<br />
$ xclock<br />
<br />
If you get "Cannot open display" errors try the following command as the non-root user:<br />
$ xhost +<br />
<br />
The above command disables access control on your X server entirely, so every client that can reach it may connect to your display. To restrict access to a particular host type:<br />
$ xhost +hostname<br />
<br />
where hostname is the name of the particular host you want to allow. Type "man xhost" for more details.<br />
<br />
Be careful with some applications: they look for an instance already running on your display and hand the request over to it, so the program ends up running locally rather than on the remote machine. Firefox is an example. Either close the running Firefox or use the following start parameter to start an independent remote instance:<br />
$ firefox -no-remote<br />
<br />
== Speed up SSH ==<br />
You can make all sessions to the same host use a single connection, which will greatly speed up subsequent logins, by adding these lines under the proper host in {{Filename|/etc/ssh/ssh_config}} (the control socket lives in {{Filename|~/.ssh}}, which must not be accessible to other users, since whoever can open the socket rides your already authenticated session):<br />
ControlMaster auto<br />
ControlPath ~/.ssh/socket-%r@%h:%p<br />
<br />
Changing the ciphers used by SSH to less CPU-demanding ones can improve speed. For this purpose the least demanding choices are arcfour and blowfish-cbc. '''Please do not do this unless you know what you are doing; arcfour has a number of known weaknesses'''. To use them, run SSH with the {{Codeline|"c"}} flag, like this:<br />
$ ssh -c arcfour,blowfish-cbc user@server-address<br />
To use them permanently, add this line under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
Ciphers arcfour,blowfish-cbc<br />
Another option to improve speed is to enable compression with the {{Codeline|"C"}} flag. A permanent solution is to add this line under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
Compression yes<br />
Login time can be shortened by using the {{Codeline|"4"}} flag, which bypasses the IPv6 lookup. This can be made permanent by adding this line under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
AddressFamily inet<br />
Another way of making these changes permanent is to create an alias in {{Filename|~/.bashrc}}:<br />
alias ssh='ssh -C4c arcfour,blowfish-cbc'<br />
<br />
=== Trouble Shooting ===<br />
<br />
Make sure your DISPLAY string is resolvable on the remote end:<br />
<br />
<pre><br />
$ ssh -X user@server-address<br />
server$ echo $DISPLAY<br />
localhost:10.0<br />
server$ telnet localhost 6010<br />
localhost/6010: lookup failure: Temporary failure in name resolution<br />
</pre><br />
<br />
This can be fixed by adding localhost to {{Filename|/etc/hosts}} on the server.<br />
<br />
== Mounting a Remote Filesystem with SSHFS ==<br />
<br />
Install sshfs<br />
# pacman -S sshfs<br />
<br />
Load the Fuse module<br />
# modprobe fuse<br />
Add fuse to the ''modules'' array in {{Filename|/etc/rc.conf}} to load it on each system boot.<br />
<br />
Mount the remote folder using sshfs<br />
# mkdir ~/remote_folder<br />
# sshfs USER@remote_server:/tmp ~/remote_folder<br />
<br />
The command above mounts the folder /tmp on the remote server as ~/remote_folder on the local machine. Copying any file to this folder results in a transparent copy over the network using SFTP; the same applies to editing, creating or removing files directly.<br />
<br />
When we're done working with the remote filesystem, we can unmount the remote folder by issuing:<br />
# fusermount -u ~/remote_folder<br />
<br />
If we work on this folder on a daily basis, it is wise to add it to the {{Filename|/etc/fstab}} table. This way it can be automatically mounted upon system boot or mounted manually (if the {{Codeline|noauto}} option is chosen) without the need to specify the remote location each time. Here is a sample entry in the table:<br />
sshfs#USER@remote_server:/tmp /full/path/to/directory fuse defaults,auto,allow_other 0 0<br />
<br />
== Keep Alive ==<br />
<br />
Your ssh session will automatically log out if it is idle. To keep the connection active (alive) add this to {{Filename|~/.ssh/config}} or to {{Filename|/etc/ssh/ssh_config}} on the client.<br />
<br />
ServerAliveInterval 120<br />
<br />
This will send a "keep alive" signal to the server every 120 seconds.<br />
<br />
Conversely, to keep incoming connections alive, you can set<br />
<br />
ClientAliveInterval 120<br />
<br />
(or some other number greater than 0) in {{Filename|/etc/ssh/sshd_config}} on the server.<br />
<br />
== Save connection data in .ssh/config ==<br />
<br />
Whenever you want to connect to a server, you usually have to type at least its address and your username. To save that typing work for servers you regularly connect to, you can use the {{Filename|$HOME/.ssh/config}} file as shown in the following example:<br />
<br />
{{File|name=$HOME/.ssh/config|content=<br />
<br />
Host myserver<br />
HostName 123.123.123.123<br />
Port 12345<br />
User bob<br />
Host other_server<br />
HostName test.something.org<br />
User alice<br />
CheckHostIP no<br />
Cipher blowfish<br />
}}<br />
<br />
Now you can simply connect to the server by using the name you specified:<br />
<br />
$ ssh myserver<br />
<br />
To see a complete list of the possible options, check out ssh_config's manpage on your system or the [http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config ssh_config documentation] on the official website.<br />
<br />
= Troubleshooting =<br />
<br />
== Connection Refused Problem ==<br />
<br />
=== Is SSH running and listening? ===<br />
<br />
netstat -tnlp | grep ssh<br />
<br />
If the above command doesn't display anything, then SSH is NOT running. Check <code>/var/log/messages</code> for errors etc.<br />
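The following is an added example (not part of this page) that interprets constructed {{Codeline|netstat -tnlp}} output for this check and also catches a case that grep alone does not: an sshd bound only to the loopback address shows up in the output yet cannot be reached from another machine.<br />

```python
"""Interpret 'netstat -tnlp' output for the SSH listening check above.

Added example, not part of the ArchWiki page. It parses constructed netstat
lines (not captured from a real host) and goes one step beyond 'grep ssh': a
daemon bound only to 127.0.0.1 (for instance through 'ListenAddress 127.0.0.1')
shows up in grep but still refuses every remote connection.
"""
LOOPBACK = ("127.0.0.1", "::1")


def sshd_listeners(netstat_output):
    """Return [(bind_address, port), ...] for every LISTEN socket owned by sshd."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # netstat -tnlp columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
        if len(fields) < 7 or fields[5] != "LISTEN":
            continue
        program = fields[6].split("/", 1)[-1]  # "1234/sshd" -> "sshd"; "-" when not root
        if program != "sshd":
            continue
        address, port = fields[3].rsplit(":", 1)  # rsplit copes with IPv6 ':::22'
        found.append((address, int(port)))
    return found


def diagnose(netstat_output):
    """Return a one-line verdict for the 'Is SSH running and listening?' step."""
    listeners = sshd_listeners(netstat_output)
    if not listeners:
        return "sshd is not listening: check that the daemon is running and read /var/log/messages"
    remote_ports = sorted({port for address, port in listeners if address not in LOOPBACK})
    if not remote_ports:
        return "sshd is listening on loopback only: remote clients cannot reach it"
    return "sshd is listening on port(s) " + ", ".join(str(p) for p in remote_ports)


# Constructed samples of what 'netstat -tnlp' prints (run as root so programs are named).
HEADER = ("Active Internet connections (only servers)\n"
          "Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name\n")
RUNNING = HEADER + (
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd\n"
    "tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      900/cupsd\n"
    "tcp6       0      0 :::22                   :::*                    LISTEN      1234/sshd\n")
LOOPBACK_ONLY = HEADER + (
    "tcp        0      0 127.0.0.1:22            0.0.0.0:*               LISTEN      1234/sshd\n")
NOT_RUNNING = HEADER + (
    "tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      900/cupsd\n")

if __name__ == "__main__":
    for name, sample in (("running", RUNNING), ("loopback", LOOPBACK_ONLY), ("stopped", NOT_RUNNING)):
        print(f"{name}: {diagnose(sample)}")
```

Feed it real output with {{Codeline|diagnose(subprocess.check_output(["netstat", "-tnlp"], text=True))}} run as root; without root the PID/Program column shows "-" and no listener is attributed to sshd.<br />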
<br />
=== Are there firewall rules blocking the connection? ===<br />
<br />
Flush your iptables rules to make sure they are not interfering (this leaves the host unfiltered, so restore your rules as soon as the test is done):<br />
<br />
/etc/rc.d/iptables stop<br />
<br />
or:<br />
<br />
iptables -P INPUT ACCEPT<br />
iptables -P OUTPUT ACCEPT<br />
iptables -F INPUT<br />
iptables -F OUTPUT<br />
<br />
=== Have you allowed SSH in hosts.allow? ===<br />
<br />
Double check you have done [[#Allowing_others_in|this section]] correctly.<br />
<br />
=== Is the traffic even getting to your computer? ===<br />
<br />
Start a traffic dump on the computer you're having problems with:<br />
<br />
tcpdump -lnn -i any 'port ssh and tcp[tcpflags] &amp; tcp-syn != 0'<br />
<br />
This prints a few header lines, then waits for matching traffic before displaying it. Try your connection now. If you see no output when you attempt to connect, something outside of your computer is blocking the traffic (e.g. a hardware firewall or NAT router).<br />
<br />
= See Also =<br />
*[[Using SSH Keys]]<br />
*[[Pam_abl]]<br />
<br />
= Links & References =<br />
*[http://www.soloport.com/iptables.html A Cure for the Common SSH Login Attack]<br />
*[http://webssh.cz.cc Using your browser as SSH client]<br />
*[http://www.la-samhna.de/library/brutessh.html Defending against brute force ssh attacks]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=OpenSSH&diff=135464OpenSSH2011-03-31T18:54:39Z<p>Sironitomas: /* Step 2: Configure your Browser (or other programs) */</p>
<hr />
<div>[[Category:Daemons and system services (English)]]<br />
{{i18n|SSH}}<br />
[[pl:SSH]]<br />
[[fr:ssh]]<br />
<br />
Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.<br />
<br />
SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding arbitrary TCP ports and X11 connections; file transfer can be accomplished using the associated SFTP or SCP protocols.<br />
<br />
An SSH server, by default, listens on the standard TCP port 22. An SSH client program is typically used for establishing connections to an ''sshd'' daemon accepting remote connections. Both are commonly present on most modern operating systems, including Mac OS X, GNU/Linux, Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.<br />
<br />
(Source: [[Wikipedia:Secure Shell]])<br />
<br />
= OpenSSH =<br />
<br />
OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the ssh protocol. It was created as an open source alternative to the proprietary Secure Shell software suite offered by SSH Communications Security. OpenSSH is developed as part of the OpenBSD project, which is led by Theo de Raadt.<br />
<br />
OpenSSH is occasionally confused with the similarly-named OpenSSL; however, the projects have different purposes and are developed by different teams, the similar name is drawn only from similar goals.<br />
<br />
== Installing OpenSSH ==<br />
# pacman -S openssh<br />
<br />
== Configuring SSH ==<br />
===Client===<br />
The SSH client configuration file can be found and edited in {{Filename|/etc/ssh/ssh_config}}.<br />
<br />
An example configuration: <br />
<br />
{{File|name=/etc/ssh/ssh_config|content=<br />
<br />
# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $<br />
<br />
# This is the ssh client system-wide configuration file. See<br />
# ssh_config(5) for more information. This file provides defaults for<br />
# users, and the values can be changed in per-user configuration files<br />
# or on the command line.<br />
<br />
# Configuration data is parsed as follows:<br />
# 1. command line options<br />
# 2. user-specific file<br />
# 3. system-wide file<br />
# Any configuration value is only changed the first time it is set.<br />
# Thus, host-specific definitions should be at the beginning of the<br />
# configuration file, and defaults at the end.<br />
<br />
# Site-wide defaults for some commonly used options. For a comprehensive<br />
# list of available options, their meanings and defaults, please see the<br />
# ssh_config(5) man page.<br />
<br />
Host *<br />
# ForwardAgent no<br />
# ForwardX11 no<br />
# RhostsRSAAuthentication no<br />
# RSAAuthentication yes<br />
# PasswordAuthentication yes<br />
# HostbasedAuthentication no<br />
# GSSAPIAuthentication no<br />
# GSSAPIDelegateCredentials no<br />
# BatchMode no<br />
# CheckHostIP yes<br />
# AddressFamily any<br />
# ConnectTimeout 0<br />
# StrictHostKeyChecking ask<br />
# IdentityFile ~/.ssh/identity<br />
# IdentityFile ~/.ssh/id_rsa<br />
# IdentityFile ~/.ssh/id_dsa<br />
# Port 22<br />
# Protocol 2,1<br />
# Cipher 3des<br />
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc<br />
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160<br />
# EscapeChar ~<br />
# Tunnel no<br />
# TunnelDevice any:any<br />
# PermitLocalCommand no<br />
# VisualHostKey no<br />
HashKnownHosts yes<br />
StrictHostKeyChecking ask}}<br />
<br />
It is recommended to change the Protocol line into this:<br />
Protocol 2<br />
<br />
That means that only Protocol 2 will be used, since Protocol 1 is considered somewhat insecure.<br />
<br />
===Daemon===<br />
The SSH daemon configuration file can be found and edited in {{Filename|/etc/ssh/ssh'''d'''_config}}.<br />
<br />
An example configuration: <br />
<br />
{{File|name=/etc/ssh/sshd_config|content=<br />
<br />
# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $<br />
<br />
# This is the sshd server system-wide configuration file. See<br />
# sshd_config(5) for more information.<br />
<br />
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin<br />
<br />
# The strategy used for options in the default sshd_config shipped with<br />
# OpenSSH is to specify options with their default value where<br />
# possible, but leave them commented. Uncommented options change a<br />
# default value.<br />
<br />
#Port 22<br />
#Protocol 2,1<br />
ListenAddress 0.0.0.0<br />
#ListenAddress ::<br />
<br />
# HostKey for protocol version 1<br />
#HostKey /etc/ssh/ssh''host''key<br />
# HostKeys for protocol version 2<br />
#HostKey /etc/ssh/ssh''host''rsa_key<br />
#HostKey /etc/ssh/ssh''host''dsa_key<br />
<br />
# Lifetime and size of ephemeral version 1 server key<br />
#KeyRegenerationInterval 1h<br />
#ServerKeyBits 768<br />
<br />
# Logging<br />
#obsoletes ~QuietMode and ~FascistLogging<br />
#SyslogFacility AUTH<br />
#LogLevel INFO<br />
<br />
# Authentication:<br />
<br />
#LoginGraceTime 2m<br />
#PermitRootLogin yes<br />
#StrictModes yes<br />
#MaxAuthTries 6<br />
<br />
#RSAAuthentication yes<br />
#PubkeyAuthentication yes<br />
#AuthorizedKeysFile .ssh/authorized_keys<br />
<br />
# For this to work you will also need host keys in /etc/ssh/ssh''known''hosts<br />
#RhostsRSAAuthentication no<br />
# similar for protocol version 2<br />
#HostbasedAuthentication no<br />
# Change to yes if you don't trust ~/.ssh/known_hosts for<br />
# RhostsRSAAuthentication and HostbasedAuthentication<br />
#IgnoreUserKnownHosts no<br />
# Don't read the user's ~/.rhosts and ~/.shosts files<br />
#IgnoreRhosts yes<br />
<br />
# To disable tunneled clear text passwords, change to no here!<br />
#PasswordAuthentication yes<br />
#PermitEmptyPasswords no<br />
<br />
# Change to no to disable s/key passwords<br />
#ChallengeResponseAuthentication yes<br />
<br />
# Kerberos options<br />
#KerberosAuthentication no<br />
#KerberosOrLocalPasswd yes<br />
#KerberosTicketCleanup yes<br />
#KerberosGetAFSToken no<br />
<br />
# GSSAPI options<br />
#GSSAPIAuthentication no<br />
#GSSAPICleanupCredentials yes<br />
<br />
# Set this to 'yes' to enable PAM authentication, account processing,<br />
# and session processing. If this is enabled, PAM authentication will<br />
# be allowed through the ~ChallengeResponseAuthentication mechanism.<br />
# Depending on your PAM configuration, this may bypass the setting of<br />
# PasswordAuthentication, ~PermitEmptyPasswords, and<br />
# "PermitRootLogin without-password". If you just want the PAM account and<br />
# session checks to run without PAM authentication, then enable this but set<br />
# ChallengeResponseAuthentication=no<br />
#UsePAM no<br />
<br />
#AllowTcpForwarding yes<br />
#GatewayPorts no<br />
#X11Forwarding no<br />
#X11DisplayOffset 10<br />
#X11UseLocalhost yes<br />
#PrintMotd yes<br />
#PrintLastLog yes<br />
#TCPKeepAlive yes<br />
#UseLogin no<br />
#UsePrivilegeSeparation yes<br />
#PermitUserEnvironment no<br />
#Compression yes<br />
#ClientAliveInterval 0<br />
#ClientAliveCountMax 3<br />
#UseDNS yes<br />
#PidFile /var/run/sshd.pid<br />
#MaxStartups 10<br />
<br />
# no default banner path<br />
#Banner /some/path<br />
<br />
# override default of no subsystems<br />
Subsystem sftp /usr/lib/ssh/sftp-server}}<br />
<br />
<br />
To allow access only for some users add this line:<br />
AllowUsers user1 user2<br />
<br />
You might want to change some lines so that they look as following:<br />
<pre><br />
Protocol 2<br />
.<br />
.<br />
.<br />
LoginGraceTime 120<br />
.<br />
.<br />
.<br />
PermitRootLogin no # (put yes here if you want root login)<br />
</pre><br />
<br />
You could also uncomment the BANNER option and edit {{Filename|/etc/issue}} for a nice welcome message.<br />
<br />
{{Tip| You may want to change the default port from 22 to any higher port (see [http://en.wikipedia.org/wiki/Security_through_obscurity security through obscurity]).}} <br />
<br />
Even though the port ssh is running on could be detected by using a port-scanner like nmap, changing it will reduce the number of log entries caused by automated authentication attempts.<br />
<br />
{{Tip| Disabling password logins entirely may also increase security, since each user with access to the server will need to create ssh keys. (see [http://wiki.archlinux.org/index.php/Using_SSH_Keys Using SSH Keys]).}}<br />
<br />
{{File|name=/etc/ssh/sshd_config|content=<br />
PasswordAuthentication no<br />
ChallengeResponseAuthentication no}}<br />
<br />
===Allowing others in===<br />
{{Box Note | You have to adjust this file to remotely connect to your machine since the file is empty by default}}<br />
<br />
To let other people ssh to your machine you need to adjust {{Filename|/etc/hosts.allow}}, add the following:<br />
<br />
<pre><br />
# let everyone connect to you<br />
sshd: ALL<br />
<br />
# OR you can restrict it to a certain ip<br />
sshd: 192.168.0.1<br />
<br />
# OR restrict for an IP range<br />
sshd: 10.0.0.0/255.255.255.0<br />
<br />
# OR restrict for an IP match<br />
sshd: 192.168.1.<br />
</pre><br />
<br />
Now you should check your {{Filename|/etc/hosts.deny}} for the following line and make sure it looks like this:<br />
ALL: ALL<br />
<br />
That's it. You can SSH out and others should be able to SSH in :).<br />
<br />
To start using the new configuration, restart the daemon (as root):<br />
# /etc/rc.d/sshd restart<br />
<br />
== Managing SSHD Daemon ==<br />
Just add sshd to the "DAEMONS" section of your {{Filename|/etc/[[rc.conf]]}}:<br />
DAEMONS=(... ... '''sshd''' ... ...)<br />
<br />
To start/restart/stop the daemon, use the following:<br />
# /etc/rc.d/sshd {start|stop|restart}<br />
<br />
==Connecting to the server==<br />
To connect to a server, run:<br />
$ ssh -p port user@server-address<br />
<br />
= Tips and Tricks =<br />
<br />
== Encrypted Socks Tunnel ==<br />
This is highly useful for laptop users connected to various unsafe wireless networks. The only thing you need is an SSH server running at a somewhat secure location, like your home or your workplace. It might be useful to use a dynamic DNS service like [http://www.dyndns.org/ DynDNS] so you don't have to remember your IP address.<br />
<br />
=== Step 1: Start the Connection ===<br />
You only have to execute this single command in your favorite terminal to start the connection:<br />
$ ssh -ND 4711 user@host<br />
where {{Codeline|"user"}} is your username at the SSH server running at the {{Codeline|"host"}}. It will ask for your password, and then you're connected! The {{Codeline|"N"}} flag disables the interactive prompt, and the {{Codeline|"D"}} flag specifies the local port to listen on (you can choose any port number you want).<br />
<br />
One way to make this easier is to put an alias line in your {{Filename|~/.bashrc}} file as follows:<br />
alias sshtunnel="ssh -ND 4711 -v user@host"<br />
It's nice to add the verbose {{Codeline|"-v"}} flag, because then you can verify that it's actually connected from that output. Now you just have to execute the {{Codeline|"sshtunnel"}} command :)<br />
<br />
=== Step 2: Configure your Browser (or other programs) ===<br />
<br />
The above step is completely useless if you don't configure your web browser (or other programs) to use this newly created socks tunnel. Since the current version of SSH supports both SOCKS4 and SOCKS5, you can use either of them.<br />
<br />
* For Firefox: ''Edit &rarr; Preferences &rarr; Advanced &rarr; Network &rarr; Connection &rarr; Settings'':<br />
: Check the ''"Manual proxy configuration"'' radio button, and enter "localhost" in the ''"SOCKS host"'' text field, and then enter your port number in the next text field (I used 4711 above).<br />
<br />
* For Chromium: You can set the SOCKS settings as environment variables or as command line options. I recommend adding one of the following lines to your .bashrc:<br />
function secure_chromium {<br />
port=4711<br />
export SOCKS_SERVER=localhost:$port<br />
export SOCKS_VERSION=5<br />
chromium &<br />
exit<br />
}<br />
OR<br />
alias secure_chromium='chromium --proxy-server="socks://localhost:4711"'<br />
<br />
Now open a terminal and just do:<br />
$ secure_chromium<br />
<br />
Enjoy your secure tunnel!<br />
<br />
== X11 Forwarding ==<br />
<br />
To run graphical programs through an SSH connection you can enable X11 forwarding. An option needs to be set in the configuration files on both the server and the client (here "client" means your desktop machine, the one your X11 server runs on, and the X applications will run on the "server").<br />
<br />
Install xorg-xauth on the server:<br />
# pacman -S xorg-xauth<br />
<br />
* Enable the '''AllowTcpForwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Enable the '''X11Forwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Set the '''X11DisplayOffset''' option in {{Filename|sshd_config}} on the '''server''' to 10.<br />
* Enable the '''X11UseLocalhost''' option in {{Filename|sshd_config}} on the '''server'''.<br />
<br />
<br />
* Enable the '''ForwardX11''' option in {{Filename|ssh_config}} on the '''client'''.<br />
<br />
To use the forwarding, log on to your server through ssh:<br />
# ssh -X -p port user@server-address<br />
If you receive errors trying to run graphical applications try trusted forwarding instead:<br />
# ssh -Y -p port user@server-address<br />
You can now start any X program on the remote server, the output will be forwarded to your local session:<br />
# xclock<br />
<br />
If you get "Cannot open display" errors try the following command as the non root user:<br />
$ xhost +<br />
<br />
The above command disables access control, so anybody can connect to your X server. To restrict access to a particular host, type:<br />
$ xhost +hostname<br />
<br />
where hostname is the name of the particular host you want to forward to. Type "man xhost" for more details.<br />
<br />
Be careful with some applications, as they check for a running instance on the local machine. Firefox is an example. Either close the running Firefox or use the following start parameter to start a remote instance on the local machine:<br />
$ firefox -no-remote<br />
<br />
== Speed up SSH ==<br />
You can make all sessions to the same host use a single connection, which will greatly speed up subsequent logins, by adding these lines under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
ControlMaster auto<br />
ControlPath ~/.ssh/socket-%r@%h:%p<br />
<br />
Changing the ciphers used by SSH to less CPU-demanding ones can improve speed. In this respect, the best choices are arcfour and blowfish-cbc. '''Please do not do this unless you know what you are doing; arcfour has a number of known weaknesses'''. To use them, run SSH with the {{Codeline|"c"}} flag, like this:<br />
# ssh -c arcfour,blowfish-cbc user@server-address<br />
To use them permanently, add this line under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
Ciphers arcfour,blowfish-cbc<br />
Another option to improve speed is to enable compression with the {{Codeline|"C"}} flag. A permanent solution is to add this line under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
Compression yes<br />
Login time can be shortened by using the {{Codeline|"4"}} flag, which bypasses the IPv6 lookup. This can be made permanent by adding this line under the proper host in {{Filename|/etc/ssh/ssh_config}}:<br />
AddressFamily inet<br />
Another way of making these changes permanent is to create an alias in {{Filename|~/.bashrc}}:<br />
alias ssh='ssh -C4c arcfour,blowfish-cbc'<br />
<br />
=== Troubleshooting ===<br />
<br />
Make sure your DISPLAY string is resolvable on the remote end:<br />
<br />
ssh -X user@server-address<br />
server$ echo $DISPLAY<br />
localhost:10.0<br />
server$ telnet localhost 6010<br />
localhost/6010: lookup failure: Temporary failure in name resolution <br />
<br />
This can be fixed by adding localhost to {{Filename|/etc/hosts}}.<br />
<br />
== Mounting a Remote Filesystem with SSHFS ==<br />
<br />
Install sshfs:<br />
# pacman -S sshfs<br />
<br />
Load the Fuse module:<br />
# modprobe fuse<br />
Add fuse to the ''modules'' array in {{Filename|/etc/rc.conf}} to load it on each system boot.<br />
<br />
Mount the remote folder using sshfs:<br />
# mkdir ~/remote_folder<br />
# sshfs USER@remote_server:/tmp ~/remote_folder<br />
<br />
The command above will cause the folder /tmp on the remote server to be mounted as ~/remote_folder on the local machine. Copying any file to this folder will result in transparent copying over the network using SFTP. The same applies to editing, creating or removing files directly.<br />
<br />
When we’re done working with the remote filesystem, we can unmount the remote folder by issuing:<br />
# fusermount -u ~/remote_folder<br />
<br />
If we work on this folder on a daily basis, it is wise to add it to the {{Filename|/etc/fstab}} table. This way it can be mounted automatically on system boot or mounted manually (if the {{Codeline|noauto}} option is chosen) without the need to specify the remote location each time. Here is a sample entry in the table:<br />
sshfs#USER@remote_server:/tmp /full/path/to/directory fuse defaults,auto,allow_other 0 0<br />
<br />
== Keep Alive ==<br />
<br />
Your ssh session will automatically log out if it is idle. To keep the connection active (alive) add this to {{Filename|~/.ssh/config}} or to {{Filename|/etc/ssh/ssh_config}} on the client.<br />
<br />
ServerAliveInterval 120<br />
<br />
This will send a "keep alive" signal to the server every 120 seconds.<br />
<br />
Conversely, to keep incoming connections alive, you can set<br />
<br />
ClientAliveInterval 120<br />
<br />
(or some other number greater than 0) in {{Filename|/etc/ssh/sshd_config}} on the server.<br />
<br />
== Save connection data in .ssh/config ==<br />
<br />
Whenever you want to connect to a server, you usually have to type at least its address and your username. To save that typing work for servers you regularly connect to, you can use the {{Filename|$HOME/.ssh/config}} file as shown in the following example:<br />
<br />
{{File|name=$HOME/.ssh/config|content=<br />
<br />
Host myserver<br />
HostName 123.123.123.123<br />
Port 12345<br />
User bob<br />
Host other_server<br />
HostName test.something.org<br />
User alice<br />
CheckHostIP no<br />
Cipher blowfish<br />
}}<br />
<br />
Now you can simply connect to the server by using the name you specified:<br />
<br />
$ ssh myserver<br />
<br />
To see a complete list of the possible options, check out ssh_config's manpage on your system or the [http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config ssh_config documentation] on the official website.<br />
<br />
= Troubleshooting =<br />
<br />
== Connection Refused Problem ==<br />
<br />
=== Is SSH running and listening? ===<br />
<br />
netstat -tnlp | grep ssh<br />
<br />
If the above command doesn't display anything, then SSH is NOT running. Check <code>/var/log/messages</code> for errors etc.<br />
<br />
=== Are there firewall rules blocking the connection? ===<br />
<br />
Flush your iptables rules to make sure they are not interfering:<br />
<br />
/etc/rc.d/iptables stop<br />
<br />
or:<br />
<br />
iptables -P INPUT ACCEPT<br />
iptables -P OUTPUT ACCEPT<br />
iptables -F INPUT<br />
iptables -F OUTPUT<br />
<br />
=== Have you allowed SSH in hosts.allow? ===<br />
<br />
Double check you have done [[#Allowing_others_in|this section]] correctly.<br />
<br />
=== Is the traffic even getting to your computer? ===<br />
<br />
Start a traffic dump on the computer you're having problems with:<br />
<br />
tcpdump -lnn -i any port ssh and tcp-syn<br />
<br />
This should show some basic information, then wait for any matching traffic before displaying it. Try your connection now. If you don't see any output when you attempt to connect, then something outside of your computer is blocking the traffic (e.g. a hardware firewall, NAT router, etc.).<br />
<br />
= See Also =<br />
*[[Using SSH Keys]]<br />
*[[Pam_abl]]<br />
<br />
= Links & References =<br />
*[http://www.soloport.com/iptables.html A Cure for the Common SSH Login Attack]<br />
*[http://webssh.cz.cc Using your browser as SSH client]<br />
*[http://www.la-samhna.de/library/brutessh.html Defending against brute force ssh attacks]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=OpenSSH_(Espa%C3%B1ol)&diff=135462OpenSSH (Español)2011-03-31T18:43:13Z<p>Sironitomas: /* Ver también */</p>
<hr />
<div>[[Category:Español]]<br />
{{i18n|SSH}}<br />
<br />
'''S'''ecure '''Sh'''ell or '''SSH''' is a network protocol that allows data to be exchanged over a secure channel between two computers. SSH uses encryption techniques so that the information travelling over the communication medium is unreadable, and no third party can discover the connection's username and password or what is typed during the session. SSH uses public-key cryptography to authenticate the remote machine and, if necessary, to let it authenticate the user.<br />
<br />
Besides connecting to other devices, SSH lets us copy data securely (both individual files and simulated encrypted FTP sessions), manage RSA keys so that we do not have to type passwords when connecting to devices, and pass the data of any other application through a secure channel tunnelled over SSH.<br />
<br />
By default, an SSH server listens on TCP port 22. An SSH client program is generally used to establish connections to an ''sshd'' daemon that accepts remote connections. Both are commonly found in most modern operating systems, including Mac OS X, Linux, Solaris and OpenVMS. Proprietary, freeware and open-source versions exist at various levels of complexity and completeness.<br />
<br />
(Source: [[Wikipedia:Secure Shell]])<br />
<br />
= OpenSSH =<br />
<br />
OpenSSH (OpenBSD Secure Shell) is a set of computer programs that provide an encrypted communication session over a computer network using the SSH protocol. It was created as an open-source alternative to the proprietary software offered by SSH Communications Security. OpenSSH is developed as part of the OpenBSD project, which is led by Theo de Raadt.<br />
<br />
OpenSSH is sometimes confused with OpenSSL because of the similar name; however, the two projects have different goals and are developed by different teams.<br />
<br />
== Installing OpenSSH ==<br />
# pacman -S openssh<br />
<br />
== Configuring SSH ==<br />
===Client===<br />
The SSH client configuration file can be found and edited at {{Filename|/etc/ssh/ssh_config}}.<br />
<br />
An example configuration:<br />
<br />
{{File|name=/etc/ssh/ssh_config|content=<br />
<br />
# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $<br />
<br />
# This is the ssh client system-wide configuration file. See<br />
# ssh_config(5) for more information. This file provides defaults for<br />
# users, and the values can be changed in per-user configuration files<br />
# or on the command line.<br />
<br />
# Configuration data is parsed as follows:<br />
# 1. command line options<br />
# 2. user-specific file<br />
# 3. system-wide file<br />
# Any configuration value is only changed the first time it is set.<br />
# Thus, host-specific definitions should be at the beginning of the<br />
# configuration file, and defaults at the end.<br />
<br />
# Site-wide defaults for some commonly used options. For a comprehensive<br />
# list of available options, their meanings and defaults, please see the<br />
# ssh_config(5) man page.<br />
<br />
Host *<br />
# ForwardAgent no<br />
# ForwardX11 no<br />
# RhostsRSAAuthentication no<br />
# RSAAuthentication yes<br />
# PasswordAuthentication yes<br />
# HostbasedAuthentication no<br />
# GSSAPIAuthentication no<br />
# GSSAPIDelegateCredentials no<br />
# BatchMode no<br />
# CheckHostIP yes<br />
# AddressFamily any<br />
# ConnectTimeout 0<br />
# StrictHostKeyChecking ask<br />
# IdentityFile ~/.ssh/identity<br />
# IdentityFile ~/.ssh/id_rsa<br />
# IdentityFile ~/.ssh/id_dsa<br />
# Port 22<br />
# Protocol 2,1<br />
# Cipher 3des<br />
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc<br />
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160<br />
# EscapeChar ~<br />
# Tunnel no<br />
# TunnelDevice any:any<br />
# PermitLocalCommand no<br />
# VisualHostKey no<br />
HashKnownHosts yes<br />
StrictHostKeyChecking ask}}<br />
<br />
It is recommended to change the Protocol line to this:<br />
Protocol 2<br />
<br />
This means that only protocol 2 will be used, since protocol 1 is considered somewhat insecure.<br />
<br />
===Daemon===<br />
The SSH daemon configuration file can be found and edited at {{Filename|/etc/ssh/ssh'''d'''_config}}.<br />
An example configuration:<br />
<br />
{{File|name=/etc/ssh/sshd_config|content=<br />
<br />
# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $<br />
<br />
# This is the sshd server system-wide configuration file. See<br />
# sshd_config(5) for more information.<br />
<br />
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin<br />
<br />
# The strategy used for options in the default sshd_config shipped with<br />
# OpenSSH is to specify options with their default value where<br />
# possible, but leave them commented. Uncommented options change a<br />
# default value.<br />
<br />
#Port 22<br />
#Protocol 2,1<br />
ListenAddress 0.0.0.0<br />
#ListenAddress ::<br />
<br />
# HostKey for protocol version 1<br />
#HostKey /etc/ssh/ssh_host_key<br />
# HostKeys for protocol version 2<br />
#HostKey /etc/ssh/ssh_host_rsa_key<br />
#HostKey /etc/ssh/ssh_host_dsa_key<br />
<br />
# Lifetime and size of ephemeral version 1 server key<br />
#KeyRegenerationInterval 1h<br />
#ServerKeyBits 768<br />
<br />
# Logging<br />
#obsoletes QuietMode and FascistLogging<br />
#SyslogFacility AUTH<br />
#LogLevel INFO<br />
<br />
# Authentication:<br />
<br />
#LoginGraceTime 2m<br />
#PermitRootLogin yes<br />
#StrictModes yes<br />
#MaxAuthTries 6<br />
<br />
#RSAAuthentication yes<br />
#PubkeyAuthentication yes<br />
#AuthorizedKeysFile .ssh/authorized_keys<br />
<br />
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts<br />
#RhostsRSAAuthentication no<br />
# similar for protocol version 2<br />
#HostbasedAuthentication no<br />
# Change to yes if you don't trust ~/.ssh/known_hosts for<br />
# RhostsRSAAuthentication and HostbasedAuthentication<br />
#IgnoreUserKnownHosts no<br />
# Don't read the user's ~/.rhosts and ~/.shosts files<br />
#IgnoreRhosts yes<br />
<br />
# To disable tunneled clear text passwords, change to no here!<br />
#PasswordAuthentication yes<br />
#PermitEmptyPasswords no<br />
<br />
# Change to no to disable s/key passwords<br />
#ChallengeResponseAuthentication yes<br />
<br />
# Kerberos options<br />
#KerberosAuthentication no<br />
#KerberosOrLocalPasswd yes<br />
#KerberosTicketCleanup yes<br />
#KerberosGetAFSToken no<br />
<br />
# GSSAPI options<br />
#GSSAPIAuthentication no<br />
#GSSAPICleanupCredentials yes<br />
<br />
# Set this to 'yes' to enable PAM authentication, account processing,<br />
# and session processing. If this is enabled, PAM authentication will<br />
# be allowed through the ChallengeResponseAuthentication mechanism.<br />
# Depending on your PAM configuration, this may bypass the setting of<br />
# PasswordAuthentication, PermitEmptyPasswords, and<br />
# "PermitRootLogin without-password". If you just want the PAM account and<br />
# session checks to run without PAM authentication, then enable this but set<br />
# ChallengeResponseAuthentication=no<br />
#UsePAM no<br />
<br />
#AllowTcpForwarding yes<br />
#GatewayPorts no<br />
#X11Forwarding no<br />
#X11DisplayOffset 10<br />
#X11UseLocalhost yes<br />
#PrintMotd yes<br />
#PrintLastLog yes<br />
#TCPKeepAlive yes<br />
#UseLogin no<br />
#UsePrivilegeSeparation yes<br />
#PermitUserEnvironment no<br />
#Compression yes<br />
#ClientAliveInterval 0<br />
#ClientAliveCountMax 3<br />
#UseDNS yes<br />
#PidFile /var/run/sshd.pid<br />
#MaxStartups 10<br />
<br />
# no default banner path<br />
#Banner /some/path<br />
<br />
# override default of no subsystems<br />
Subsystem sftp /usr/lib/ssh/sftp-server}}<br />
<br />
<br />
To allow access only for some users, add this line:<br />
AllowUsers user1 user2<br />
<br />
You might want to change some lines so that they look like the following:<br />
<br />
<pre><br />
Protocol 2<br />
.<br />
.<br />
.<br />
LoginGraceTime 120<br />
.<br />
.<br />
.<br />
PermitRootLogin no # (put yes here if you want root login)<br />
</pre><br />
<br />
You can also uncomment the Banner option and edit {{Filename|/etc/issue}} for a nice welcome message.<br />
<br />
{{Tip| You may want to change the default port from 22 to any higher port (see [http://en.wikipedia.org/wiki/Security_through_obscurity security through obscurity]).}}<br />
<br />
Even though the port SSH is listening on can still be found with a port scanner such as nmap, changing it will reduce the number of authentication attempts caused by automated login attempts.<br />
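The following is an added example, not code from the wiki article: a POSIX sh script that audits an sshd_config for the settings recommended in this section and in the English version of this article above (Protocol 2, PermitRootLogin no, AllowUsers, PasswordAuthentication no, ChallengeResponseAuthentication no). The sample config files are constructed inline, and the script assumes the first-occurrence-wins rule of sshd_config(5) while ignoring Match blocks.<br />
<br />
```shell
#!/bin/sh
# Added example, not part of the wiki article: audit an sshd_config for the
# hardening settings recommended in the text (Protocol 2, PermitRootLogin no,
# AllowUsers, PasswordAuthentication no, ChallengeResponseAuthentication no).
# The two sample files below are constructed for the demonstration.

# Print the value sshd would use for a keyword: the first uncommented
# occurrence wins (keywords are case-insensitive); if the keyword never
# appears, print the built-in default passed as $3. Match blocks are not
# handled, which is an assumption of this example.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Compare one keyword against the value the article recommends.
# $1 = keyword, $2 = recommended value, $3 = sshd built-in default
check_setting() {
    v=$(sshd_effective "$AUDIT_CFG" "$1" "$3")
    if [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" != "$2" ]; then
        echo "WARN: $1 is '$v', recommended '$2'"
        AUDIT_BAD=1
    fi
}

# Audit one sshd_config; returns 0 when every recommended setting is present.
# The defaults are the commented-out values shown in the sample config above.
sshd_audit() {
    AUDIT_CFG=$1
    AUDIT_BAD=0
    check_setting Protocol 2 2,1
    check_setting PermitRootLogin no yes
    check_setting PasswordAuthentication no yes
    check_setting ChallengeResponseAuthentication no yes
    if [ -z "$(sshd_effective "$AUDIT_CFG" AllowUsers "")" ]; then
        echo "WARN: AllowUsers is not set, so every local account may log in"
        AUDIT_BAD=1
    fi
    return $AUDIT_BAD
}

# Constructed sample 1: the shipped defaults, everything still commented out.
SAMPLE_DEFAULT=$(mktemp)
cat >"$SAMPLE_DEFAULT" <<'EOF'
#Port 22
#Protocol 2,1
#LoginGraceTime 2m
#PermitRootLogin yes
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
Subsystem sftp /usr/lib/ssh/sftp-server
EOF

# Constructed sample 2: the file after applying the changes recommended above.
SAMPLE_HARDENED=$(mktemp)
cat >"$SAMPLE_HARDENED" <<'EOF'
Protocol 2
LoginGraceTime 120
PermitRootLogin no
AllowUsers user1 user2
PasswordAuthentication no
ChallengeResponseAuthentication no
Subsystem sftp /usr/lib/ssh/sftp-server
EOF

for f in "$SAMPLE_DEFAULT" "$SAMPLE_HARDENED"; do
    echo "== $f"
    if sshd_audit "$f"; then
        echo "OK: all recommended settings present"
    fi
done
```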
<br />
===Restricting access===<br />
{{Box Note | You have to adjust this file to connect remotely to the machine, since it is empty by default}}<br />
<br />
To let other people into your machine, you need to make some changes to {{Filename|/etc/hosts.allow}}, adding the following:<br />
<br />
<pre><br />
# let everyone connect<br />
sshd: ALL<br />
<br />
# OR restrict it to a certain IP<br />
sshd: 192.168.0.1<br />
<br />
# OR restrict it to an IP range<br />
sshd: 10.0.0.0/255.255.255.0<br />
<br />
# OR restrict to an IP match<br />
sshd: 192.168.1.<br />
</pre><br />
<br />
Now you should check your {{Filename|/etc/hosts.deny}} for the following line and make sure it looks like this:<br />
ALL: ALL<br />
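As an added example that is not part of the article, the script below re-implements the hosts.allow matching rules for the four pattern forms shown above (and in the English section of this article), so you can test which client addresses a given hosts.allow and hosts.deny pair would admit before relying on them. The sample files are constructed inline, and handling only these pattern forms is an assumption of the example.<br />
<br />
```shell
#!/bin/sh
# Added example, not part of the wiki article: a small re-implementation of
# the tcp_wrappers client matching used by /etc/hosts.allow and
# /etc/hosts.deny, covering only the four pattern forms shown in the text
# (ALL, an exact address, network/netmask, and a trailing-dot prefix).
# Sample files are constructed below; nothing here touches the real files.

# Convert a dotted quad to an integer so netmask patterns can be compared.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Does client address $1 match one client pattern $2?
tcpd_pattern_match() {
    case $2 in
        ALL) return 0 ;;
        */*) net=${2%/*}
             mask=${2#*/}
             [ $(( $(ip_to_int "$1") & $(ip_to_int "$mask") )) -eq "$(ip_to_int "$net")" ] ;;
        *.)  case $1 in "$2"*) return 0 ;; *) return 1 ;; esac ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# Does one "daemon_list : client_list" line apply to sshd and client $1?
# Comments and lines without a colon are ignored, as tcpd does.
hosts_line_match() {
    line=${2%%#*}
    case $line in *:*) ;; *) return 1 ;; esac
    daemons=$(echo "${line%%:*}" | tr ',' ' ')
    clients=$(echo "${line#*:}" | tr ',' ' ')
    case " $daemons " in
        *" ALL "*|*" sshd "*) ;;
        *) return 1 ;;
    esac
    for p in $clients; do
        if tcpd_pattern_match "$1" "$p"; then return 0; fi
    done
    return 1
}

# tcp_wrappers order: a match in hosts.allow grants access, otherwise a
# match in hosts.deny refuses it, otherwise access is granted.
# $1 = client address, $2 = hosts.allow path, $3 = hosts.deny path
hosts_access() {
    while IFS= read -r l; do
        if hosts_line_match "$1" "$l"; then return 0; fi
    done <"$2"
    while IFS= read -r l; do
        if hosts_line_match "$1" "$l"; then return 1; fi
    done <"$3"
    return 0
}

# Constructed sample files using the patterns from the article.
ALLOW_FILE=$(mktemp)
DENY_FILE=$(mktemp)
cat >"$ALLOW_FILE" <<'EOF'
# restrict to a certain ip
sshd: 192.168.0.1
# OR restrict for an IP range
sshd: 10.0.0.0/255.255.255.0
# OR restrict for an IP match
sshd: 192.168.1.
EOF
printf 'ALL: ALL\n' >"$DENY_FILE"

for client in 192.168.0.1 10.0.0.77 10.0.1.5 192.168.1.200 192.168.10.1; do
    if hosts_access "$client" "$ALLOW_FILE" "$DENY_FILE"; then
        echo "$client: allowed"
    else
        echo "$client: refused by hosts.deny"
    fi
done
```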
<br />
That's it. You can SSH out to other machines and also let others SSH in to yours :).<br />
<br />
To start using the new configuration, restart the daemon (as root):<br />
# /etc/rc.d/sshd restart<br />
<br />
== Managing the SSHD Daemon ==<br />
Just add sshd to the "DAEMONS" section of your {{Filename|/etc/[[rc.conf]]}}:<br />
DAEMONS=(... ... '''sshd''' ... ...)<br />
<br />
To start/restart/stop the daemon, use the following:<br />
# /etc/rc.d/sshd {start|stop|restart}<br />
<br />
==Connecting to the server==<br />
To connect to a server, run:<br />
$ ssh -p port user@server-address<br />
<br />
= Tips and Tricks =<br />
<br />
== Encrypted tunnels ==<br />
This type of connection is very useful for laptop users connected to various insecure wireless networks. The only thing you need is an SSH server running somewhere secure, such as your home or your workplace. It may be useful to use a dynamic DNS service like DynDNS so you do not have to remember the IP address you want to connect to.<br />
<br />
=== Step 1: Start the connection ===<br />
The only thing you have to do is run this single command in your favourite terminal to start the connection:<br />
$ ssh -ND 4711 user@host<br />
where {{Codeline|"user"}} is your username on the SSH server running on {{Codeline|"host"}}. It will ask for your password, and then you are connected! The {{Codeline|"N"}} flag disables the interactive prompt, and the {{Codeline|"D"}} flag specifies the local port to listen on (you can choose any port number you want).<br />
<br />
One way to make this easier is to add an alias line to your {{Filename|~/.bashrc}} file like the following:<br />
alias sshtunnel="ssh -ND 4711 -v user@host"<br />
<br />
=== Step 2: Configure your browser (or other programs) ===<br />
<br />
The previous step is useless if you do not configure your web browser (or other programs) to use the tunnel you have just created. Since the current version of SSH supports both SOCKS4 and SOCKS5, you can use either of them.<br />
<br />
* For Firefox: ''Edit &rarr; Preferences &rarr; Advanced &rarr; Network &rarr; Connection &rarr; Settings'':<br />
: Check the ''"Manual proxy configuration"'' radio button, enter "localhost" in the ''"SOCKS host"'' field, and then enter your port number in the next text field.<br />
<br />
* For Chromium: The SOCKS settings must be set as environment variables. It is recommended to add the following lines to your .bashrc:<br />
function secure_chromium {<br />
port=4711<br />
export SOCKS_SERVER=localhost:$port<br />
export SOCKS_VERSION=5<br />
chromium &<br />
exit<br />
}<br />
<br />
Now just open a terminal and type:<br />
$ secure_chromium<br />
<br />
Done. Enjoy your secure tunnel!<br />
<br />
== X11 Forwarding ==<br />
<br />
To run graphical programs through an SSH connection you can enable X11 forwarding. This option must be set in the configuration files of both the server and the client (here "client" means your machine, the one your X11 server runs on, and the X applications will run on the "server").<br />
<br />
Install xorg-xauth on the server:<br />
# pacman -S xorg-xauth<br />
<br />
* Enable the '''AllowTcpForwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Enable the '''X11Forwarding''' option in {{Filename|sshd_config}} on the '''server'''.<br />
* Set the '''X11DisplayOffset''' option in {{Filename|sshd_config}} on the '''server''' to 10.<br />
* Enable the '''X11UseLocalhost''' option in {{Filename|sshd_config}} on the '''server'''.<br />
<br />
<br />
* Enable the '''ForwardX11''' option in {{Filename|ssh_config}} on the '''client'''.<br />
<br />
To use the forwarding, log on to the server through ssh:<br />
# ssh -X -p port user@server-address<br />
If you get errors trying to run graphical applications, try trusted forwarding instead:<br />
# ssh -Y -p port user@server-address<br />
You can now start any X application on the remote server; the output will be sent to your local session:<br />
# xclock<br />
<br />
== Speeding up SSH ==<br />
Changing the ciphers used by SSH to less CPU-demanding ones can improve speed. In this respect, the best options are arcfour and blowfish-cbc (note that arcfour has a number of known weaknesses). To use them, run SSH with the {{Codeline|"c"}} flag, as follows:<br />
# ssh -c arcfour,blowfish-cbc user@server-address<br />
To use them permanently, add this line under the appropriate host in {{Filename|/etc/ssh/ssh_config}}:<br />
Ciphers arcfour,blowfish-cbc<br />
Another option to improve speed is to enable compression with the {{Codeline|"C"}} flag. A permanent solution is to add this line under the appropriate host in {{Filename|/etc/ssh/ssh_config}}:<br />
Compression yes<br />
Login time can be shortened by using the {{Codeline|"4"}} flag, which skips the IPv6 lookup. This can be made permanent by adding this line under the appropriate host in {{Filename|/etc/ssh/ssh_config}}:<br />
AddressFamily inet<br />
Another way to make these changes permanent is to create an alias in {{Filename|~/.bashrc}}:<br />
alias ssh='ssh -C4c arcfour,blowfish-cbc'<br />
Finally, you can make all sessions to the same server use a single connection, which speeds up subsequent logins, by adding these lines under the appropriate host in {{Filename|/etc/ssh/ssh_config}}:<br />
ControlMaster auto<br />
ControlPath ~/.ssh/socket-%r@%h:%p<br />
<br />
=== Troubleshooting ===<br />
<br />
Make sure your DISPLAY string is resolvable on the remote end:<br />
<br />
ssh -X user@server-address<br />
server$ echo $DISPLAY<br />
localhost:10.0<br />
server$ telnet localhost 6010<br />
localhost/6010: lookup failure: Temporary failure in name resolution <br />
<br />
This can be fixed by adding localhost to {{Filename|/etc/hosts}}.<br />
<br />
== Mounting a Remote Filesystem with SSHFS ==<br />
<br />
Install sshfs:<br />
# pacman -S sshfs<br />
<br />
Load the Fuse module:<br />
# modprobe fuse<br />
Add fuse to the ''modules'' array in {{Filename|/etc/rc.conf}} to load it on each system boot.<br />
<br />
Mount the remote folder using sshfs:<br />
# mkdir ~/remote_folder<br />
# sshfs USER@remote_server:/tmp ~/remote_folder<br />
<br />
The command above will cause the /tmp folder on the remote server to be mounted as ~/remote_folder on the local machine. Copying any file into this folder will result in a transparent copy over the network using SFTP. The same applies to editing, creating or removing files directly.<br />
<br />
Once you have finished working with the remote filesystem, you can unmount the remote folder with the following command:<br />
# fusermount -u ~/remote_folder<br />
<br />
If we work with this folder daily, it is advisable to add it to the {{Filename|/etc/fstab}} table. This way it can be mounted automatically at boot or manually (if the {{Codeline|noauto}} option is chosen), without needing to specify the remote location every time. Here is a sample entry in the table:<br />
sshfs#USER@remote_server:/tmp /full/path/to/directory fuse defaults,auto,allow_other 0 0<br />
<br />
=== Keep alive ===<br />
<br />
Your ssh session will be disconnected automatically if it is idle. To keep the connection active (alive), add this to {{Filename|~/.ssh/config}} or to {{Filename|/etc/ssh/ssh_config}} on the client.<br />
<br />
ServerAliveInterval 5<br />
<br />
This will send a "keep alive" signal to the server every 5 seconds. You can usually increase this interval and use 120.<br />
<br />
= See also =<br />
*[[Using SSH Keys]]<br />
*[[Pam_abl]]<br />
<br />
= Links & References =<br />
*[http://www.soloport.com/iptables.html A Cure for the Common SSH Login Attack]<br />
*[http://www.la-samhna.de/library/brutessh.html Defending against brute force ssh attacks]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=Arch_boot_process_(Espa%C3%B1ol)&diff=135415Arch boot process (Español)2011-03-31T04:59:40Z<p>Sironitomas: </p>
<hr />
<div>[[Category:Boot process (Español)]]<br />
[[Category:About Arch (Español)]]<br />
{{i18n|Arch Boot Process}}<br />
<br />
{{Article summary start}}<br />
{{Article summary text|?}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Boot process overview}}}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|fstab}}<br />
{{Article summary wiki|rc.conf}}<br />
{{Article summary end}}<br />
<br />
This article aims to give a chronological overview of the Arch boot process, the files and processes involved, providing links to relevant wiki articles where necessary. Arch follows the BSD init convention rather than the more common SysV one. This means there is little distinction between runlevels, since by default the system is configured to load the same modules and run the same processes in all runlevels. The advantage is that users have a simple way to configure the startup process (see [[rc.conf]]); the disadvantage is that some very specific configuration options offered by SysV are lost. See [[Adding Runlevels]] to add SysV-like configurations to Arch. See [[Wikipedia:init]] for more information on the differences between the SysV and BSD styles.<br />
<br />
== Before init ==<br />
After the system is powered on and the [[Wikipedia:Power-on self-test|POST]] is completed, the BIOS locates the preconfigured boot medium and transfers control from that device to the [[Master Boot Record]]. On a GNU/Linux system, a boot loader such as [[GRUB]] or [[LILO]] is commonly found there and is then loaded from the MBR. The boot loader presents the user with a range of boot options, for example Arch Linux or Windows in a [[Windows and Arch Dual Boot|dual-boot setup]]. Once Arch is selected, the kernel image in the {{Filename|/boot}} directory (currently {{Filename|kernel26.img}}) is decompressed and loaded into memory.<br />
<br />
The kernel is the core of an operating system. It works at a low level (''kernelspace''), mediating between the hardware and the running programs. To make efficient use of the CPU, the kernel uses a scheduler to decide which tasks have the highest priority at each moment, creating the illusion (to human perception) that several tasks are running simultaneously (multitasking).<br />
<br />
Once the kernel is loaded, it reads the [[initramfs]] (initial RAM filesystem). The purpose of the initramfs is to bring the system to a point where it can access the root filesystem (see [[FHS]] for details). This means that any modules required by devices such as IDE, SCSI or SATA (or USB/FW, when booting from a USB/FW drive) have to be loaded. Once the initramfs has loaded the appropriate modules, either manually or via [[udev]], it hands control back to the kernel and the boot process continues. For this reason the initramfs only needs to contain the modules required to access the root filesystem; it does not need to contain any other module one may want to use later. Most modules are loaded later by udev, during the init process.<br />
<br />
The kernel then looks for the {{Codeline|init}} program, which resides at {{Filename|/sbin/init}}. {{Codeline|init}} depends on {{Codeline|glibc}}, the GNU C library. Libraries are collections of frequently used program routines, identifiable by the {{Filename|*.so}} extension. They are essential for the basic functionality of the system. This part of the boot process is called ''early userspace''.<br />
<br />
== init: The Arch boot scripts ==<br />
The main Arch boot process is started by the {{Codeline|init}} program, which calls every other process. The purpose of {{Codeline|init}} is to bring the system to a usable state, using the boot scripts to do so. As mentioned above, Arch uses BSD-style boot scripts. {{Codeline|init}} reads the file {{Codeline|/etc/inittab}}. By default, {{Codeline|/etc/inittab}} begins with the following:<br />
<br />
{{File<br />
|name=/etc/inittab<br />
|content=<nowiki><br />
...<br />
# Boot to console<br />
id:3:initdefault:<br />
# Boot to X11<br />
#id:5:initdefault:<br />
<br />
rc::sysinit:/etc/rc.sysinit<br />
rs:S1:wait:/etc/rc.single<br />
rm:2345:wait:/etc/rc.multi<br />
rh:06:wait:/etc/rc.shutdown<br />
su:S:wait:/sbin/sulogin<br />
...<br />
</nowiki>}}<br />
<br />
The first uncommented line defines the system's default runlevel (3). When the kernel calls init:<br />
<br />
* First, the main initialization script, {{Filename|/etc/rc.sysinit}} (a [[Bash]] script), is executed.<br />
* If booting into single-user mode (runlevel 1 or S), the {{Filename|/etc/rc.single}} script is executed.<br />
* If booting into any other runlevel (2-5), {{Filename|/etc/rc.multi}} is executed instead.<br />
* The last script executed is {{Filename|/etc/rc.local}} (via {{Filename|/etc/rc.multi}}), which is empty by default.<br />
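As an added illustration, not part of the original article and not Arch's own code, the following bash functions apply these rules to an inittab: each entry is split into its four colon-separated fields (id, runlevels, action, process), the {{Codeline|sysinit}} entries are listed first, then every {{Codeline|wait}} entry whose runlevels field contains the requested level, in file order. The inittab text is the excerpt shown above, embedded so the functions run offline; the function names are this example's own.<br />

```bash
#!/bin/bash
# Added example, not Arch's code: resolve which /etc/inittab entries init
# would run when booting into a given runlevel, following the rules in
# this section. Entry format: id:runlevels:action:process

# The inittab excerpt from this article, embedded so the example runs offline.
INITTAB_SAMPLE='# Boot to console
id:3:initdefault:
# Boot to X11
#id:5:initdefault:

rc::sysinit:/etc/rc.sysinit
rs:S1:wait:/etc/rc.single
rm:2345:wait:/etc/rc.multi
rh:06:wait:/etc/rc.shutdown
su:S:wait:/sbin/sulogin'

# Print the default runlevel: the runlevels field of the first uncommented
# initdefault entry (here "3").
inittab_default_runlevel() {
    printf '%s\n' "$1" | awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $3 == "initdefault"      { print $2; exit }'
}

# Print, one per line, the processes init runs when booting into runlevel $2:
# every sysinit entry first (its runlevels field is ignored), then each wait
# entry whose runlevels field contains $2, in file order.
inittab_boot_entries() {
    [ -n "$2" ] || { echo "usage: inittab_boot_entries <inittab-text> <runlevel>" >&2; return 2; }
    printf '%s\n' "$1" | awk -F: -v lvl="$2" '
        /^[ \t]*#/ || /^[ \t]*$/        { next }
        $3 == "sysinit"                { sysinit[++ns] = $4; next }
        $3 == "wait" && index($2, lvl) { waits[++nw] = $4 }
        END {
            for (i = 1; i <= ns; i++) print sysinit[i]
            for (i = 1; i <= nw; i++) print waits[i]
        }'
}

# The sequence for the default runlevel, i.e. what an unattended boot runs.
inittab_default_boot_entries() {
    inittab_boot_entries "$1" "$(inittab_default_runlevel "$1")"
}

# Stand-alone demo: prints /etc/rc.sysinit and /etc/rc.multi for the sample.
inittab_default_boot_entries "$INITTAB_SAMPLE"
```

Asking for runlevel {{Codeline|S}} yields rc.sysinit, rc.single and sulogin, the single-user sequence described above; a level that no entry lists yields only rc.sysinit, which is a quick way to spot an inittab edit that would leave init with nothing to run after the system initialization.<br />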
<br />
=== {{Filename|/etc/rc.sysinit}} ===<br />
{{Filename|rc.sysinit}} is a large startup script that basically takes care of all the hardware configuration and general initialization tasks. It can be identified by its first task, printing the lines:<br />
<br />
Arch Linux<br />
http://www.archlinux.org<br />
Copyright 2002-2007 Judd Vinet<br />
Copyright 2007-2010 Aaron Griffin<br />
Distributed under the GNU General Public License (GPL)<br />
<br />
A rough overview of its tasks:<br />
* Sources the {{Filename|/etc/rc.conf}} script<br />
* Sources the {{Filename|/etc/rc.d/functions}} script<br />
* Displays a welcome message<br />
* Mounts various virtual filesystems<br />
* Creates fake device files<br />
* Starts [[minilogd]]<br />
* Displays [[dmesg]] output<br />
* Configures the hardware clock<br />
* Blanks the {{Filename|/proc/sys/kernel/hotplug}} file<br />
* Starts [[udev]] and triggers udev events<br />
* Brings up the [[loopback]] interface<br />
* Loads the modules listed in the {{Codeline|MODULES}} array defined in [[rc.conf]]<br />
* Sets up RAID and encrypted filesystem mappings<br />
* Runs a forced partition check ([[fsck]]) if [[fstab|/etc/fstab]] contains instructions to do so<br />
* Mounts local partitions and swap (network drives are not mounted until the network is started)<br />
* Activates [[swap]] areas<br />
* Sets the hostname, locale and system clock as defined in {{Filename|rc.conf}}<br />
* Removes various temporary files, such as {{Filename|/tmp/*}}<br />
* Configures the [[locale]], console and keyboard mapping<br />
* Sets the console font<br />
* Writes dmesg output to {{Filename|/var/log/dmesg.log}}<br />
<br />
{{Filename|/etc/rc.sysinit}} is a script, not a place for configuration. It sources (i.e. reads variables and functions from) [[rc.conf]] for configuration and {{Filename|/etc/rc.d/functions}} for the functions that produce the graphical output (colours, alignment, etc.). There is no need to edit this file, although some may wish to do so to improve boot times.<br />
<br />
=== {{Filename|/etc/rc.single}} ===<br />
Single-user mode boots the system directly into the root user account and should be used when the system cannot be booted normally. This script ensures that no daemons are running except the minimum required (syslog-ng and udev). Single-user mode is useful for performing system recovery while preventing remote users from doing anything that could cause data loss or damage. Note the {{Codeline|su:S:wait:/sbin/sulogin}} entry in {{Filename|/etc/inittab}}: {{Codeline|sulogin}} still asks for the root password before it hands over the shell. In this mode, users can continue with the standard (multi-user) boot by typing {{Codeline|exit}} at the console.<br />
<br />
=== {{Filename|/etc/rc.multi}} ===<br />
{{Filename|/etc/rc.multi}} is run on any multi-user runlevel (i.e. 2, 3, 4 and 5), which basically means any ordinary boot. Typically, users will not notice the transition from {{Filename|rc.sysinit}} to {{Filename|rc.multi}}, as {{Filename|rc.multi}} also uses the functions file to produce output. This script has three tasks:<br />
<br />
* First, it runs sysctl (to modify kernel parameters at runtime) which applies the settings in {{Filename|/etc/sysctl.conf}}. Arch has very few of these by default; mainly networking settings.<br />
* Secondly, and most importantly, it starts [[daemons]], as per the {{Codeline|DAEMONS}} array in {{Filename|rc.conf}}.<br />
* Finally, it will run {{Filename|/etc/rc.local}}. <br />
<br />
=== {{Filename|/etc/rc.local}} ===<br />
{{Filename|rc.local}} is the local multi-user startup script. Empty by default, it is a good place to put any last-minute commands the system should run at the very end of the boot process. Most common system configuration tasks (like loading modules, changing the console font, or setting up devices) usually have a dedicated place where they belong. To avoid confusion, make sure that whatever one intends to add to {{Filename|rc.local}} is not already handled in {{Filename|/etc/profile.d}} or another existing configuration location.<br />
<br />
When editing this file, keep in mind that it is run '''after''' the basic setup (modules/daemons), as the '''root''' user, and '''whether or not''' X starts. Here is an example which just un-mutes the ALSA sound settings:<br />
<br />
{{File<br />
|name=/etc/rc.local<br />
|content=<nowiki><br />
#!/bin/bash<br />
<br />
# /etc/rc.local: Local multi-user startup script.<br />
<br />
amixer sset 'Master Mono' 50% unmute &> /dev/null<br />
amixer sset 'Master' 50% unmute &> /dev/null<br />
amixer sset 'PCM' 75% unmute &> /dev/null<br />
</nowiki>}}<br />
<br />
Another common usage for {{Filename|rc.local}} is to apply various hacks when one cannot make the ordinary initialization work correctly.<br />
<br />
== Custom hooks ==<br />
Hooks can be used to include custom code in various places in the rc.* scripts.<br />
{| class="wikitable"<br />
|-<br />
! scope="col" | Hook Name<br />
! scope="col" | When hook is executed<br />
|-<br />
| sysinit_start<br />
| At the beginning of rc.sysinit<br />
|-<br />
| sysinit_udevlaunched<br />
| After udev has been launched in rc.sysinit<br />
|-<br />
| sysinit_udevsettled<br />
| After uevents have settled in rc.sysinit<br />
|-<br />
| sysinit_prefsck<br />
| Before fsck is run in rc.sysinit<br />
|-<br />
| sysinit_postfsck<br />
| After fsck is run in rc.sysinit<br />
|-<br />
| sysinit_premount<br />
| Before local filesystems are mounted, but after root is mounted read-write in rc.sysinit<br />
|-<br />
| sysinit_end<br />
| At the end of rc.sysinit<br />
|-<br />
| multi_start<br />
| At the beginning of rc.multi<br />
|-<br />
| multi_end<br />
| At the end of rc.multi<br />
|-<br />
| single_start<br />
| At the beginning of rc.single<br />
|-<br />
| single_prekillall<br />
| Before all processes are being killed in rc.single<br />
|-<br />
| single_postkillall<br />
| After all processes have been killed in rc.single<br />
|-<br />
| single_udevlaunched<br />
| After udev has been launched in rc.single<br />
|-<br />
| single_udevsettled<br />
| After uevents have settled in rc.single<br />
|-<br />
| single_end<br />
| At the end of rc.single<br />
|-<br />
| shutdown_start<br />
| At the beginning of rc.shutdown<br />
|-<br />
| shutdown_prekillall<br />
| Before all processes are being killed in rc.shutdown<br />
|-<br />
| shutdown_postkillall<br />
| After all processes have been killed in rc.shutdown<br />
|-<br />
| shutdown_poweroff<br />
| Directly before powering off in rc.shutdown<br />
|}<br />
<br />
To define a hook function, create a file in /etc/rc.d/functions.d using:<br />
<pre><br />
function_name() {<br />
...<br />
}<br />
add_hook hook_name function_name<br />
</pre><br />
Files in {{Filename|/etc/rc.d/functions.d}} are sourced from {{Filename|/etc/rc.d/functions}}.<br />
You can register multiple hook functions for the same hook, as well as register the same hook function for multiple hooks. Do not define functions named {{Codeline|add_hook}} or {{Codeline|run_hook}} in these files, as they are already defined in {{Filename|/etc/rc.d/functions}}.<br />
<br />
==== Example ====<br />
Adding the following file will disable the write-back cache on a hard drive <i>before</i> any daemons are started (useful for drives containing MySQL InnoDB files).<br />
{{File|name=/etc/rc.d/functions.d/hd_settings|content=hd_settings() {<br />
/sbin/hdparm -W0 /dev/sdb<br />
}<br />
add_hook sysinit_udevsettled hd_settings<br />
add_hook single_udevsettled hd_settings<br />
}}<br />
First it defines the function {{Codeline|hd_settings}}, then registers it for the {{Codeline|sysinit_udevsettled}} and {{Codeline|single_udevsettled}} hooks. The function is then called immediately after uevents have settled in {{Filename|/etc/rc.sysinit}} or {{Filename|/etc/rc.single}}.<br />
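The following is an added example, not code from the Arch initscripts: a minimal stand-in for the {{Codeline|add_hook}}/{{Codeline|run_hook}} registry that {{Filename|/etc/rc.d/functions}} provides (the real implementation is not reproduced; only the calling convention is kept, so a hook file like {{Filename|hd_settings}} above runs against it unchanged), a loader that sources every file in a {{Filename|functions.d}}-style directory, and an audit of that directory. The audit is the check a practitioner wants here: everything in {{Filename|/etc/rc.d/functions.d}} is sourced as root on every boot, so a file there that is owned by another user or writable by group or others hands root at boot to whoever controls it. Keep these definitions in a script of your own, never inside a {{Filename|functions.d}} file, for the reason given above. All function names other than {{Codeline|add_hook}} and {{Codeline|run_hook}} are this example's own; the audit parses {{Codeline|ls -ld}} output so it does not depend on GNU {{Codeline|stat}}.<br />

```bash
#!/bin/bash
# Added example, not Arch's initscripts: a minimal stand-in for the hook
# registry in /etc/rc.d/functions plus a permission audit of the hook
# directory. Keep this in a script of your own, never inside
# /etc/rc.d/functions.d, where add_hook/run_hook are already defined.

# Registry: for hook name H, the variable hook_H holds a space-separated
# list of function names, in registration order.
add_hook() {
    # $1 = hook name (e.g. sysinit_udevsettled), $2 = function name
    eval "hook_$1=\"\${hook_$1:-} $2\""
}

run_hook() {
    # Call every function registered for hook $1, in registration order.
    local fn list
    eval "list=\${hook_$1:-}"
    for fn in $list; do
        "$fn"
    done
}

# Source every regular file in a functions.d-style directory, as
# /etc/rc.d/functions does with /etc/rc.d/functions.d/*.
load_hook_dir() {
    local f
    for f in "$1"/*; do
        [ -f "$f" ] && . "$f"
    done
    return 0
}

# Exit 0 when the file is writable by group or others. In the mode string
# printed by ls -ld the group write bit is character 6 and the other write
# bit is character 9 (e.g. -rw-rw-r--).
file_group_or_other_writable() {
    set -- $(ls -ld "$1")        # $1 is now the mode string
    case "$1" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# Print the owner of a file (third column of ls -ld).
file_owner() {
    set -- $(ls -ld "$1")
    printf '%s\n' "$3"
}

# Report hook files that are not owned by root or are writable by group or
# others: they are sourced as root on every boot. The exit status is the
# number of findings, so 0 means the directory is clean.
audit_hook_dir() {
    local dir="$1" f owner bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if file_group_or_other_writable "$f"; then
            echo "WARN $f: writable by group or others"
            bad=$((bad + 1))
        fi
        owner=$(file_owner "$f")
        if [ "$owner" != root ]; then
            echo "WARN $f: owned by $owner, not root"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

To audit a live system, source this file and run {{Codeline|audit_hook_dir /etc/rc.d/functions.d}}; a non-zero exit status means something in the directory needs attention. {{Filename|/etc/rc.local}} deserves the same ownership and mode check, since it too runs as root on every boot.<br />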
<br />
== init: Login ==<br />
By default, after the Arch boot scripts are completed, the {{Codeline|/sbin/agetty}} program prompts users for a login name. After a login name is received, {{Codeline|/sbin/agetty}} calls {{Codeline|/bin/login}} to prompt for the login password.<br />
<br />
Finally, with a successful login, the {{Codeline|/bin/login}} program starts the user's default shell. The default shell and environment variables may be globally defined within {{Filename|/etc/profile}}. All variables within a user's home directory shall take precedence over those globally defined under {{Filename|/etc}}. For instance, if two conflicting variables are specified within {{Filename|/etc/profile}} and {{Filename|~/.bashrc}}, the one dictated by {{Filename|~/.bashrc}} shall prevail.<br />
<br />
Other options include [[Automatic login to virtual console|mingetty]] which allows for auto-login and [[rungetty]] which allows for auto-login and automatically running commands and programs, e.g. the always useful htop. <br />
<br />
The majority of users wishing to start an [[X]] server during the boot process will want to install a display manager, and see [[Display Manager]] for details. Alternatively, [[Start X at Boot]] outlines methods that do not involve a display manager.<br />
<br />
== See also ==<br />
<br />
* [[Startup files]]<br />
<br />
== External resources ==<br />
* [http://www.cyberciti.biz/faq/grub-boot-into-single-user-mode/ Boot Linux Grub Into Single User Mode]<br />
* [http://www.linuxjournal.com/article/4622 Boot with GRUB]<br />
* [http://www.ibm.com/developerworks/linux/library/l-linuxboot/ Inside the Linux boot process]<br />
* [http://linux.about.com/library/cmd/blcmdl5_sysctl.conf.htm Linux / Unix Command: sysctl.conf]<br />
* [http://bbs.archlinux.org/search.php?action=search&keywords=rc.local&search_in=topic&sort_dir=DESC&show_as=topics Search the forum for rc.local examples]<br />
* [[Wikipedia:Linux startup process]]<br />
* [[Wikipedia:initrd]]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=Arch_boot_process_(Espa%C3%B1ol)&diff=135414Arch boot process (Español)2011-03-31T04:59:07Z<p>Sironitomas: /* {{Filename|/etc/rc.single}} */</p>
<hr />
Sironitomashttps://wiki.archlinux.org/index.php?title=Arch_boot_process_(Espa%C3%B1ol)&diff=135413Arch boot process (Español)2011-03-31T04:58:35Z<p>Sironitomas: /* Antes de init */</p>
<hr />
<div>[[Category:Boot process (Español)]]<br />
[[Category:About Arch (Español)]]<br />
{{i18n|Arch Boot Process}}<br />
<br />
{{Article summary start}}<br />
{{Article summary text|?}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Boot process overview}}}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|fstab}}<br />
{{Article summary wiki|rc.conf}}<br />
{{Article summary end}}<br />
<br />
This article aims to give a chronological overview of the Arch boot process, the files and processes involved, with links to the relevant wiki articles where needed. Arch follows the BSD init convention rather than the more common SysV one. This means there is little distinction between runlevels, because by default the system is configured to load the same modules and run the same processes at every runlevel. The advantage is that users have a simple way to configure the startup process (see [[rc.conf]]); the disadvantage is that some of the very specific configuration options SysV offers are lost. See [[Adding Runlevels]] for adding SysV-like configurations to Arch. See [[Wikipedia:init]] for more information on the differences between the SysV and BSD styles.<br />
<br />
== Before init ==<br />
After the system is powered on and the [[Wikipedia:Power-on self-test|POST]] is completed, the BIOS locates the configured boot medium and transfers control to that device's [[Master Boot Record]]. On a GNU/Linux system a boot loader such as [[GRUB]] or [[LILO]] is usually found there and is loaded from the MBR. The boot loader presents the user with a range of boot options, for example Arch Linux or Windows in a [[Windows and Arch Dual Boot|dual-boot setup]]. Once Arch is selected, the kernel image in the {{Filename|/boot}} directory is decompressed and loaded into memory, together with its initial RAM filesystem image (currently {{Filename|kernel26.img}}).<br />
<br />
The kernel is the core of an operating system. It works at a low level (''kernelspace''), mediating between the hardware and the running programs. To make efficient use of the CPU, the kernel uses a scheduler to decide which tasks have the highest priority at any given moment, creating the illusion (to human perception) that several tasks are running simultaneously (multitasking).<br />
<br />
Once the kernel is loaded, it reads the [[initramfs]] (initial RAM filesystem). The purpose of the initramfs is to bring the system to a point where it can access the root filesystem (see [[FHS]] for details). This means that any modules required by devices such as IDE, SCSI or SATA (or USB/FW, when booting from a USB/FW drive) have to be loaded. Once the initramfs has loaded the appropriate modules, either manually or via [[udev]], it hands control back to the kernel and the boot process continues. For this reason the initramfs only needs to contain the modules required to access the root filesystem; it does not need to contain any other module one may want to use later. Most modules are loaded later by udev, during the init process.<br />
<br />
The kernel then looks for the {{Codeline|init}} program, which resides at {{Filename|/sbin/init}}. {{Codeline|init}} depends on {{Codeline|glibc}}, the GNU C library. Libraries are collections of frequently used program routines, identifiable by the {{Filename|*.so}} extension. They are essential for the basic functionality of the system. This part of the boot process is called ''early userspace''.<br />
<br />
== init: The Arch boot scripts ==<br />
The main Arch boot process is started by the {{Codeline|init}} program, which calls all other processes. The purpose of {{Codeline|init}} is to bring the system to a usable state, using the boot scripts to do so. As mentioned previously, Arch uses BSD-style boot scripts. {{Codeline|init}} reads the file {{Codeline|/etc/inittab}}. By default, {{Codeline|/etc/inittab}} begins with the following:<br />
<br />
{{File<br />
|name=/etc/inittab<br />
|content=<nowiki><br />
...<br />
# Boot to console<br />
id:3:initdefault:<br />
# Boot to X11<br />
#id:5:initdefault:<br />
<br />
rc::sysinit:/etc/rc.sysinit<br />
rs:S1:wait:/etc/rc.single<br />
rm:2345:wait:/etc/rc.multi<br />
rh:06:wait:/etc/rc.shutdown<br />
su:S:wait:/sbin/sulogin<br />
...<br />
</nowiki>}}<br />
<br />
The first uncommented line defines the system's default runlevel (3). When the kernel calls init:<br />
<br />
* First, the main initialization script, {{Filename|/etc/rc.sysinit}} (a [[Bash]] script), is run.<br />
* If booting into single-user mode (runlevel 1 or S), the {{Filename|/etc/rc.single}} script is run.<br />
* If booting into any other runlevel (2-5), {{Filename|/etc/rc.multi}} is run instead.<br />
* The last script run is {{Filename|/etc/rc.local}} (via {{Filename|/etc/rc.multi}}), which is empty by default.<br />
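The following is an added example, not part of the original article and not sysvinit's own code: a small parser for the {{Codeline|id:runlevels:action:process}} format of {{Filename|/etc/inittab}}, used to answer "which entries does init act on when it enters a given runlevel?". The sample inittab is constructed inline and mirrors the Arch default quoted above; it shows how the runlevels field {{Codeline|S1}} covers both S and 1 while {{Codeline|2345}} covers every multi-user runlevel, and that the {{Codeline|sysinit}} action ignores that field entirely.<br />

```shell
#!/bin/sh
# Added example (not from the page or from sysvinit): a parser for the
# id:runlevels:action:process format of /etc/inittab, answering the question
# "which entries does init act on when it enters runlevel N?".
# The sample inittab below is constructed here and mirrors the Arch default.

SAMPLE_INITTAB='# Boot to console
id:3:initdefault:
# Boot to X11
#id:5:initdefault:

rc::sysinit:/etc/rc.sysinit
rs:S1:wait:/etc/rc.single
rm:2345:wait:/etc/rc.multi
rh:06:wait:/etc/rc.shutdown
su:S:wait:/sbin/sulogin'

# Print the default runlevel: the runlevels field of the initdefault entry.
default_runlevel() {
    printf '%s\n' "$SAMPLE_INITTAB" | awk -F: '
        NF == 0 || $0 ~ /^[ \t]*#/ { next }   # skip blank lines and comments
        $3 == "initdefault" { print $2; exit }'
}

# Print "action process" for every entry init acts on in runlevel $1, in
# file order. The runlevels field is a string of single characters, so "S1"
# covers both S and 1, and "2345" covers every multi-user runlevel. The
# sysinit action ignores that field: it runs once at boot before anything
# else. "wait" means init blocks until the process exits, which is why, in
# practice, the getty login prompts only appear after rc.multi has finished.
entries_for_runlevel() {
    printf '%s\n' "$SAMPLE_INITTAB" | awk -F: -v rl="$1" '
        NF == 0 || $0 ~ /^[ \t]*#/ { next }
        $3 == "initdefault" { next }
        $3 == "sysinit" || index($2, rl) > 0 { print $3, $4 }'
}

# Usage: entries_for_runlevel 3   ->  sysinit /etc/rc.sysinit
#                                     wait /etc/rc.multi
# Usage: entries_for_runlevel S   ->  sysinit /etc/rc.sysinit
#                                     wait /etc/rc.single
#                                     wait /sbin/sulogin
```

Running {{Codeline|entries_for_runlevel S}} makes the single-user path visible: {{Filename|rc.sysinit}}, then {{Filename|rc.single}}, then {{Codeline|sulogin}}, which is the entry that asks for the root password before a shell is handed out.<br />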
<br />
=== {{Filename|/etc/rc.sysinit}} ===<br />
{{Filename|rc.sysinit}} is a large start-up script that basically takes care of all hardware configuration and general initialization tasks. It can be identified by its first task, printing the lines:<br />
<br />
Arch Linux<br />
http://www.archlinux.org<br />
Copyright 2002-2007 Judd Vinet<br />
Copyright 2007-2010 Aaron Griffin<br />
Distributed under the GNU General Public License (GPL)<br />
<br />
A rough overview of its tasks:<br />
* Sources the {{Filename|/etc/rc.conf}} script<br />
* Sources the {{Filename|/etc/rc.d/functions}} script<br />
* Displays a welcome message<br />
* Mounts various virtual filesystems<br />
* Creates fake device files<br />
* Starts [[minilogd]]<br />
* Displays [[dmesg]] output<br />
* Configures the hardware clock<br />
* Clears the {{Filename|/proc/sys/kernel/hotplug}} file<br />
* Starts [[udev]] and processes udev events<br />
* Brings up the [[loopback]] interface<br />
* Loads modules from the {{Codeline|MODULES}} array defined in [[rc.conf]]<br />
* Sets up RAID and encrypted filesystem mappings<br />
* Runs a forced partition check ([[fsck]]) if [[fstab|/etc/fstab]] contains instructions to do so<br />
* Mounts local partitions and swap (network drives are not mounted until the network is started)<br />
* Activates [[swap]] areas<br />
* Sets the hostname, locale and system clock as defined in {{Filename|rc.conf}}<br />
* Removes various temporary files, such as {{Filename|/tmp/*}}<br />
* Configures the [[locale]], the console and the keymap<br />
* Sets the console font<br />
* Writes dmesg output to {{Filename|/var/log/dmesg.log}}<br />
<br />
{{Filename|/etc/rc.sysinit}} is a script and not a place for configuration. It sources (that is, reads variables and functions from) [[rc.conf]] for settings and {{Filename|/etc/rc.d/functions}} for the functions that produce the graphical output (colours, alignment, etc.). There is no need to edit this file, although some may wish to in order to improve boot times.<br />
<br />
=== {{Filename|/etc/rc.single}} ===<br />
<br />
Single-user mode boots the system directly into the root account and should be used when the system cannot be booted normally. This script makes sure that no daemons are running except the minimum required (syslog-ng and udev). Single-user mode is useful for system recovery, since it prevents remote users from doing anything that could cause data loss or damage. Note the {{Codeline|su:S:wait:/sbin/sulogin}} entry in {{Filename|/etc/inittab}}: after {{Filename|rc.single}} finishes, {{Codeline|sulogin}} asks for the root password before giving a shell. From this mode, users can continue with the standard (multi-user) boot by typing exit at the console.<br />
<br />
<br />
=== {{Filename|/etc/rc.multi}} ===<br />
{{Filename|/etc/rc.multi}} is run on any multi-user runlevel (i.e. 2, 3, 4 and 5), which basically means any ordinary boot. Typically, users will not notice the transition from {{Filename|rc.sysinit}} to {{Filename|rc.multi}} as {{Filename|rc.multi}} also uses the functions file to produce output. This script has three tasks:<br />
<br />
* First, it runs sysctl (to modify kernel parameters at runtime) which applies the settings in {{Filename|/etc/sysctl.conf}}. Arch has very few of these by default; mainly networking settings.<br />
* Secondly, and most importantly, it starts [[daemons]], as per the {{Codeline|DAEMONS}} array in {{Filename|rc.conf}}.<br />
* Finally, it will run {{Filename|/etc/rc.local}}. <br />
<br />
=== {{Filename|/etc/rc.local}} ===<br />
{{Filename|rc.local}} is the local multi-user startup script. Empty by default, it is a good place to put any last-minute commands the system should run at the very end of the boot process. Most common system configuration tasks (like loading modules, changing the console font, or setting up devices) usually have a dedicated place where they belong. To avoid confusion, ensure that whatever one intends to add to {{Filename|rc.local}} is not already residing in {{Filename|/etc/profile.d}}, or any other existing configuration location instead.<br />
<br />
When editing this file, keep in mind that it is run '''after''' the basic setup (modules/daemons), as the '''root''' user, and '''whether or not''' X starts. Because everything in it runs as root on every boot, keep the file owned by root and not writable by anyone else. Here is an example which just un-mutes the ALSA sound settings:<br />
<br />
{{File<br />
|name=/etc/rc.local<br />
|content=<nowiki><br />
#!/bin/bash<br />
<br />
# /etc/rc.local: Local multi-user startup script.<br />
<br />
amixer sset 'Master Mono' 50% unmute &> /dev/null<br />
amixer sset 'Master' 50% unmute &> /dev/null<br />
amixer sset 'PCM' 75% unmute &> /dev/null<br />
</nowiki>}}<br />
<br />
Another common usage for {{Filename|rc.local}} is to apply various hacks when one cannot make the ordinary initialization work correctly.<br />
<br />
== Custom hooks ==<br />
Hooks can be used to include custom code in various places in the rc.* scripts.<br />
{| class="wikitable"<br />
|-<br />
! scope="col" | Hook Name<br />
! scope="col" | When hook is executed<br />
|-<br />
| sysinit_start<br />
| At the beginning of rc.sysinit<br />
|-<br />
| sysinit_udevlaunched<br />
| After udev has been launched in rc.sysinit<br />
|-<br />
| sysinit_udevsettled<br />
| After uevents have settled in rc.sysinit<br />
|-<br />
| sysinit_prefsck<br />
| Before fsck is run in rc.sysinit<br />
|-<br />
| sysinit_postfsck<br />
| After fsck is run in rc.sysinit<br />
|-<br />
| sysinit_premount<br />
| Before local filesystems are mounted, but after root is mounted read-write in rc.sysinit<br />
|-<br />
| sysinit_end<br />
| At the end of rc.sysinit<br />
|-<br />
| multi_start<br />
| At the beginning of rc.multi<br />
|-<br />
| multi_end<br />
| At the end of rc.multi<br />
|-<br />
| single_start<br />
| At the beginning of rc.single<br />
|-<br />
| single_prekillall<br />
| Before all processes are being killed in rc.single<br />
|-<br />
| single_postkillall<br />
| After all processes have been killed in rc.single<br />
|-<br />
| single_udevlaunched<br />
| After udev has been launched in rc.single<br />
|-<br />
| single_udevsettled<br />
| After uevents have settled in rc.single<br />
|-<br />
| single_end<br />
| At the end of rc.single<br />
|-<br />
| shutdown_start<br />
| At the beginning of rc.shutdown<br />
|-<br />
| shutdown_prekillall<br />
| Before all processes are being killed in rc.shutdown<br />
|-<br />
| shutdown_postkillall<br />
| After all processes have been killed in rc.shutdown<br />
|-<br />
| shutdown_poweroff<br />
| Directly before powering off in rc.shutdown<br />
|}<br />
<br />
To define a hook function, create a file in /etc/rc.d/functions.d using:<br />
<pre><br />
function_name() {<br />
...<br />
}<br />
add_hook hook_name function_name<br />
</pre><br />
Files in /etc/rc.d/functions.d are sourced from {{Filename|/etc/rc.d/functions}}.<br />
You can register multiple hook functions for the same hook, as well as registering the same hook function for multiple hooks. Don't define functions named add_hook or run_hook in these files, as they are defined in {{Filename|/etc/rc.d/functions}}.<br />
<br />
==== Example ====<br />
Adding the following file will disable the write-back cache on a hard drive <i>before</i> any daemons are started (useful for drives containing MySQL InnoDB files).<br />
{{File|name=/etc/rc.d/functions.d/hd_settings|content=hd_settings() {<br />
/sbin/hdparm -W0 /dev/sdb<br />
}<br />
add_hook sysinit_udevsettled hd_settings<br />
add_hook single_udevsettled hd_settings<br />
}}<br />
First it defines the function hd_settings, and then registers it for the single_udevsettled and sysinit_udevsettled hooks. The function will then be called immediately after uevents have settled in {{Filename|/etc/rc.d/rc.sysinit}} or {{Filename|/etc/rc.d/rc.single}}.<br />
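The following is an added example, not code from the Arch initscripts: a minimal POSIX sh re-implementation of the add_hook/run_hook registry that {{Filename|/etc/rc.d/functions}} provides, assumed to behave like the real one (one list of function names per hook, run in registration order). It registers a stand-in for the hd_settings function above for two hooks, adds a second hypothetical drop-in, and then simulates rc.sysinit and rc.single reaching their udevsettled points. hdparm is replaced by appending to a log variable so the example runs anywhere, and the name validation before eval is this example's own addition. Since every file in {{Filename|/etc/rc.d/functions.d}} is sourced by root at boot, that directory deserves the same ownership and permission care as {{Filename|rc.local}}.<br />

```shell
#!/bin/sh
# Added example (not the Arch initscripts code): a minimal re-implementation of
# the add_hook/run_hook registry that /etc/rc.d/functions provides, so the
# behaviour of a functions.d drop-in can be exercised outside a real boot.
# Assumed model: one list of function names per hook, run in registration order.

# Registry: one shell variable per hook name holding a space-separated list of
# function names. Names are validated before being spliced into eval; this
# check is an addition of this example, not something the page documents.
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

add_hook() {
    valid_name "$1" && valid_name "$2" || {
        echo "add_hook: refusing hook='$1' func='$2'" >&2
        return 1
    }
    eval "hook_$1=\"\${hook_$1} $2\""
}

run_hook() {
    valid_name "$1" || return 1
    eval "funcs=\$hook_$1"
    for f in $funcs; do
        "$f"
    done
}

# --- what a drop-in such as /etc/rc.d/functions.d/hd_settings contributes ---
# hdparm is replaced by appending to HOOK_LOG so the example runs anywhere.
HOOK_LOG=""
hd_settings() { HOOK_LOG="${HOOK_LOG}hd_settings;"; }   # stands in for: hdparm -W0 /dev/sdb
late_setup()  { HOOK_LOG="${HOOK_LOG}late_setup;"; }    # a second, hypothetical drop-in

add_hook sysinit_udevsettled hd_settings
add_hook single_udevsettled  hd_settings
add_hook sysinit_udevsettled late_setup

# The points in rc.sysinit / rc.single where run_hook is called.
simulate_sysinit() {
    HOOK_LOG=""
    run_hook sysinit_start          # nothing registered: silently a no-op
    run_hook sysinit_udevsettled    # hd_settings, then late_setup
    printf '%s' "$HOOK_LOG"         # -> hd_settings;late_setup;
}

simulate_single() {
    HOOK_LOG=""
    run_hook single_udevsettled
    printf '%s' "$HOOK_LOG"         # -> hd_settings;
}

# A hook name that is not a plain identifier never reaches eval.
rejects_bad_name() {
    if add_hook 'sysinit_start; touch /tmp/owned' hd_settings 2>/dev/null; then
        return 1
    fi
    return 0
}
```

Registering the same function twice for one hook would run it twice, and hooks nobody registered are simply skipped, which is what makes an empty {{Filename|functions.d}} harmless.<br />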
<br />
== init: Login ==<br />
By default, after the Arch boot scripts are completed, the {{Codeline|/sbin/agetty}} program prompts users for a login name. After a login name is received, {{Codeline|/sbin/agetty}} calls {{Codeline|/bin/login}} to prompt for the login password.<br />
<br />
Finally, with a successful login, the {{Codeline|/bin/login}} program starts the user's default shell. The default shell and environment variables may be globally defined within {{Filename|/etc/profile}}. Variables set in files in a user's home directory take precedence over those defined globally under {{Filename|/etc}}. For instance, if two conflicting variables are specified within {{Filename|/etc/profile}} and {{Filename|~/.bashrc}}, the one dictated by {{Filename|~/.bashrc}} prevails.<br />
<br />
Other options include [[Automatic login to virtual console|mingetty]] which allows for auto-login and [[rungetty]] which allows for auto-login and automatically running commands and programs, e.g. the always useful htop. <br />
<br />
The majority of users wishing to start an [[X]] server during the boot process will want to install a display manager, and see [[Display Manager]] for details. Alternatively, [[Start X at Boot]] outlines methods that do not involve a display manager.<br />
<br />
== See also ==<br />
<br />
* [[Startup files]]<br />
<br />
== External resources ==<br />
* [http://www.cyberciti.biz/faq/grub-boot-into-single-user-mode/ Boot Linux Grub Into Single User Mode]<br />
* [http://www.linuxjournal.com/article/4622 Boot with GRUB]<br />
* [http://www.ibm.com/developerworks/linux/library/l-linuxboot/ Inside the Linux boot process]<br />
* [http://linux.about.com/library/cmd/blcmdl5_sysctl.conf.htm Linux / Unix Command: sysctl.conf]<br />
* [http://bbs.archlinux.org/search.php?action=search&keywords=rc.local&search_in=topic&sort_dir=DESC&show_as=topics Search the forum for rc.local examples]<br />
* [[Wikipedia:Linux startup process]]<br />
* [[Wikipedia:initrd]]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=Arch_boot_process_(Espa%C3%B1ol)&diff=135412Arch boot process (Español)2011-03-31T04:55:37Z<p>Sironitomas: Undo revision 135411 by Sironitomas (talk)</p>
<hr />
<div>[[Category:Boot process (Español)]]<br />
[[Category:About Arch (Español)]]<br />
{{i18n|Arch Boot Process}}<br />
<br />
{{Article summary start}}<br />
{{Article summary text|?}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Boot process overview}}}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|fstab}}<br />
{{Article summary wiki|rc.conf}}<br />
{{Article summary end}}<br />
<br />
This article aims to give a chronological overview of the Arch boot process and the files and processes involved, providing links to relevant wiki articles where needed. Arch follows the BSD init convention rather than the more common SysV one. This means there is little distinction between runlevels, because by default the system is configured to use the same modules and run the same processes in every runlevel. The advantage is that users have a simple way of configuring the start-up process (see [[rc.conf]]); the disadvantage is that some very specific configuration options offered by SysV are lost. See [[Adding Runlevels]] for adding SysV-like configurations to Arch. See [[Wikipedia:init]] for more information on the differences between the SysV and BSD styles.<br />
<br />
</div>Sironitomashttps://wiki.archlinux.org/index.php?title=Arch_boot_process_(Espa%C3%B1ol)&diff=135411Arch boot process (Español)2011-03-31T04:54:29Z<p>Sironitomas: </p>
<hr />
<div>[[Category:Boot process (Español)]]<br />
[[Category:About Arch (Español)]]<br />
{{es|Arch Boot Process}}<br />
<br />
{{Article summary start}}<br />
{{Article summary text|?}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Boot process overview}}}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|fstab}}<br />
{{Article summary wiki|rc.conf}}<br />
{{Article summary end}}<br />
<br />
This article aims to give a chronological overview of the Arch boot process and the files and processes involved, providing links to relevant wiki articles where needed. Arch follows the BSD init convention rather than the more common SysV one. This means there is little distinction between runlevels, because by default the system is configured to use the same modules and run the same processes in every runlevel. The advantage is that users have a simple way of configuring the start-up process (see [[rc.conf]]); the disadvantage is that some very specific configuration options offered by SysV are lost. See [[es|Adding Runlevels]] for adding SysV-like configurations to Arch. See [[es|Wikipedia:init]] for more information on the differences between the SysV and BSD styles.<br />
<br />
== Antes de init ==<br />
Luego de que el sistema es encendido y que [[Wikipedia:Power-on self-test|POST]] es completado, la BIOS localizara el medio preestablecido de arranque y transferira el control de este dispositivo al [[Master Boot Record]]. En un sistema GNU/Linux, comúnmente se encuentra un gestor de arranque como [[GRUB]] o [[LILO]] que luego se carga desde el MBR. El gestor de arranque presentara al usuario un rango de opciones para arrancar, por ejemplo Arch Linux o Windows en [[Windows and Arch Dual Boot|dual-boot setup]]. Una vez que Arch es seleccionado, la imagen del kernel en el directorio {{Filename|/boot}} (actualmente {{Filename|kernel26.img}}) es descomprimida y cargada en memoria.<br />
<br />
<br />
El kernel es el núcleo de un sistema operativo. Este funciona en bajo nivel (''kernelspace'') interactuando entre el hardware y los programas ejecutandose. Para hacer un uso eficiente del CPU, el kernel usa un planificador para decidir cuales tareas tienen mayor prioridad a cada momento, creando la ilusión (para la percepción humana) de que varias tareas están siendo ejecutadas simultáneamente (multitasking).<br />
<br />
Luego de que el kernel es cargado, este lee el [[initramfs]] (sistema de archivos RAM inicial). El propósito de initramfs es de llevar al sistema a un punto donde este puede acceder al sistema de archivos raíz (ver [[FHS]] para detalles). Esto significa que cualquier modulo requerido por dispositivos como IDE, SCSI, o SATA (o USB/FW, si se esta arrancando desde una unidad USB/FW) tiene que ser cargado. Una vez que initramfs carga los módulos adecuados, manualmente o mediante [[udev]], este pasa el control a el kernel y el proceso de arranque continua. Por esta razón, initrd solo necesita contener los módulos necesarios para acceder al sistema de archivos raíz; no necesita contener cualquier otro modulo que uno requiera usar después. La mayoría de los módulos serán cargaos mas tarde por udev, durante el proceso init.<br />
<br />
El kernel luego busca el programa {{Codeline|init}} que reside en {{Filename|/sbin/init}}. {{Codeline|init}} se basa en {{Codeline|glibc}}, la biblioteca C GNU. Las bibliotecas son colecciones de rutinas de programa frecuentemente usadas y son ifentificables mediante la extension {{Filename|*.so}}. Estas son escenciales para la funcionalidad basica del sistema. Esta parte del proceso de arranque es llamada ''early userspace''.<br />
<br />
== init: Los scripts de arranque de Arch ==<br />
El principal proceso de arranque de Arch es iniciado por el programa {{Codeline|init}}, que llama a todos los demás procesos. El propósito de {{Codeline|init}} es el de brindad el sistema a un estado utilizable, usando los scripts de arranque para lograrlo. Como se menciono previamente, Arch usa scripts de arranque de estilo BSD. {{Codeline|init}} lee el archivo {{Codeline|/etc/inittab}}. Por defecto, {{Codeline|/etc/inittab}} empieza con lo siguiente:<br />
<br />
{{File<br />
|name=/etc/inittab<br />
|content=<nowiki><br />
...<br />
# Boot to console<br />
id:3:initdefault:<br />
# Boot to X11<br />
#id:5:initdefault:<br />
<br />
rc::sysinit:/etc/rc.sysinit<br />
rs:S1:wait:/etc/rc.single<br />
rm:2345:wait:/etc/rc.multi<br />
rh:06:wait:/etc/rc.shutdown<br />
su:S:wait:/sbin/sulogin<br />
...<br />
</nowiki>}}<br />
<br />
The first uncommented line defines the system's default runlevel (3). When the kernel calls init:<br />
<br />
* First, the main initialization script, {{Filename|/etc/rc.sysinit}} (a [[Bash]] script), is run.<br />
* If booting into single-user mode (runlevel 1 or S), the {{Filename|/etc/rc.single}} script is run.<br />
* If booting into any other runlevel (2-5), {{Filename|/etc/rc.multi}} is run instead.<br />
* The last script run is {{Filename|/etc/rc.local}} (via {{Filename|/etc/rc.multi}}), which is empty by default.<br />
<br />
=== {{Filename|/etc/rc.sysinit}} ===<br />
{{Filename|rc.sysinit}} is a large startup script that basically takes care of all hardware configuration and general initialization tasks. It can be identified by its first task, printing the lines:<br />
<br />
Arch Linux<br />
http://www.archlinux.org<br />
Copyright 2002-2007 Judd Vinet<br />
Copyright 2007-2010 Aaron Griffin<br />
Distributed under the GNU General Public License (GPL)<br />
<br />
A rough overview of its tasks:<br />
* Sources the {{Filename|/etc/rc.conf}} script<br />
* Sources the {{Filename|/etc/rc.d/functions}} script<br />
* Displays a welcome message<br />
* Mounts various virtual filesystems<br />
* Creates fake device files<br />
* Starts [[minilogd]]<br />
* Displays [[dmesg]] output<br />
* Configures the hardware clock<br />
* Removes the {{Filename|/proc/sys/kernel/hotplug}} file<br />
* Starts [[udev]] and checks for udev events<br />
* Brings up the [[loopback]] interface<br />
* Loads the modules from the {{Codeline|MODULES}} array defined in [[rc.conf]]<br />
* Configures RAID and encrypted filesystem mappings<br />
* Runs a forced partition check ([[fsck]]) if the [[fstab|/etc/fstab]] file contains instructions to do so<br />
* Mounts local partitions and swap (network drives are not mounted until the network is started)<br />
* Activates [[swap]] areas<br />
* Sets the hostname, localization and system clock as defined in {{Filename|rc.conf}}<br />
* Removes various temporary files, such as {{Filename|/tmp/*}}<br />
* Configures the [[locale]], the console and the keyboard mapping<br />
* Sets the console font<br />
* Writes dmesg output to {{Filename|/var/log/dmesg.log}}<br />
<br />
{{Filename|/etc/rc.sysinit}} is a script and not a place for settings. It sources (i.e. reads and inherits variables and functions) [[rc.conf]] for settings and {{Filename|/etc/rc.d/functions}} for the functions that produce its graphical output (colors, alignment, etc.). There is no particular need to edit this file, although some may wish to do so in order to speed up the boot process.<br />
<br />
=== {{Filename|/etc/rc.single}} ===<br />
<br />
Single-user mode will boot straight into the root user account and should be used if one cannot boot the system normally. This script ensures that no daemons are running except for the bare minimum required (syslog-ng and udev). Single-user mode is useful for system recovery, where remote users must be prevented from doing anything that might cause data loss or damage. In this mode, users can continue with the standard (multi-user) boot by typing exit at the console.<br />
<br />
<br />
=== {{Filename|/etc/rc.multi}} ===<br />
{{Filename|/etc/rc.multi}} is run on any multi-user runlevel (i.e. 2, 3, 4 and 5), which basically means any ordinary boot. Typically, users will not notice the transition from {{Filename|rc.sysinit}} to {{Filename|rc.multi}}, as {{Filename|rc.multi}} also uses the functions file to produce output. This script has three tasks:<br />
<br />
* First, it runs sysctl (to modify kernel parameters at runtime) which applies the settings in {{Filename|/etc/sysctl.conf}}. Arch has very few of these by default; mainly networking settings.<br />
* Secondly, and most importantly, it starts [[daemons]], as per the {{Codeline|DAEMONS}} array in {{Filename|rc.conf}}.<br />
* Finally, it will run {{Filename|/etc/rc.local}}. <br />
<br />
=== {{Filename|/etc/rc.local}} ===<br />
{{Filename|rc.local}} is the local multi-user startup script. Empty by default, it is a good place to put any last-minute commands the system should run at the very end of the boot process. Most common system configuration tasks (like loading modules, changing the console font, or setting up devices) usually have a dedicated place where they belong. To avoid confusion, ensure that whatever one intends to add to {{Filename|rc.local}} is not already residing in {{Filename|/etc/profile.d}} or any other existing configuration location.<br />
<br />
When editing this file, keep in mind that it is run '''after''' the basic setup (modules/daemons), as the '''root''' user, and '''whether or not''' X starts. Here is an example which just un-mutes the ALSA sound settings:<br />
<br />
{{File<br />
|name=/etc/rc.local<br />
|content=<nowiki><br />
#!/bin/bash<br />
<br />
# /etc/rc.local: Local multi-user startup script.<br />
<br />
amixer sset 'Master Mono' 50% unmute &> /dev/null<br />
amixer sset 'Master' 50% unmute &> /dev/null<br />
amixer sset 'PCM' 75% unmute &> /dev/null<br />
</nowiki>}}<br />
<br />
Another common usage for {{Filename|rc.local}} is to apply various hacks when one cannot make the ordinary initialization work correctly.<br />
<br />
== Custom hooks ==<br />
Hooks can be used to include custom code in various places in the rc.* scripts.<br />
{| class="wikitable"<br />
|-<br />
! scope="col" | Hook Name<br />
! scope="col" | When hook is executed<br />
|-<br />
| sysinit_start<br />
| At the beginning of rc.sysinit<br />
|-<br />
| sysinit_udevlaunched<br />
| After udev has been launched in rc.sysinit<br />
|-<br />
| sysinit_udevsettled<br />
| After uevents have settled in rc.sysinit<br />
|-<br />
| sysinit_prefsck<br />
| Before fsck is run in rc.sysinit<br />
|-<br />
| sysinit_postfsck<br />
| After fsck is run in rc.sysinit<br />
|-<br />
| sysinit_premount<br />
| Before local filesystems are mounted, but after root is mounted read-write in rc.sysinit<br />
|-<br />
| sysinit_end<br />
| At the end of rc.sysinit<br />
|-<br />
| multi_start<br />
| At the beginning of rc.multi<br />
|-<br />
| multi_end<br />
| At the end of rc.multi<br />
|-<br />
| single_start<br />
| At the beginning of rc.single<br />
|-<br />
| single_prekillall<br />
| Before all processes are being killed in rc.single<br />
|-<br />
| single_postkillall<br />
| After all processes have been killed in rc.single<br />
|-<br />
| single_udevlaunched<br />
| After udev has been launched in rc.single<br />
|-<br />
| single_udevsettled<br />
| After uevents have settled in rc.single<br />
|-<br />
| single_end<br />
| At the end of rc.single<br />
|-<br />
| shutdown_start<br />
| At the beginning of rc.shutdown<br />
|-<br />
| shutdown_prekillall<br />
| Before all processes are being killed in rc.shutdown<br />
|-<br />
| shutdown_postkillall<br />
| After all processes have been killed in rc.shutdown<br />
|-<br />
| shutdown_poweroff<br />
| Directly before powering off in rc.shutdown<br />
|}<br />
<br />
To define a hook function, create a file in /etc/rc.d/functions.d using:<br />
<pre><br />
function_name() {<br />
...<br />
}<br />
add_hook hook_name function_name<br />
</pre><br />
Files in /etc/rc.d/functions.d are sourced from {{Filename|/etc/rc.d/functions}}.<br />
You can register multiple hook functions for the same hook, as well as registering the same hook function for multiple hooks. Don't define functions named add_hook or run_hook in these files, as they are defined in {{Filename|/etc/rc.d/functions}}.<br />
<br />
==== Example ====<br />
Adding the following file will disable the write-back cache on a hard drive <i>before</i> any daemons are started (useful for drives containing MySQL InnoDB files).<br />
{{File|name=/etc/rc.d/functions.d/hd_settings|content=hd_settings() {<br />
/sbin/hdparm -W0 /dev/sdb<br />
}<br />
add_hook sysinit_udevsettled hd_settings<br />
add_hook single_udevsettled hd_settings<br />
}}<br />
First it defines the function hd_settings, and then registers it for the single_udevsettled and sysinit_udevsettled hooks. The function will then be called immediately after uevents have settled in {{Filename|/etc/rc.d/rc.sysinit}} or {{Filename|/etc/rc.d/rc.single}}.<br />
<br />
== init: Login ==<br />
By default, after the Arch boot scripts are completed, the {{Codeline|/sbin/agetty}} program prompts users for a login name. After a login name is received, {{Codeline|/sbin/agetty}} calls {{Codeline|/bin/login}} to prompt for the login password.<br />
<br />
Finally, with a successful login, the {{Codeline|/bin/login}} program starts the user's default shell. The default shell and environment variables may be globally defined within {{Filename|/etc/profile}}. All variables within a user's home directory shall take precedence over those globally defined under {{Filename|/etc}}. For instance, if two conflicting variables are specified within {{Filename|/etc/profile}} and {{Filename|~/.bashrc}}, the one dictated by {{Filename|~/.bashrc}} shall prevail.<br />
<br />
Other options include [[Automatic login to virtual console|mingetty]] which allows for auto-login and [[rungetty]] which allows for auto-login and automatically running commands and programs, e.g. the always useful htop. <br />
<br />
The majority of users wishing to start an [[X]] server during the boot process will want to install a display manager, and see [[Display Manager]] for details. Alternatively, [[Start X at Boot]] outlines methods that do not involve a display manager.<br />
<br />
== See also ==<br />
<br />
* [[Startup files]]<br />
<br />
== External resources ==<br />
* [http://www.cyberciti.biz/faq/grub-boot-into-single-user-mode/ Boot Linux Grub Into Single User Mode]<br />
* [http://www.linuxjournal.com/article/4622 Boot with GRUB]<br />
* [http://www.ibm.com/developerworks/linux/library/l-linuxboot/ Inside the Linux boot process]<br />
* [http://linux.about.com/library/cmd/blcmdl5_sysctl.conf.htm Linux / Unix Command: sysctl.conf]<br />
* [http://bbs.archlinux.org/search.php?action=search&keywords=rc.local&search_in=topic&sort_dir=DESC&show_as=topics Search the forum for rc.local examples]<br />
* [[Wikipedia:Linux startup process]]<br />
* [[Wikipedia:initrd]]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=Arch_boot_process_(Espa%C3%B1ol)&diff=135410Arch boot process (Español)2011-03-31T04:51:41Z<p>Sironitomas: /* init: Los scripts de arranque de Arch */</p>
<hr />
<div>[[Category:Boot process (Español)]]<br />
[[Category:About Arch (Español)]]<br />
{{i18n|Arch Boot Process}}<br />
<br />
{{Article summary start}}<br />
{{Article summary text|?}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Boot process overview}}}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|fstab}}<br />
{{Article summary wiki|rc.conf}}<br />
{{Article summary end}}<br />
<br />
This article aims to give a chronological overview of the Arch boot process and the files and processes involved, providing links to relevant wiki articles where necessary. Arch follows the BSD init convention instead of the more common SysV one. This means there is little distinction between runlevels, because by default the system is configured to use the same modules and run the same processes in every runlevel. The advantage is that users have a simple way to configure the boot process (see [[rc.conf]]); the disadvantage is that some very specific configuration options offered by SysV are lost. See [[Adding Runlevels]] for adding SysV-like configurations to Arch. See [[Wikipedia:init]] for more information on the differences between the SysV and BSD styles.<br />
<br />
== Before init ==<br />
After the system is powered on and the [[Wikipedia:Power-on self-test|POST]] is completed, the BIOS locates the preconfigured boot medium and transfers control to that device's [[Master Boot Record]]. On a GNU/Linux system, a boot loader such as [[GRUB]] or [[LILO]] is commonly found there and is then loaded from the MBR. The boot loader presents the user with a range of boot options, for example Arch Linux or Windows in a [[Windows and Arch Dual Boot|dual-boot setup]]. Once Arch is selected, the kernel image in the {{Filename|/boot}} directory (currently {{Filename|kernel26.img}}) is decompressed and loaded into memory.<br />
<br />
The kernel is the core of an operating system. It operates at a low level (''kernelspace''), mediating between the hardware and the running programs. To make efficient use of the CPU, the kernel uses a scheduler to decide which tasks have higher priority at each moment, creating the illusion (to human perception) that several tasks are being executed simultaneously (multitasking).<br />
<br />
Once the kernel is loaded, it reads the [[initramfs]] (initial RAM filesystem). The purpose of initramfs is to bring the system to a point where it can access the root filesystem (see [[FHS]] for details). This means that any modules required by devices such as IDE, SCSI or SATA (or USB/FW, if booting from a USB/FW drive) have to be loaded. Once initramfs has loaded the appropriate modules, manually or through [[udev]], it passes control back to the kernel and the boot process continues. For this reason, initrd only needs to contain the modules necessary to access the root filesystem; it does not need to contain every other module one may want to use later. Most modules will be loaded later by udev, during the init process.<br />
<br />
The kernel then looks for the {{Codeline|init}} program, which resides in {{Filename|/sbin/init}}. {{Codeline|init}} relies on {{Codeline|glibc}}, the GNU C library. Libraries are collections of frequently used program routines and are identifiable by the {{Filename|*.so}} extension. They are essential for basic system functionality. This part of the boot process is called ''early userspace''.<br />
<br />
== init: The Arch boot scripts ==<br />
The main Arch boot process is started by the {{Codeline|init}} program, which calls every other process. The purpose of {{Codeline|init}} is to bring the system to a usable state, using the boot scripts to do so. As mentioned earlier, Arch uses BSD-style boot scripts. {{Codeline|init}} reads the {{Codeline|/etc/inittab}} file. By default, {{Codeline|/etc/inittab}} begins with the following:<br />
<br />
{{File<br />
|name=/etc/inittab<br />
|content=<nowiki><br />
...<br />
# Boot to console<br />
id:3:initdefault:<br />
# Boot to X11<br />
#id:5:initdefault:<br />
<br />
rc::sysinit:/etc/rc.sysinit<br />
rs:S1:wait:/etc/rc.single<br />
rm:2345:wait:/etc/rc.multi<br />
rh:06:wait:/etc/rc.shutdown<br />
su:S:wait:/sbin/sulogin<br />
...<br />
</nowiki>}}<br />
<br />
The first uncommented line defines the system's default runlevel (3). When the kernel calls init:<br />
<br />
* First, the main initialization script, {{Filename|/etc/rc.sysinit}} (a [[Bash]] script), is run.<br />
* If booting into single-user mode (runlevel 1 or S), the {{Filename|/etc/rc.single}} script is run.<br />
* If booting into any other runlevel (2-5), {{Filename|/etc/rc.multi}} is run instead.<br />
* The last script run is {{Filename|/etc/rc.local}} (via {{Filename|/etc/rc.multi}}), which is empty by default.<br />
<br />
=== {{Filename|/etc/rc.sysinit}} ===<br />
{{Filename|rc.sysinit}} is a large startup script that basically takes care of all hardware configuration and general initialization tasks. It can be identified by its first task, printing the lines:<br />
<br />
Arch Linux<br />
http://www.archlinux.org<br />
Copyright 2002-2007 Judd Vinet<br />
Copyright 2007-2010 Aaron Griffin<br />
Distributed under the GNU General Public License (GPL)<br />
<br />
A rough overview of its tasks:<br />
* Sources the {{Filename|/etc/rc.conf}} script<br />
* Sources the {{Filename|/etc/rc.d/functions}} script<br />
* Displays a welcome message<br />
* Mounts various virtual filesystems<br />
* Creates fake device files<br />
* Starts [[minilogd]]<br />
* Displays [[dmesg]] output<br />
* Configures the hardware clock<br />
* Removes the {{Filename|/proc/sys/kernel/hotplug}} file<br />
* Starts [[udev]] and checks for udev events<br />
* Brings up the [[loopback]] interface<br />
* Loads the modules from the {{Codeline|MODULES}} array defined in [[rc.conf]]<br />
* Configures RAID and encrypted filesystem mappings<br />
* Runs a forced partition check ([[fsck]]) if the [[fstab|/etc/fstab]] file contains instructions to do so<br />
* Mounts local partitions and swap (network drives are not mounted until the network is started)<br />
* Activates [[swap]] areas<br />
* Sets the hostname, localization and system clock as defined in {{Filename|rc.conf}}<br />
* Removes various temporary files, such as {{Filename|/tmp/*}}<br />
* Configures the [[locale]], the console and the keyboard mapping<br />
* Sets the console font<br />
* Writes dmesg output to {{Filename|/var/log/dmesg.log}}<br />
<br />
{{Filename|/etc/rc.sysinit}} is a script and not a place for settings. It sources (i.e. reads and inherits variables and functions) [[rc.conf]] for settings and {{Filename|/etc/rc.d/functions}} for the functions that produce its graphical output (colors, alignment, etc.). There is no particular need to edit this file, although some may wish to do so in order to speed up the boot process.<br />
<br />
=== {{Filename|/etc/rc.single}} ===<br />
<br />
Single-user mode will boot straight into the root user account and should be used if one cannot boot the system normally. This script ensures that no daemons are running except for the bare minimum required (syslog-ng and udev). Single-user mode is useful for system recovery, where remote users must be prevented from doing anything that might cause data loss or damage. In this mode, users can continue with the standard (multi-user) boot by typing exit at the console.<br />
<br />
<br />
=== {{Filename|/etc/rc.multi}} ===<br />
{{Filename|/etc/rc.multi}} is run on any multi-user runlevel (i.e. 2, 3, 4 and 5), which basically means any ordinary boot. Typically, users will not notice the transition from {{Filename|rc.sysinit}} to {{Filename|rc.multi}}, as {{Filename|rc.multi}} also uses the functions file to produce output. This script has three tasks:<br />
<br />
* First, it runs sysctl (to modify kernel parameters at runtime) which applies the settings in {{Filename|/etc/sysctl.conf}}. Arch has very few of these by default; mainly networking settings.<br />
* Secondly, and most importantly, it starts [[daemons]], as per the {{Codeline|DAEMONS}} array in {{Filename|rc.conf}}.<br />
* Finally, it will run {{Filename|/etc/rc.local}}. <br />
<br />
=== {{Filename|/etc/rc.local}} ===<br />
{{Filename|rc.local}} is the local multi-user startup script. Empty by default, it is a good place to put any last-minute commands the system should run at the very end of the boot process. Most common system configuration tasks (like loading modules, changing the console font, or setting up devices) usually have a dedicated place where they belong. To avoid confusion, ensure that whatever one intends to add to {{Filename|rc.local}} is not already residing in {{Filename|/etc/profile.d}} or any other existing configuration location.<br />
<br />
When editing this file, keep in mind that it is run '''after''' the basic setup (modules/daemons), as the '''root''' user, and '''whether or not''' X starts. Here is an example which just un-mutes the ALSA sound settings:<br />
<br />
{{File<br />
|name=/etc/rc.local<br />
|content=<nowiki><br />
#!/bin/bash<br />
<br />
# /etc/rc.local: Local multi-user startup script.<br />
<br />
amixer sset 'Master Mono' 50% unmute &> /dev/null<br />
amixer sset 'Master' 50% unmute &> /dev/null<br />
amixer sset 'PCM' 75% unmute &> /dev/null<br />
</nowiki>}}<br />
<br />
Another common usage for {{Filename|rc.local}} is to apply various hacks when one cannot make the ordinary initialization work correctly.<br />
<br />
== Custom hooks ==<br />
Hooks can be used to include custom code in various places in the rc.* scripts.<br />
{| class="wikitable"<br />
|-<br />
! scope="col" | Hook Name<br />
! scope="col" | When hook is executed<br />
|-<br />
| sysinit_start<br />
| At the beginning of rc.sysinit<br />
|-<br />
| sysinit_udevlaunched<br />
| After udev has been launched in rc.sysinit<br />
|-<br />
| sysinit_udevsettled<br />
| After uevents have settled in rc.sysinit<br />
|-<br />
| sysinit_prefsck<br />
| Before fsck is run in rc.sysinit<br />
|-<br />
| sysinit_postfsck<br />
| After fsck is run in rc.sysinit<br />
|-<br />
| sysinit_premount<br />
| Before local filesystems are mounted, but after root is mounted read-write in rc.sysinit<br />
|-<br />
| sysinit_end<br />
| At the end of rc.sysinit<br />
|-<br />
| multi_start<br />
| At the beginning of rc.multi<br />
|-<br />
| multi_end<br />
| At the end of rc.multi<br />
|-<br />
| single_start<br />
| At the beginning of rc.single<br />
|-<br />
| single_prekillall<br />
| Before all processes are being killed in rc.single<br />
|-<br />
| single_postkillall<br />
| After all processes have been killed in rc.single<br />
|-<br />
| single_udevlaunched<br />
| After udev has been launched in rc.single<br />
|-<br />
| single_udevsettled<br />
| After uevents have settled in rc.single<br />
|-<br />
| single_end<br />
| At the end of rc.single<br />
|-<br />
| shutdown_start<br />
| At the beginning of rc.shutdown<br />
|-<br />
| shutdown_prekillall<br />
| Before all processes are being killed in rc.shutdown<br />
|-<br />
| shutdown_postkillall<br />
| After all processes have been killed in rc.shutdown<br />
|-<br />
| shutdown_poweroff<br />
| Directly before powering off in rc.shutdown<br />
|}<br />
<br />
To define a hook function, create a file in /etc/rc.d/functions.d using:<br />
<pre><br />
function_name() {<br />
...<br />
}<br />
add_hook hook_name function_name<br />
</pre><br />
Files in /etc/rc.d/functions.d are sourced from {{Filename|/etc/rc.d/functions}}.<br />
You can register multiple hook functions for the same hook, as well as registering the same hook function for multiple hooks. Don't define functions named add_hook or run_hook in these files, as they are defined in {{Filename|/etc/rc.d/functions}}.<br />
<br />
==== Example ====<br />
Adding the following file will disable the write-back cache on a hard drive <i>before</i> any daemons are started (useful for drives containing MySQL InnoDB files).<br />
{{File|name=/etc/rc.d/functions.d/hd_settings|content=hd_settings() {<br />
/sbin/hdparm -W0 /dev/sdb<br />
}<br />
add_hook sysinit_udevsettled hd_settings<br />
add_hook single_udevsettled hd_settings<br />
}}<br />
First it defines the function hd_settings, and then registers it for the single_udevsettled and sysinit_udevsettled hooks. The function will then be called immediately after uevents have settled in {{Filename|/etc/rc.d/rc.sysinit}} or {{Filename|/etc/rc.d/rc.single}}.<br />
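The add_hook registration rules described in this "Custom hooks" section (and in the earlier copy of it above) can be exercised without touching a real functions.d directory; the following bash script is an added example, not the initscripts' own code. It re-implements the hook registry in a string variable, adds a second constructed hook function (fs_tuning) next to the page's hd_settings, and finishes with an ownership and permission audit of a functions.d directory, since everything in that directory is sourced as root on every boot; hook_registry, fire_hooks and audit_functions_d are names chosen here, and the audit relies on GNU stat(1).<br />

```bash
#!/bin/bash
# Added example, not part of the Arch initscripts: a small re-implementation of
# the add_hook/run_hook registry described on the page, so the registration
# rules (several functions on one hook, one function on several hooks) can be
# exercised without editing /etc/rc.d/functions.d or running hdparm on a disk.
# hook_registry, fire_hooks, audit_functions_d and fs_tuning are names chosen
# here; the real registry lives in /etc/rc.d/functions.

# Registry: space-separated "hook_name:function_name" pairs, in registration order.
hook_registry=""

add_hook() {
    # usage: add_hook <hook_name> <function_name>; both arguments are required.
    [ -n "$1" ] && [ -n "$2" ] || return 1
    hook_registry="${hook_registry:+$hook_registry }$1:$2"
}

run_hook() {
    # Call every function registered for <hook_name>, in the order registered.
    local hook="$1" pair func
    for pair in $hook_registry; do
        case "$pair" in
            "$hook":*)
                func="${pair#*:}"
                # A registered name that was never defined is skipped rather
                # than aborting the boot script.
                if type "$func" >/dev/null 2>&1; then
                    "$func"
                fi
                ;;
        esac
    done
    return 0
}

# Record of which hook functions ran, so results can be checked, not just printed.
hook_log=""
log_run() { hook_log="${hook_log:+$hook_log,}$1"; }

# Constructed stand-ins for files under /etc/rc.d/functions.d. hd_settings
# mirrors the page's example but only records the call instead of running hdparm.
hd_settings() { log_run hd_settings; }
fs_tuning()   { log_run fs_tuning; }

add_hook sysinit_udevsettled hd_settings
add_hook single_udevsettled  hd_settings     # one function on two hooks
add_hook sysinit_udevsettled fs_tuning       # two functions on one hook
add_hook sysinit_end         not_a_function  # registered, never defined

# fire_hooks <hook_name>...: run the named hooks in the order rc.sysinit or
# rc.single would reach them and print the functions that actually ran.
fire_hooks() {
    local hook
    hook_log=""
    for hook in "$@"; do
        run_hook "$hook"
    done
    printf '%s\n' "$hook_log"
}

# Everything in functions.d is sourced as root on every boot, so the directory
# and its files should be owned by root and writable only by their owner.
# audit_functions_d <dir> [expected_uid]: print each offending path and return 1
# if any is found. Uses GNU stat(1); expected_uid defaults to 0 (root).
audit_functions_d() {
    local dir="$1" expect_uid="${2:-0}" path owner mode rc=0
    for path in "$dir" "$dir"/*; do
        [ -e "$path" ] || continue
        owner=$(stat -c '%u' "$path")
        mode=$(stat -c '%a' "$path")
        # The last two octal digits are the group and other permission sets;
        # a 2, 3, 6 or 7 in either one means its write bit is set.
        case "${mode#${mode%??}}" in
            *[2367]*)
                printf 'insecure: %s is group/world-writable (mode %s)\n' "$path" "$mode"
                rc=1
                ;;
        esac
        if [ "$owner" != "$expect_uid" ]; then
            printf 'insecure: %s is owned by uid %s, expected %s\n' "$path" "$owner" "$expect_uid"
            rc=1
        fi
    done
    return $rc
}
```

Run it with bash and call, for example, fire_hooks sysinit_udevsettled (prints hd_settings,fs_tuning) or audit_functions_d /etc/rc.d/functions.d on a live system.<br />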
<br />
== init: Login ==<br />
By default, after the Arch boot scripts are completed, the {{Codeline|/sbin/agetty}} program prompts users for a login name. After a login name is received, {{Codeline|/sbin/agetty}} calls {{Codeline|/bin/login}} to prompt for the login password.<br />
<br />
Finally, with a successful login, the {{Codeline|/bin/login}} program starts the user's default shell. The default shell and environment variables may be globally defined within {{Filename|/etc/profile}}. All variables within a user's home directory shall take precedence over those globally defined under {{Filename|/etc}}. For instance, if two conflicting variables are specified within {{Filename|/etc/profile}} and {{Filename|~/.bashrc}}, the one dictated by {{Filename|~/.bashrc}} shall prevail.<br />
<br />
Other options include [[Automatic login to virtual console|mingetty]] which allows for auto-login and [[rungetty]] which allows for auto-login and automatically running commands and programs, e.g. the always useful htop. <br />
<br />
The majority of users wishing to start an [[X]] server during the boot process will want to install a display manager, and see [[Display Manager]] for details. Alternatively, [[Start X at Boot]] outlines methods that do not involve a display manager.<br />
<br />
== See also ==<br />
<br />
* [[Startup files]]<br />
<br />
== External resources ==<br />
* [http://www.cyberciti.biz/faq/grub-boot-into-single-user-mode/ Boot Linux Grub Into Single User Mode]<br />
* [http://www.linuxjournal.com/article/4622 Boot with GRUB]<br />
* [http://www.ibm.com/developerworks/linux/library/l-linuxboot/ Inside the Linux boot process]<br />
* [http://linux.about.com/library/cmd/blcmdl5_sysctl.conf.htm Linux / Unix Command: sysctl.conf]<br />
* [http://bbs.archlinux.org/search.php?action=search&keywords=rc.local&search_in=topic&sort_dir=DESC&show_as=topics Search the forum for rc.local examples]<br />
* [[Wikipedia:Linux startup process]]<br />
* [[Wikipedia:initrd]]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=Arch_boot_process_(Espa%C3%B1ol)&diff=135409Arch boot process (Español)2011-03-31T04:42:29Z<p>Sironitomas: /* init: Los scripts de arranque de Arch */</p>
<hr />
<div>[[Category:Boot process (Español)]]<br />
[[Category:About Arch (Español)]]<br />
{{i18n|Arch Boot Process}}<br />
<br />
{{Article summary start}}<br />
{{Article summary text|?}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Boot process overview}}}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|fstab}}<br />
{{Article summary wiki|rc.conf}}<br />
{{Article summary end}}<br />
<br />
This article aims to give a chronological overview of the Arch boot process and the files and processes involved, providing links to relevant wiki articles where necessary. Arch follows the BSD init convention instead of the more common SysV one. This means there is little distinction between runlevels, because by default the system is configured to use the same modules and run the same processes in every runlevel. The advantage is that users have a simple way to configure the boot process (see [[rc.conf]]); the disadvantage is that some very specific configuration options offered by SysV are lost. See [[Adding Runlevels]] for adding SysV-like configurations to Arch. See [[Wikipedia:init]] for more information on the differences between the SysV and BSD styles.<br />
<br />
== Before init ==<br />
After the system is powered on and the [[Wikipedia:Power-on self-test|POST]] is completed, the BIOS locates the preconfigured boot medium and transfers control to that device's [[Master Boot Record]]. On a GNU/Linux system, a boot loader such as [[GRUB]] or [[LILO]] is commonly found there and is then loaded from the MBR. The boot loader presents the user with a range of boot options, for example Arch Linux or Windows in a [[Windows and Arch Dual Boot|dual-boot setup]]. Once Arch is selected, the kernel image in the {{Filename|/boot}} directory (currently {{Filename|kernel26.img}}) is decompressed and loaded into memory.<br />
<br />
The kernel is the core of an operating system. It operates at a low level (''kernelspace''), mediating between the hardware and the running programs. To make efficient use of the CPU, the kernel uses a scheduler to decide which tasks have higher priority at each moment, creating the illusion (to human perception) that several tasks are being executed simultaneously (multitasking).<br />
<br />
Once the kernel is loaded, it reads the [[initramfs]] (initial RAM filesystem). The purpose of initramfs is to bring the system to a point where it can access the root filesystem (see [[FHS]] for details). This means that any modules required by devices such as IDE, SCSI or SATA (or USB/FW, if booting from a USB/FW drive) have to be loaded. Once initramfs has loaded the appropriate modules, manually or through [[udev]], it passes control back to the kernel and the boot process continues. For this reason, initrd only needs to contain the modules necessary to access the root filesystem; it does not need to contain every other module one may want to use later. Most modules will be loaded later by udev, during the init process.<br />
<br />
The kernel then looks for the {{Codeline|init}} program, which resides in {{Filename|/sbin/init}}. {{Codeline|init}} relies on {{Codeline|glibc}}, the GNU C library. Libraries are collections of frequently used program routines and are identifiable by the {{Filename|*.so}} extension. They are essential for basic system functionality. This part of the boot process is called ''early userspace''.<br />
<br />
== init: The Arch boot scripts ==<br />
The main Arch boot process is started by the {{Codeline|init}} program, which calls every other process. The purpose of {{Codeline|init}} is to bring the system to a usable state, using the boot scripts to do so. As mentioned earlier, Arch uses BSD-style boot scripts. {{Codeline|init}} reads the {{Codeline|/etc/inittab}} file. By default, {{Codeline|/etc/inittab}} begins with the following:<br />
<br />
{{File<br />
|name=/etc/inittab<br />
|content=<nowiki><br />
...<br />
# Boot to console<br />
id:3:initdefault:<br />
# Boot to X11<br />
#id:5:initdefault:<br />
<br />
rc::sysinit:/etc/rc.sysinit<br />
rs:S1:wait:/etc/rc.single<br />
rm:2345:wait:/etc/rc.multi<br />
rh:06:wait:/etc/rc.shutdown<br />
su:S:wait:/sbin/sulogin<br />
...<br />
</nowiki>}}<br />
<br />
The first uncommented line defines the system's default runlevel (3). When the kernel calls init:<br />
<br />
* First, the main initialization script, {{Filename|/etc/rc.sysinit}} (a [[Bash]] script), is run.<br />
* If booting into single-user mode (runlevel 1 or S), the {{Filename|/etc/rc.single}} script is run.<br />
* If booting into any other runlevel (2-5), {{Filename|/etc/rc.multi}} is run instead.<br />
* The last script run is {{Filename|/etc/rc.local}} (via {{Filename|/etc/rc.multi}}), which is empty by default.<br />
<br />
=== {{Filename|/etc/rc.sysinit}} ===<br />
{{Filename|rc.sysinit}} is a large startup script that basically takes care of all hardware configuration and general initialization tasks. It can be identified by its first task, printing the lines:<br />
<br />
Arch Linux<br />
http://www.archlinux.org<br />
Copyright 2002-2007 Judd Vinet<br />
Copyright 2007-2010 Aaron Griffin<br />
Distributed under the GNU General Public License (GPL)<br />
<br />
A rough overview of its tasks:<br />
* Sources the {{Filename|/etc/rc.conf}} script<br />
* Sources the {{Filename|/etc/rc.d/functions}} script<br />
* Displays a welcome message<br />
* Mounts various virtual file systems<br />
* Creates dummy device files<br />
* Starts [[minilogd]]<br />
* Outputs messages from [[dmesg]]<br />
* Configures the hardware clock<br />
* Empties the {{Filename|/proc/sys/kernel/hotplug}} file<br />
* Starts [[udev]] and checks for udev events<br />
* Starts the [[loopback]] interface<br />
* Loads modules from the {{Codeline|MODULES}} array defined in [[rc.conf]]<br />
* Configures RAID and encrypted filesystem mappings<br />
* Runs a forced check of partitions ([[fsck]]) if the [[fstab|/etc/fstab]] file contains instructions to do so<br />
* Mounts local partitions and swap (networked drives are not mounted until the network is up)<br />
* Activates [[swap]] areas<br />
* Sets the hostname, locale and system clock as defined in {{Filename|rc.conf}}<br />
* Removes various temporary files, such as {{Filename|/tmp/*}}<br />
* Configures the [[locale]], console and keyboard mappings<br />
* Sets the console font<br />
* Writes output from dmesg to {{Filename|/var/log/dmesg.log}}<br />
<br />
{{Filename|/etc/rc.sysinit}} is a script and not a place for settings. It sources (i.e. reads and inherits variables and functions) [[rc.conf]] for settings and {{Filename|/etc/rc.d/functions}} for the functions that produce its graphical output (nice colors, alignments, switching 'busy' to 'done', etc.). There is no particular need to edit this file, although some may wish to do so in order to speed up the boot process.<br />
<br />
=== {{Filename|/etc/rc.single}} ===<br />
<br />
Single-user mode will boot straight into the root user account and should only be used if one cannot boot normally. This script ensures no daemons are running except for the bare minimum: syslog-ng and udev. The single-user mode is useful for system recovery where preventing remote users from doing anything that might cause data loss or damage is necessary. In single-user mode, users can continue with the standard (multi-user) boot by entering 'exit' at the prompt.<br />
<br />
=== {{Filename|/etc/rc.multi}} ===<br />
{{Filename|/etc/rc.multi}} is run on any multi-user runlevel (i.e. 2, 3, 4 and 5), which basically means any ordinary boot. Typically, users will not notice the transition from {{Filename|rc.sysinit}} to {{Filename|rc.multi}} as {{Filename|rc.multi}} also uses the functions file to produce output. This script has three tasks:<br />
<br />
* First, it runs sysctl (to modify kernel parameters at runtime) which applies the settings in {{Filename|/etc/sysctl.conf}}. Arch has very few of these by default; mainly networking settings.<br />
* Secondly, and most importantly, it starts [[daemons]], as per the {{Codeline|DAEMONS}} array in {{Filename|rc.conf}}.<br />
* Finally, it will run {{Filename|/etc/rc.local}}. <br />
<br />
=== {{Filename|/etc/rc.local}} ===<br />
{{Filename|rc.local}} is the local multi-user startup script. Empty by default, it is a good place to put any last-minute commands the system should run at the very end of the boot process. Most common system configuration tasks (like loading modules, changing<br />
the console font, or setting up devices) usually have a dedicated place where they belong. To avoid confusion, ensure that whatever one intends to add to {{Filename|rc.local}} is not already residing in {{Filename|/etc/profile.d}}, or any other existing configuration location instead.<br />
<br />
When editing this file, keep in mind that it is run '''after''' the basic setup (modules/daemons), as the '''root''' user, and '''whether or not''' X starts. Here is an example which just un-mutes the ALSA sound settings:<br />
<br />
{{File<br />
|name=/etc/rc.local<br />
|content=<nowiki><br />
#!/bin/bash<br />
<br />
# /etc/rc.local: Local multi-user startup script.<br />
<br />
amixer sset 'Master Mono' 50% unmute &> /dev/null<br />
amixer sset 'Master' 50% unmute &> /dev/null<br />
amixer sset 'PCM' 75% unmute &> /dev/null<br />
</nowiki>}}<br />
<br />
Another common usage for {{Filename|rc.local}} is to apply various hacks when one cannot make the ordinary initialization work correctly.<br />
<br />
== Custom hooks ==<br />
Hooks can be used to include custom code in various places in the rc.* scripts.<br />
{| class="wikitable"<br />
|-<br />
! scope="col" | Hook Name<br />
! scope="col" | When hook is executed<br />
|-<br />
| sysinit_start<br />
| At the beginning of rc.sysinit<br />
|-<br />
| sysinit_udevlaunched<br />
| After udev has been launched in rc.sysinit<br />
|-<br />
| sysinit_udevsettled<br />
| After uevents have settled in rc.sysinit<br />
|-<br />
| sysinit_prefsck<br />
| Before fsck is run in rc.sysinit<br />
|-<br />
| sysinit_postfsck<br />
| After fsck is run in rc.sysinit<br />
|-<br />
| sysinit_premount<br />
| Before local filesystems are mounted, but after root is mounted read-write in rc.sysinit<br />
|-<br />
| sysinit_end<br />
| At the end of rc.sysinit<br />
|-<br />
| multi_start<br />
| At the beginning of rc.multi<br />
|-<br />
| multi_end<br />
| At the end of rc.multi<br />
|-<br />
| single_start<br />
| At the beginning of rc.single<br />
|-<br />
| single_prekillall<br />
| Before all processes are being killed in rc.single<br />
|-<br />
| single_postkillall<br />
| After all processes have been killed in rc.single<br />
|-<br />
| single_udevlaunched<br />
| After udev has been launched in rc.single<br />
|-<br />
| single_udevsettled<br />
| After uevents have settled in rc.single<br />
|-<br />
| single_end<br />
| At the end of rc.single<br />
|-<br />
| shutdown_start<br />
| At the beginning of rc.shutdown<br />
|-<br />
| shutdown_prekillall<br />
| Before all processes are being killed in rc.shutdown<br />
|-<br />
| shutdown_postkillall<br />
| After all processes have been killed in rc.shutdown<br />
|-<br />
| shutdown_poweroff<br />
| Directly before powering off in rc.shutdown<br />
|}<br />
<br />
To define a hook function, create a file in /etc/rc.d/functions.d using:<br />
<pre><br />
function_name() {<br />
...<br />
}<br />
add_hook hook_name function_name<br />
</pre><br />
Files in /etc/rc.d/functions.d are sourced from {{Filename|/etc/rc.d/functions}}.<br />
You can register multiple hook functions for the same hook, as well as registering the same hook function for multiple hooks. Don't define functions named add_hook or run_hook in these files, as they are defined in {{Filename|/etc/rc.d/functions}}.<br />
<br />
==== Example ====<br />
Adding the following file will disable the write-back cache on a hard drive <i>before</i> any daemons are started (useful for drives containing MySQL InnoDB files).<br />
{{File|name=/etc/rc.d/functions.d/hd_settings|content=hd_settings() {<br />
/sbin/hdparm -W0 /dev/sdb<br />
}<br />
add_hook sysinit_udevsettled hd_settings<br />
add_hook single_udevsettled hd_settings<br />
}}<br />
First it defines the function hd_settings, and then registers it for the single_udevsettled and sysinit_udevsettled hooks. The function will then be called immediately after uevents have settled in {{Filename|/etc/rc.d/rc.sysinit}} or {{Filename|/etc/rc.d/rc.single}}.<br />
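As an added example (not code from the page or from the Arch initscripts), a stand-in for the add_hook/run_hook registry that {{Filename|/etc/rc.d/functions}} provides, together with a hook registered for sysinit_end and single_end that checks the permissions of the boot scripts init is about to trust; the registry emulation, the function audit_boot_scripts and the BOOT_SCRIPT_ROOT variable are assumptions made here.<br />

```shell
#!/bin/sh
# Added example: a minimal stand-in for the add_hook/run_hook interface of
# /etc/rc.d/functions. Assumption: only the interface is mimicked (register a
# function under a hook name, run the registered functions in order); the
# real implementation is not reproduced here.

HOOK_REGISTRY=""   # newline-separated "hook_name function_name" records

add_hook() {
  # $1 = hook name, $2 = function name. The same function may be registered
  # under several hooks, and several functions under the same hook.
  HOOK_REGISTRY="${HOOK_REGISTRY}$1 $2
"
}

run_hook() {
  # Run every function registered for hook $1, in registration order.
  # A here-document (not a pipe) keeps the loop in the current shell so the
  # hook functions can set global variables.
  _hook="$1"
  while read -r _name _func; do
    if [ "$_name" = "$_hook" ]; then
      "$_func"
    fi
  done <<EOF
$HOOK_REGISTRY
EOF
}

# rc.local and everything in rc.d/functions.d is sourced or run as root during
# boot, so a group- or world-writable file there lets any local user run code
# as root on the next boot. This hook counts such files and warns on the
# console. BOOT_SCRIPT_ROOT is a hypothetical knob that defaults to /etc so
# the check can be pointed at a scratch directory.
audit_boot_scripts() {
  BOOT_SCRIPT_AUDIT_BAD=0
  _root="${BOOT_SCRIPT_ROOT:-/etc}"
  for _f in "$_root/rc.local" "$_root"/rc.d/functions.d/*; do
    [ -e "$_f" ] || continue   # skip a missing rc.local or an unmatched glob
    # POSIX find: -prune limits it to this one path; -perm -g+w and -perm -o+w
    # test the group and other write bits
    if [ -n "$(find "$_f" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
      echo "WARNING: $_f is group/world-writable" >&2
      BOOT_SCRIPT_AUDIT_BAD=$((BOOT_SCRIPT_AUDIT_BAD + 1))
    fi
  done
}

# Register once for the normal boot path and once for single-user mode,
# the same way the hd_settings example above is registered twice.
add_hook sysinit_end audit_boot_scripts
add_hook single_end audit_boot_scripts
```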
<br />
== init: Login ==<br />
By default, after the Arch boot scripts are completed, the {{Codeline|/sbin/agetty}} program prompts users for a login name. After a login name is received, {{Codeline|/sbin/agetty}} calls {{Codeline|/bin/login}} to prompt for the login password.<br />
<br />
Finally, with a successful login, the {{Codeline|/bin/login}} program starts the user's default shell. The default shell and environment variables may be globally defined within {{Filename|/etc/profile}}. All variables within a user's home directory shall take precedence over those globally defined under {{Filename|/etc}}. For instance, if two conflicting variables are specified within {{Filename|/etc/profile}} and {{Filename|~/.bashrc}}, the one dictated by {{Filename|~/.bashrc}} shall prevail.<br />
<br />
Other options include [[Automatic login to virtual console|mingetty]] which allows for auto-login and [[rungetty]] which allows for auto-login and automatically running commands and programs, e.g. the always useful htop. <br />
<br />
The majority of users wishing to start an [[X]] server during the boot process will want to install a display manager, and see [[Display Manager]] for details. Alternatively, [[Start X at Boot]] outlines methods that do not involve a display manager.<br />
<br />
== See also ==<br />
<br />
* [[Startup files]]<br />
<br />
== External resources ==<br />
* [http://www.cyberciti.biz/faq/grub-boot-into-single-user-mode/ Boot Linux Grub Into Single User Mode]<br />
* [http://www.linuxjournal.com/article/4622 Boot with GRUB]<br />
* [http://www.ibm.com/developerworks/linux/library/l-linuxboot/ Inside the Linux boot process]<br />
* [http://linux.about.com/library/cmd/blcmdl5_sysctl.conf.htm Linux / Unix Command: sysctl.conf]<br />
* [http://bbs.archlinux.org/search.php?action=search&keywords=rc.local&search_in=topic&sort_dir=DESC&show_as=topics Search the forum for rc.local examples]<br />
* [[Wikipedia:Linux startup process]]<br />
* [[Wikipedia:initrd]]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=Arch_boot_process_(Espa%C3%B1ol)&diff=135390Arch boot process (Español)2011-03-30T19:06:36Z<p>Sironitomas: </p><br />
<hr />
<div>[[Category:Boot process (Español)]]<br />
[[Category:About Arch (Español)]]<br />
{{i18n|Arch Boot Process}}<br />
<br />
{{Article summary start}}<br />
{{Article summary text|?}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Boot process overview}}}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|fstab}}<br />
{{Article summary wiki|rc.conf}}<br />
{{Article summary end}}<br />
<br />
This article aims to give a chronological overview of the Arch boot process, the files and processes involved, providing links to relevant wiki articles where necessary. Arch follows the BSD init convention rather than the more common SysV one. This means there is little distinction between runlevels, because by default the system is configured to use the same modules and run the same processes on all runlevels. The advantage is that users have a simple way to configure the boot process (see [[rc.conf]]); the disadvantage is that some very specific configuration options offered by SysV are lost. See [[Adding Runlevels]] to add SysV-like configurations to Arch. See [[Wikipedia:init]] for more information on the differences between the SysV and BSD styles.<br />
<br />
== Before init ==<br />
After the system is powered on and the [[Wikipedia:Power-on self-test|POST]] completes, the BIOS locates the configured boot medium and transfers control of that device to the [[Master Boot Record]]. On a GNU/Linux system, a boot loader such as [[GRUB]] or [[LILO]] is commonly found there, and it is then loaded from the MBR. The boot loader presents the user with a range of boot options, for example Arch Linux or Windows in a [[Windows and Arch Dual Boot|dual-boot setup]]. Once Arch is selected, the kernel image in the {{Filename|/boot}} directory (currently {{Filename|kernel26.img}}) is decompressed and loaded into memory.<br />
<br />
The kernel is the core of an operating system. It operates at a low level (''kernelspace''), mediating between the hardware and the running programs. To make efficient use of the CPU, the kernel uses a scheduler to decide which tasks have the highest priority at each moment, creating the illusion (to human perception) that several tasks are being executed simultaneously (multitasking).<br />
<br />
After the kernel is loaded, it reads the [[initramfs]] (initial RAM file system). The purpose of initramfs is to bring the system to a point where it can access the root file system (see [[FHS]] for details). This means that any modules required by devices such as IDE, SCSI, or SATA (or USB/FW, if booting from a USB/FW drive) have to be loaded. Once initramfs loads the appropriate modules, either manually or through [[udev]], it passes control back to the kernel and the boot process continues. For this reason, initrd only needs to contain the modules necessary to access the root file system; it does not need to contain every other module one might want to use later. Most modules will be loaded later by udev, during the init process.<br />
<br />
The kernel then looks for the {{Codeline|init}} program, which resides in {{Filename|/sbin/init}}. {{Codeline|init}} relies on {{Codeline|glibc}}, the GNU C library. Libraries are collections of frequently used program routines and are identifiable by the {{Filename|*.so}} extension. They are essential for basic system functionality. This part of the boot process is called ''early userspace''.<br />
<br />
== init: The Arch boot scripts ==<br />
The main Arch boot process is started by the {{Codeline|init}} program, which calls all other processes. The purpose of {{Codeline|init}} is to bring the system to a usable state, using the boot scripts to do so. As mentioned previously, Arch uses BSD-style boot scripts. {{Codeline|init}} reads the {{Codeline|/etc/inittab}} file. By default, {{Codeline|/etc/inittab}} begins with the following:<br />
<br />
{{File<br />
|name=/etc/inittab<br />
|content=<nowiki><br />
...<br />
<br />
# Boot to console<br />
id:3:initdefault:<br />
# Boot to X11<br />
#id:5:initdefault:<br />
<br />
rc::sysinit:/etc/rc.sysinit<br />
rs:S1:wait:/etc/rc.single<br />
rm:2345:wait:/etc/rc.multi<br />
rh:06:wait:/etc/rc.shutdown<br />
su:S:wait:/sbin/sulogin<br />
<br />
...<br />
</nowiki>}}<br />
<br />
The first uncommented line defines the system's default runlevel (3). When the kernel calls init:<br />
<br />
* First, the main initialization script, {{Filename|/etc/rc.sysinit}} (a [[Bash]] script), is executed.<br />
* If booting into single-user mode (runlevel 1 or S), the {{Filename|/etc/rc.single}} script is executed.<br />
* If booting into any other runlevel (2-5), {{Filename|/etc/rc.multi}} is executed instead.<br />
* The last script executed is {{Filename|/etc/rc.local}} (via {{Filename|/etc/rc.multi}}), which is empty by default.<br />
<br />
=== {{Filename|/etc/rc.sysinit}} ===<br />
{{Filename|rc.sysinit}} is a large startup script that basically takes care of all hardware configuration and general initialization tasks. It can be identified by its first task, printing the lines:<br />
<br />
Arch Linux<br />
http://www.archlinux.org<br />
Copyright 2002-2007 Judd Vinet<br />
Copyright 2007-2010 Aaron Griffin<br />
Distributed under the GNU General Public License (GPL)<br />
<br />
A rough overview of its tasks:<br />
* Sources the {{Filename|/etc/rc.conf}} script<br />
* Sources the {{Filename|/etc/rc.d/functions}} script<br />
* Displays a welcome message<br />
* Mounts various virtual file systems<br />
* Creates dummy device files<br />
* Starts [[minilogd]]<br />
* Outputs messages from [[dmesg]]<br />
* Configures the hardware clock<br />
* Empties the {{Filename|/proc/sys/kernel/hotplug}} file<br />
* Starts [[udev]] and checks for udev events <br />
* Starts the [[loopback]] interface<br />
* Loads modules from the {{Codeline|MODULES}} array defined in [[rc.conf]]<br />
* Configures RAID and encrypted filesystem mappings<br />
* Runs a forced check of partitions ([[fsck]]) if the [[fstab|/etc/fstab]] file contains instructions to do so<br />
* Mounts local partitions and swap (networked drives are not mounted before a network profile is up)<br />
* Activates [[swap]] areas<br />
* Sets the hostname, locale and system clock as defined in {{Filename|rc.conf}}<br />
* Removes various leftover/temporary files, such as {{Filename|/tmp/*}}<br />
* Configures the [[locale]], console and keyboard mappings<br />
* Sets the console font<br />
* Writes output from dmesg to {{Filename|/var/log/dmesg.log}}<br />
<br />
{{Filename|/etc/rc.sysinit}} is a script and not a place for settings. It sources (i.e. reads and inherits variables and functions) [[rc.conf]] for settings and {{Filename|/etc/rc.d/functions}} for the functions that produce its graphical output (nice colors, alignments, switching 'busy' to 'done', etc.). There is no particular need to edit this file, although some may wish to do so in order to speed up the boot process.<br />
<br />
=== {{Filename|/etc/rc.single}} ===<br />
Single-user mode will boot straight into the root user account and should only be used if one cannot boot normally. This script ensures no daemons are running except for the bare minimum: syslog-ng and udev. The single-user mode is useful for system recovery where preventing remote users from doing anything that might cause data loss or damage is necessary. In single-user mode, users can continue with the standard (multi-user) boot by entering 'exit' at the prompt.<br />
<br />
=== {{Filename|/etc/rc.multi}} ===<br />
{{Filename|/etc/rc.multi}} is run on any multi-user runlevel (i.e. 2, 3, 4 and 5), which basically means any ordinary boot. Typically, users will not notice the transition from {{Filename|rc.sysinit}} to {{Filename|rc.multi}} as {{Filename|rc.multi}} also uses the functions file to produce output. This script has three tasks:<br />
<br />
* First, it runs sysctl (to modify kernel parameters at runtime) which applies the settings in {{Filename|/etc/sysctl.conf}}. Arch has very few of these by default; mainly networking settings.<br />
* Secondly, and most importantly, it starts [[daemons]], as per the {{Codeline|DAEMONS}} array in {{Filename|rc.conf}}.<br />
* Finally, it will run {{Filename|/etc/rc.local}}. <br />
<br />
=== {{Filename|/etc/rc.local}} ===<br />
{{Filename|rc.local}} is the local multi-user startup script. Empty by default, it is a good place to put any last-minute commands the system should run at the very end of the boot process. Most common system configuration tasks (like loading modules, changing<br />
the console font, or setting up devices) usually have a dedicated place where they belong. To avoid confusion, ensure that whatever one intends to add to {{Filename|rc.local}} is not already residing in {{Filename|/etc/profile.d}}, or any other existing configuration location instead.<br />
<br />
When editing this file, keep in mind that it is run '''after''' the basic setup (modules/daemons), as the '''root''' user, and '''whether or not''' X starts. Here is an example which just un-mutes the ALSA sound settings:<br />
<br />
{{File<br />
|name=/etc/rc.local<br />
|content=<nowiki><br />
#!/bin/bash<br />
<br />
# /etc/rc.local: Local multi-user startup script.<br />
<br />
amixer sset 'Master Mono' 50% unmute &> /dev/null<br />
amixer sset 'Master' 50% unmute &> /dev/null<br />
amixer sset 'PCM' 75% unmute &> /dev/null<br />
</nowiki>}}<br />
<br />
Another common usage for {{Filename|rc.local}} is to apply various hacks when one cannot make the ordinary initialization work correctly.<br />
<br />
== Custom hooks ==<br />
Hooks can be used to include custom code in various places in the rc.* scripts.<br />
{| class="wikitable"<br />
|-<br />
! scope="col" | Hook Name<br />
! scope="col" | When hook is executed<br />
|-<br />
| sysinit_start<br />
| At the beginning of rc.sysinit<br />
|-<br />
| sysinit_udevlaunched<br />
| After udev has been launched in rc.sysinit<br />
|-<br />
| sysinit_udevsettled<br />
| After uevents have settled in rc.sysinit<br />
|-<br />
| sysinit_prefsck<br />
| Before fsck is run in rc.sysinit<br />
|-<br />
| sysinit_postfsck<br />
| After fsck is run in rc.sysinit<br />
|-<br />
| sysinit_premount<br />
| Before local filesystems are mounted, but after root is mounted read-write in rc.sysinit<br />
|-<br />
| sysinit_end<br />
| At the end of rc.sysinit<br />
|-<br />
| multi_start<br />
| At the beginning of rc.multi<br />
|-<br />
| multi_end<br />
| At the end of rc.multi<br />
|-<br />
| single_start<br />
| At the beginning of rc.single<br />
|-<br />
| single_prekillall<br />
| Before all processes are being killed in rc.single<br />
|-<br />
| single_postkillall<br />
| After all processes have been killed in rc.single<br />
|-<br />
| single_udevlaunched<br />
| After udev has been launched in rc.single<br />
|-<br />
| single_udevsettled<br />
| After uevents have settled in rc.single<br />
|-<br />
| single_end<br />
| At the end of rc.single<br />
|-<br />
| shutdown_start<br />
| At the beginning of rc.shutdown<br />
|-<br />
| shutdown_prekillall<br />
| Before all processes are being killed in rc.shutdown<br />
|-<br />
| shutdown_postkillall<br />
| After all processes have been killed in rc.shutdown<br />
|-<br />
| shutdown_poweroff<br />
| Directly before powering off in rc.shutdown<br />
|}<br />
<br />
To define a hook function, create a file in /etc/rc.d/functions.d using:<br />
<pre><br />
function_name() {<br />
...<br />
}<br />
add_hook hook_name function_name<br />
</pre><br />
Files in /etc/rc.d/functions.d are sourced from {{Filename|/etc/rc.d/functions}}.<br />
You can register multiple hook functions for the same hook, as well as registering the same hook function for multiple hooks. Don't define functions named add_hook or run_hook in these files, as they are defined in {{Filename|/etc/rc.d/functions}}.<br />
<br />
==== Example ====<br />
Adding the following file will disable the write-back cache on a hard drive <i>before</i> any daemons are started (useful for drives containing MySQL InnoDB files).<br />
{{File|name=/etc/rc.d/functions.d/hd_settings|content=hd_settings() {<br />
/sbin/hdparm -W0 /dev/sdb<br />
}<br />
add_hook sysinit_udevsettled hd_settings<br />
add_hook single_udevsettled hd_settings<br />
}}<br />
First it defines the function hd_settings, and then registers it for the single_udevsettled and sysinit_udevsettled hooks. The function will then be called immediately after uevents have settled in {{Filename|/etc/rc.d/rc.sysinit}} or {{Filename|/etc/rc.d/rc.single}}.<br />
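The following standalone script is an added example, not initscripts code: it reimplements a minimal add_hook/run_hook registry along the lines described above (the registry layout is an assumption, not taken from {{Filename|/etc/rc.d/functions}}), registers hd_settings for two hooks plus a second constructed function for one of them, and simulates the order in which rc.sysinit and then rc.single or rc.multi would fire them. Because everything under {{Filename|/etc/rc.d/functions.d}} is sourced as root at boot, the example also rejects hook and function names that are not plain identifiers instead of handing them to the shell.<br />

```shell
#!/bin/sh
# Added example: a minimal reimplementation of the add_hook/run_hook
# registry in the spirit of /etc/rc.d/functions. This is an assumption
# about how such a registry can work, not the initscripts source.
# The hook functions only append to HOOK_LOG, so the script runs
# unprivileged; real hooks run as root during boot.

HOOK_REGISTRY=""   # ordered, space-separated "hook_name:function_name" entries
HOOK_LOG=""        # constructed trace: "function@hook" for every call made

# add_hook hook_name function_name
# Registers function_name to be called when hook_name fires. The same
# function may be registered for several hooks, and several functions
# for the same hook; calls happen in registration order.
add_hook() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    # Hook and function names must be plain identifiers: anything else
    # (spaces, shell metacharacters) would be misparsed by run_hook.
    case "$1$2" in *[!A-Za-z0-9_]*) return 1 ;; esac
    HOOK_REGISTRY="$HOOK_REGISTRY $1:$2"
}

# run_hook hook_name
# Calls every function registered for hook_name, passing the hook name
# as $1. A registered name that is not a defined function is reported
# and skipped rather than aborting the boot sequence.
run_hook() {
    [ -n "$1" ] || return 1
    for rh_entry in $HOOK_REGISTRY; do
        rh_hook=${rh_entry%%:*}
        rh_func=${rh_entry#*:}
        [ "$rh_hook" = "$1" ] || continue
        if ! command -v "$rh_func" >/dev/null 2>&1; then
            echo "run_hook: $rh_func is not a defined function" >&2
            continue
        fi
        "$rh_func" "$1"
    done
}

# --- what /etc/rc.d/functions.d/hd_settings would contribute ----------
# Stand-in for the page's hdparm hook: it records the hook it ran under
# instead of touching a drive.
hd_settings() {
    HOOK_LOG="$HOOK_LOG hd_settings@$1"
}
add_hook sysinit_udevsettled hd_settings
add_hook single_udevsettled hd_settings

# A second (constructed) hook file sharing the sysinit_udevsettled hook.
mount_scratch() {
    HOOK_LOG="$HOOK_LOG mount_scratch@$1"
}
add_hook sysinit_udevsettled mount_scratch

# simulate_boot runlevel
# Fires the hooks in the order rc.sysinit and then rc.single (runlevel
# 1 or S) or rc.multi would reach them, and prints the resulting trace.
simulate_boot() {
    HOOK_LOG=""
    run_hook sysinit_start
    run_hook sysinit_udevlaunched
    run_hook sysinit_udevsettled
    run_hook sysinit_end
    if [ "$1" = "1" ] || [ "$1" = "S" ]; then
        run_hook single_start
        run_hook single_udevlaunched
        run_hook single_udevsettled
        run_hook single_end
    else
        run_hook multi_start
        run_hook multi_end
    fi
    echo "${HOOK_LOG# }"
}

echo "runlevel 3: $(simulate_boot 3)"
echo "runlevel 1: $(simulate_boot 1)"
```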
<br />
== init: Login ==<br />
By default, after the Arch boot scripts are completed, the {{Codeline|/sbin/agetty}} program prompts users for a login name. After a login name is received, {{Codeline|/sbin/agetty}} calls {{Codeline|/bin/login}} to prompt for the login password.<br />
<br />
Finally, with a successful login, the {{Codeline|/bin/login}} program starts the user's default shell. The default shell and environment variables may be globally defined within {{Filename|/etc/profile}}. All variables within a user's home directory shall take precedence over those globally defined under {{Filename|/etc}}. For instance, if two conflicting variables are specified within {{Filename|/etc/profile}} and {{Filename|~/.bashrc}}, the one dictated by {{Filename|~/.bashrc}} shall prevail.<br />
<br />
Other options include [[Automatic login to virtual console|mingetty]] which allows for auto-login and [[rungetty]] which allows for auto-login and automatically running commands and programs, e.g. the always useful htop. <br />
<br />
The majority of users wishing to start an [[X]] server during the boot process will want to install a display manager, and see [[Display Manager]] for details. Alternatively, [[Start X at Boot]] outlines methods that do not involve a display manager.<br />
<br />
== See also ==<br />
<br />
* [[Startup files]]<br />
<br />
== External resources ==<br />
* [http://www.cyberciti.biz/faq/grub-boot-into-single-user-mode/ Boot Linux Grub Into Single User Mode]<br />
* [http://www.linuxjournal.com/article/4622 Boot with GRUB]<br />
* [http://www.ibm.com/developerworks/linux/library/l-linuxboot/ Inside the Linux boot process]<br />
* [http://linux.about.com/library/cmd/blcmdl5_sysctl.conf.htm Linux / Unix Command: sysctl.conf]<br />
* [http://bbs.archlinux.org/search.php?action=search&keywords=rc.local&search_in=topic&sort_dir=DESC&show_as=topics Search the forum for rc.local examples]<br />
* [[Wikipedia:Linux startup process]]<br />
* [[Wikipedia:initrd]]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=Arch_boot_process_(Espa%C3%B1ol)&diff=135310Arch boot process (Español)2011-03-30T03:51:28Z<p>Sironitomas: </p>
<hr />
<div>[[Category:Boot process (Español)]]<br />
[[Category:About Arch (Español)]]<br />
{{i18n|Arch Boot Process}}<br />
<br />
{{Article summary start}}<br />
{{Article summary text|?}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Boot process overview}}}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|fstab}}<br />
{{Article summary wiki|rc.conf}}<br />
{{Article summary end}}<br />
<br />
This article aims to give a chronological overview of the Arch boot process and the files and processes involved, providing links to relevant wiki articles where necessary. Arch follows the BSD init convention, as opposed to the more common SysV. This means there is little distinction between runlevels, because by default the system is configured to use the same modules and run the same processes on every runlevel. The advantage is that users have a simple way to configure the startup process (see [[rc.conf]]); the disadvantage is that some of the very specific configuration options offered by SysV are lost. See [[Adding Runlevels]] for adding some SysV-like capabilities to Arch. See [[Wikipedia:init]] for more information on the distinctions between the SysV and BSD styles.<br />
<br />
== Before init ==<br />
After the system is powered on and [[Wikipedia:Power-on self-test|POST]] has completed, the BIOS locates the preferred boot medium and transfers control to that device's [[Master Boot Record]]. On a GNU/Linux system, a boot loader such as [[GRUB]] or [[LILO]] is commonly found there and is then loaded from the MBR. The boot loader presents the user with a range of boot options, for example Arch Linux and Windows in a [[Windows and Arch Dual Boot|dual-boot setup]]. Once Arch is selected, the kernel image in the {{Filename|/boot}} directory (currently {{Filename|kernel26.img}}) is decompressed and loaded into memory.<br />
<br />
The kernel is the core of an operating system. It runs at a low level (''kernelspace''), mediating between the machine's hardware and the programs that use the hardware to run. To make efficient use of the CPU, the kernel uses a scheduler to arbitrate which tasks have priority at any given moment, creating the illusion (to human perception) that several tasks are being executed simultaneously.<br />
<br />
After the kernel is loaded, it reads the [[initramfs]] (initial RAM filesystem). The purpose of the initramfs is to bootstrap the system to the point where it can access the root filesystem (see [[FHS]] for details). This means that any modules required by devices such as IDE, SCSI or SATA (or USB/FW, if booting from a USB/FW drive) have to be loaded. Once the initramfs has loaded the appropriate modules, either manually or through [[udev]], it passes control back to the kernel and the boot process continues. For this reason, the initrd only needs to contain the modules required to access the root filesystem; it does not need to contain every other module one might want to use. The majority of modules will be loaded later by udev, during the init process.<br />
<br />
The kernel then looks for the {{Codeline|init}} program, which resides in {{Filename|/sbin/init}}. {{Codeline|init}} depends on {{Codeline|glibc}}, the GNU C library. Libraries are collections of frequently used program routines and are identifiable by the {{Filename|*.so}} extension. They are essential for basic system functionality. This part of the boot process is called ''early userspace''.<br />
<br />
== init: The Arch boot scripts ==<br />
The main Arch boot process is started by the {{Codeline|init}} program, which calls every other process. The purpose of {{Codeline|init}} is to bring the system to a usable state, using the boot scripts to do so. As mentioned previously, Arch uses BSD-style boot scripts. {{Codeline|init}} reads the {{Codeline|/etc/inittab}} file. By default, {{Codeline|/etc/inittab}} begins with the following:<br />
<br />
<br />
{{File<br />
|name=/etc/inittab<br />
|content=<nowiki><br />
...<br />
<br />
# Boot to console<br />
id:3:initdefault:<br />
# Boot to X11<br />
#id:5:initdefault:<br />
<br />
rc::sysinit:/etc/rc.sysinit<br />
rs:S1:wait:/etc/rc.single<br />
rm:2345:wait:/etc/rc.multi<br />
rh:06:wait:/etc/rc.shutdown<br />
su:S:wait:/sbin/sulogin<br />
<br />
...<br />
</nowiki>}}<br />
<br />
The first uncommented line defines the system's default runlevel (3). When the kernel calls init:<br />
<br />
* First, the main initialization script is run, {{Filename|/etc/rc.sysinit}} (a [[Bash]] script).<br />
* If booting into single-user mode (runlevel 1 or S), the {{Filename|/etc/rc.single}} script is run.<br />
* If booting into any other runlevel (2-5), {{Filename|/etc/rc.multi}} is run instead.<br />
* The last script run is {{Filename|/etc/rc.local}} (via {{Filename|/etc/rc.multi}}), which is empty by default.<br />
<br />
<br />
=== {{Filename|/etc/rc.sysinit}} ===<br />
{{Filename|rc.sysinit}} is a huge startup script that basically takes care of all hardware configuration plus a number of general initialization tasks. It can be identified by its first task, printing the lines:<br />
<br />
Arch Linux<br />
http://www.archlinux.org<br />
Copyright 2002-2007 Judd Vinet<br />
Copyright 2007-2010 Aaron Griffin<br />
Distributed under the GNU General Public License (GPL)<br />
<br />
A rough overview of its tasks:<br />
* Sources the {{Filename|/etc/rc.conf}} script<br />
* Sources the {{Filename|/etc/rc.d/functions}} script<br />
* Displays a welcome message<br />
* Mounts various virtual file systems<br />
* Creates dummy device files<br />
* Starts [[minilogd]]<br />
* Outputs messages from [[dmesg]]<br />
* Configures the hardware clock<br />
* Empties the {{Filename|/proc/sys/kernel/hotplug}} file<br />
* Starts [[udev]] and checks for udev events <br />
* Starts the [[loopback]] interface<br />
* Loads modules from the {{Codeline|MODULES}} array defined in [[rc.conf]]<br />
* Configures RAID and encrypted filesystem mappings<br />
* Runs a forced check of partitions ([[fsck]]) if the [[fstab|/etc/fstab]] file contains instructions to do so<br />
* Mounts local partitions and swap (networked drives are not mounted before a network profile is up)<br />
* Activates [[swap]] areas<br />
* Sets the hostname, locale and system clock as defined in {{Filename|rc.conf}}<br />
* Removes various leftover/temporary files, such as {{Filename|/tmp/*}}<br />
* Configures the [[locale]], console and keyboard mappings<br />
* Sets the console font<br />
* Writes output from dmesg to {{Filename|/var/log/dmesg.log}}<br />
<br />
{{Filename|/etc/rc.sysinit}} is a script and not a place for settings. It sources (i.e. reads and inherits variables and functions) [[rc.conf]] for settings and {{Filename|/etc/rc.d/functions}} for the functions that produce its graphical output (nice colors, alignments, switching 'busy' to 'done', etc.). There is no particular need to edit this file, although some may wish to do so in order to speed up the boot process.<br />
<br />
=== {{Filename|/etc/rc.single}} ===<br />
Single-user mode will boot straight into the root user account and should only be used if one cannot boot normally. This script ensures no daemons are running except for the bare minimum: syslog-ng and udev. The single-user mode is useful for system recovery where preventing remote users from doing anything that might cause data loss or damage is necessary. In single-user mode, users can continue with the standard (multi-user) boot by entering 'exit' at the prompt.<br />
<br />
=== {{Filename|/etc/rc.multi}} ===<br />
{{Filename|/etc/rc.multi}} is run on any multi-user runlevel (i.e. 2, 3, 4 and 5), which basically means any ordinary boot. Typically, users will not notice the transition from {{Filename|rc.sysinit}} to {{Filename|rc.multi}} as {{Filename|rc.multi}} also uses the functions file to produce output. This script has three tasks:<br />
<br />
* First, it runs sysctl (to modify kernel parameters at runtime) which applies the settings in {{Filename|/etc/sysctl.conf}}. Arch has very few of these by default; mainly networking settings.<br />
* Secondly, and most importantly, it starts [[daemons]], as per the {{Codeline|DAEMONS}} array in {{Filename|rc.conf}}.<br />
* Finally, it will run {{Filename|/etc/rc.local}}. <br />
<br />
=== {{Filename|/etc/rc.local}} ===<br />
{{Filename|rc.local}} is the local multi-user startup script. Empty by default, it is a good place to put any last-minute commands the system should run at the very end of the boot process. Most common system configuration tasks (like loading modules, changing<br />
the console font, or setting up devices) usually have a dedicated place where they belong. To avoid confusion, ensure that whatever one intends to add to {{Filename|rc.local}} is not already residing in {{Filename|/etc/profile.d}}, or any other existing configuration location instead.<br />
<br />
When editing this file, keep in mind that it is run '''after''' the basic setup (modules/daemons), as the '''root''' user, and '''whether or not''' X starts. Here is an example which just un-mutes the ALSA sound settings:<br />
<br />
{{File<br />
|name=/etc/rc.local<br />
|content=<nowiki><br />
#!/bin/bash<br />
<br />
# /etc/rc.local: Local multi-user startup script.<br />
<br />
amixer sset 'Master Mono' 50% unmute &> /dev/null<br />
amixer sset 'Master' 50% unmute &> /dev/null<br />
amixer sset 'PCM' 75% unmute &> /dev/null<br />
</nowiki>}}<br />
<br />
Another common usage for {{Filename|rc.local}} is to apply various hacks when one cannot make the ordinary initialization work correctly.<br />
<br />
== Custom hooks ==<br />
Hooks can be used to include custom code in various places in the rc.* scripts.<br />
{| class="wikitable"<br />
|-<br />
! scope="col" | Hook Name<br />
! scope="col" | When hook is executed<br />
|-<br />
| sysinit_start<br />
| At the beginning of rc.sysinit<br />
|-<br />
| sysinit_udevlaunched<br />
| After udev has been launched in rc.sysinit<br />
|-<br />
| sysinit_udevsettled<br />
| After uevents have settled in rc.sysinit<br />
|-<br />
| sysinit_prefsck<br />
| Before fsck is run in rc.sysinit<br />
|-<br />
| sysinit_postfsck<br />
| After fsck is run in rc.sysinit<br />
|-<br />
| sysinit_premount<br />
| Before local filesystems are mounted, but after root is mounted read-write in rc.sysinit<br />
|-<br />
| sysinit_end<br />
| At the end of rc.sysinit<br />
|-<br />
| multi_start<br />
| At the beginning of rc.multi<br />
|-<br />
| multi_end<br />
| At the end of rc.multi<br />
|-<br />
| single_start<br />
| At the beginning of rc.single<br />
|-<br />
| single_prekillall<br />
| Before all processes are being killed in rc.single<br />
|-<br />
| single_postkillall<br />
| After all processes have been killed in rc.single<br />
|-<br />
| single_udevlaunched<br />
| After udev has been launched in rc.single<br />
|-<br />
| single_udevsettled<br />
| After uevents have settled in rc.single<br />
|-<br />
| single_end<br />
| At the end of rc.single<br />
|-<br />
| shutdown_start<br />
| At the beginning of rc.shutdown<br />
|-<br />
| shutdown_prekillall<br />
| Before all processes are being killed in rc.shutdown<br />
|-<br />
| shutdown_postkillall<br />
| After all processes have been killed in rc.shutdown<br />
|-<br />
| shutdown_poweroff<br />
| Directly before powering off in rc.shutdown<br />
|}<br />
<br />
To define a hook function, create a file in /etc/rc.d/functions.d using:<br />
<pre><br />
function_name() {<br />
...<br />
}<br />
add_hook hook_name function_name<br />
</pre><br />
Files in /etc/rc.d/functions.d are sourced from {{Filename|/etc/rc.d/functions}}.<br />
You can register multiple hook functions for the same hook, as well as registering the same hook function for multiple hooks. Don't define functions named add_hook or run_hook in these files, as they are defined in {{Filename|/etc/rc.d/functions}}.<br />
<br />
==== Example ====<br />
Adding the following file will disable the write-back cache on a hard drive <i>before</i> any daemons are started (useful for drives containing MySQL InnoDB files).<br />
{{File|name=/etc/rc.d/functions.d/hd_settings|content=hd_settings() {<br />
/sbin/hdparm -W0 /dev/sdb<br />
}<br />
add_hook sysinit_udevsettled hd_settings<br />
add_hook single_udevsettled hd_settings<br />
}}<br />
First it defines the function hd_settings, and then registers it for the single_udevsettled and sysinit_udevsettled hooks. The function will then be called immediately after uevents have settled in {{Filename|/etc/rc.d/rc.sysinit}} or {{Filename|/etc/rc.d/rc.single}}.<br />
<br />
== init: Login ==<br />
By default, after the Arch boot scripts are completed, the {{Codeline|/sbin/agetty}} program prompts users for a login name. After a login name is received, {{Codeline|/sbin/agetty}} calls {{Codeline|/bin/login}} to prompt for the login password.<br />
<br />
Finally, with a successful login, the {{Codeline|/bin/login}} program starts the user's default shell. The default shell and environment variables may be globally defined within {{Filename|/etc/profile}}. All variables within a user's home directory shall take precedence over those globally defined under {{Filename|/etc}}. For instance, if two conflicting variables are specified within {{Filename|/etc/profile}} and {{Filename|~/.bashrc}}, the one dictated by {{Filename|~/.bashrc}} shall prevail.<br />
<br />
Other options include [[Automatic login to virtual console|mingetty]] which allows for auto-login and [[rungetty]] which allows for auto-login and automatically running commands and programs, e.g. the always useful htop. <br />
<br />
The majority of users wishing to start an [[X]] server during the boot process will want to install a display manager, and see [[Display Manager]] for details. Alternatively, [[Start X at Boot]] outlines methods that do not involve a display manager.<br />
<br />
== See also ==<br />
<br />
* [[Startup files]]<br />
<br />
== External resources ==<br />
* [http://www.cyberciti.biz/faq/grub-boot-into-single-user-mode/ Boot Linux Grub Into Single User Mode]<br />
* [http://www.linuxjournal.com/article/4622 Boot with GRUB]<br />
* [http://www.ibm.com/developerworks/linux/library/l-linuxboot/ Inside the Linux boot process]<br />
* [http://linux.about.com/library/cmd/blcmdl5_sysctl.conf.htm Linux / Unix Command: sysctl.conf]<br />
* [http://bbs.archlinux.org/search.php?action=search&keywords=rc.local&search_in=topic&sort_dir=DESC&show_as=topics Search the forum for rc.local examples]<br />
* [[Wikipedia:Linux startup process]]<br />
* [[Wikipedia:initrd]]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=Arch_boot_process_(Espa%C3%B1ol)&diff=135294Arch boot process (Español)2011-03-29T18:10:27Z<p>Sironitomas: </p>
<hr />
<div>[[Category:Boot process (Español)]]<br />
[[Category:About Arch (Español)]]<br />
{{i18n|Arch Boot Process}}<br />
<br />
{{Article summary start}}<br />
{{Article summary text|?}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Boot process overview}}}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|fstab}}<br />
{{Article summary wiki|rc.conf}}<br />
{{Article summary end}}<br />
<br />
This article aims to give a chronological overview of the Arch boot process and the files and processes involved, providing links to relevant wiki articles where necessary. Arch follows the BSD init convention, as opposed to the more common SysV. This means there is little distinction between runlevels, because by default the system is configured to use the same modules and run the same processes on every runlevel. The advantage is that users have a simple way to configure the startup process (see [[rc.conf]]); the disadvantage is that some of the very specific configuration options offered by SysV are lost. See [[Adding Runlevels]] for adding some SysV-like capabilities to Arch. See [[Wikipedia:init]] for more information on the distinctions between the SysV and BSD styles.<br />
<br />
== Before init ==<br />
After the system is powered on and [[Wikipedia:Power-on self-test|POST]] has completed, the BIOS locates the preferred boot medium and transfers control to that device's [[Master Boot Record]]. On a GNU/Linux system, a boot loader such as [[GRUB]] or [[LILO]] is commonly found there and is then loaded from the MBR. The boot loader presents the user with a range of boot options, for example Arch Linux and Windows in a [[Windows and Arch Dual Boot|dual-boot setup]]. Once Arch is selected, the kernel image in the {{Filename|/boot}} directory (currently {{Filename|kernel26.img}}) is decompressed and loaded into memory.<br />
<br />
The kernel is the core of an operating system. It runs at a low level (''kernelspace''), mediating between the machine's hardware and the programs that use the hardware to run. To make efficient use of the CPU, the kernel uses a scheduler to arbitrate which tasks have priority at any given moment, creating the illusion (to human perception) that several tasks are being executed simultaneously.<br />
<br />
After the kernel is loaded, it reads the [[initramfs]] (initial RAM filesystem). The purpose of the initramfs is to bootstrap the system to the point where it can access the root filesystem (see [[FHS]] for details). This means that any modules required by devices such as IDE, SCSI or SATA (or USB/FW, if booting from a USB/FW drive) have to be loaded. Once the initramfs has loaded the appropriate modules, either manually or through [[udev]], it passes control back to the kernel and the boot process continues. For this reason, the initrd only needs to contain the modules required to access the root filesystem; it does not need to contain every other module one might want to use. The majority of modules will be loaded later by udev, during the init process.<br />
<br />
The kernel then looks for the {{Codeline|init}} program, which resides in {{Filename|/sbin/init}}. {{Codeline|init}} depends on {{Codeline|glibc}}, the GNU C library. Libraries are collections of frequently used program routines and are identifiable by the {{Filename|*.so}} extension. They are essential for basic system functionality. This part of the boot process is called ''early userspace''.<br />
<br />
== init: The Arch boot scripts ==<br />
The main Arch boot process is started by the {{Codeline|init}} program, which calls every other process. The purpose of {{Codeline|init}} is to bring the system to a usable state, using the boot scripts to do so. As mentioned previously, Arch uses BSD-style boot scripts. {{Codeline|init}} reads the {{Codeline|/etc/inittab}} file. By default, {{Codeline|/etc/inittab}} begins with the following:<br />
<br />
<br />
{{File<br />
|name=/etc/inittab<br />
|content=<nowiki><br />
...<br />
<br />
# Boot to console<br />
id:3:initdefault:<br />
# Boot to X11<br />
#id:5:initdefault:<br />
<br />
rc::sysinit:/etc/rc.sysinit<br />
rs:S1:wait:/etc/rc.single<br />
rm:2345:wait:/etc/rc.multi<br />
rh:06:wait:/etc/rc.shutdown<br />
su:S:wait:/sbin/sulogin<br />
<br />
...<br />
</nowiki>}}<br />
<br />
The first uncommented line defines the system's default runlevel (3). When the kernel calls init:<br />
<br />
* First, the main initialization script is run, {{Filename|/etc/rc.sysinit}} (a [[Bash]] script).<br />
* If booting into single-user mode (runlevel 1 or S), the {{Filename|/etc/rc.single}} script is run.<br />
* If booting into any other runlevel (2-5), {{Filename|/etc/rc.multi}} is run instead.<br />
* The last script run is {{Filename|/etc/rc.local}} (via {{Filename|/etc/rc.multi}}), which is empty by default.<br />
<br />
<br />
=== {{Filename|/etc/rc.sysinit}} ===<br />
{{Filename|rc.sysinit}} is a huge startup script that basically takes care of all hardware configuration plus a number of general initialization tasks. It can be identified by its first task, printing the lines:<br />
<br />
Arch Linux<br />
http://www.archlinux.org<br />
Copyright 2002-2007 Judd Vinet<br />
Copyright 2007-2010 Aaron Griffin<br />
Distributed under the GNU General Public License (GPL)<br />
<br />
A rough overview of its tasks:<br />
* Sources the {{Filename|/etc/rc.conf}} script<br />
* Sources the {{Filename|/etc/rc.d/functions}} script<br />
* Displays a welcome message<br />
* Mounts various virtual file systems<br />
* Creates dummy device files<br />
* Starts [[minilogd]]<br />
* Outputs messages from [[dmesg]]<br />
* Configures the hardware clock<br />
* Empties the {{Filename|/proc/sys/kernel/hotplug}} file<br />
* Starts [[udev]] and checks for udev events <br />
* Starts the [[loopback]] interface<br />
* Loads modules from the {{Codeline|MODULES}} array defined in [[rc.conf]]<br />
* Configures RAID and encrypted filesystem mappings<br />
* Runs a forced check of partitions ([[fsck]]) if the [[fstab|/etc/fstab]] file contains instructions to do so<br />
* Mounts local partitions and swap (networked drives are not mounted before a network profile is up)<br />
* Activates [[swap]] areas<br />
* Sets the hostname, locale and system clock as defined in {{Filename|rc.conf}}<br />
* Removes various leftover/temporary files, such as {{Filename|/tmp/*}}<br />
* Configures the [[locale]], console and keyboard mappings<br />
* Sets the console font<br />
* Writes output from dmesg to {{Filename|/var/log/dmesg.log}}<br />
<br />
{{Filename|/etc/rc.sysinit}} is a script and not a place for settings. It sources (i.e. reads and inherits variables and functions) [[rc.conf]] for settings and {{Filename|/etc/rc.d/functions}} for the functions that produce its graphical output (nice colors, alignments, switching 'busy' to 'done', etc.). There is no particular need to edit this file, although some may wish to do so in order to speed up the boot process.<br />
<br />
=== {{Filename|/etc/rc.single}} ===<br />
Single-user mode will boot straight into the root user account and should only be used if one cannot boot normally. This script ensures no daemons are running except for the bare minimum: syslog-ng and udev. The single-user mode is useful for system recovery where preventing remote users from doing anything that might cause data loss or damage is necessary. In single-user mode, users can continue with the standard (multi-user) boot by entering 'exit' at the prompt.<br />
<br />
=== {{Filename|/etc/rc.multi}} ===<br />
{{Filename|/etc/rc.multi}} is run on any multi-user runlevel (i.e. 2, 3, 4 and 5), which basically means any ordinary boot. Typically, users will not notice the transition from {{Filename|rc.sysinit}} to {{Filename|rc.multi}} as {{Filename|rc.multi}} also uses the functions file to produce output. This script has three tasks:<br />
<br />
* First, it runs sysctl (to modify kernel parameters at runtime) which applies the settings in {{Filename|/etc/sysctl.conf}}. Arch has very few of these by default; mainly networking settings.<br />
* Secondly, and most importantly, it starts [[daemons]], as per the {{Codeline|DAEMONS}} array in {{Filename|rc.conf}}.<br />
* Finally, it will run {{Filename|/etc/rc.local}}. <br />
<br />
=== {{Filename|/etc/rc.local}} ===<br />
{{Filename|rc.local}} is the local multi-user startup script. Empty by default, it is a good place to put any last-minute commands the system should run at the very end of the boot process. Most common system configuration tasks (like loading modules, changing the console font, or setting up devices) usually have a dedicated place where they belong. To avoid confusion, ensure that whatever one intends to add to {{Filename|rc.local}} is not already residing in {{Filename|/etc/profile.d}} or any other existing configuration location.<br />
<br />
When editing this file, keep in mind that it is run '''after''' the basic setup (modules/daemons), as the '''root''' user, and '''whether or not''' X starts. Here is an example which just un-mutes the ALSA sound settings:<br />
<br />
{{File<br />
|name=/etc/rc.local<br />
|content=<nowiki><br />
#!/bin/bash<br />
<br />
# /etc/rc.local: Local multi-user startup script.<br />
<br />
amixer sset 'Master Mono' 50% unmute &> /dev/null<br />
amixer sset 'Master' 50% unmute &> /dev/null<br />
amixer sset 'PCM' 75% unmute &> /dev/null<br />
</nowiki>}}<br />
<br />
Another common usage for {{Filename|rc.local}} is to apply various hacks when one cannot make the ordinary initialization work correctly.<br />
<br />
== Custom hooks ==<br />
Hooks can be used to include custom code in various places in the rc.* scripts.<br />
{| class="wikitable"<br />
|-<br />
! scope="col" | Hook Name<br />
! scope="col" | When hook is executed<br />
|-<br />
| sysinit_start<br />
| At the beginning of rc.sysinit<br />
|-<br />
| sysinit_udevlaunched<br />
| After udev has been launched in rc.sysinit<br />
|-<br />
| sysinit_udevsettled<br />
| After uevents have settled in rc.sysinit<br />
|-<br />
| sysinit_prefsck<br />
| Before fsck is run in rc.sysinit<br />
|-<br />
| sysinit_postfsck<br />
| After fsck is run in rc.sysinit<br />
|-<br />
| sysinit_premount<br />
| Before local filesystems are mounted, but after root is mounted read-write in rc.sysinit<br />
|-<br />
| sysinit_end<br />
| At the end of rc.sysinit<br />
|-<br />
| multi_start<br />
| At the beginning of rc.multi<br />
|-<br />
| multi_end<br />
| At the end of rc.multi<br />
|-<br />
| single_start<br />
| At the beginning of rc.single<br />
|-<br />
| single_prekillall<br />
| Before all processes are being killed in rc.single<br />
|-<br />
| single_postkillall<br />
| After all processes have been killed in rc.single<br />
|-<br />
| single_udevlaunched<br />
| After udev has been launched in rc.single<br />
|-<br />
| single_udevsettled<br />
| After uevents have settled in rc.single<br />
|-<br />
| single_end<br />
| At the end of rc.single<br />
|-<br />
| shutdown_start<br />
| At the beginning of rc.shutdown<br />
|-<br />
| shutdown_prekillall<br />
| Before all processes are being killed in rc.shutdown<br />
|-<br />
| shutdown_postkillall<br />
| After all processes have been killed in rc.shutdown<br />
|-<br />
| shutdown_poweroff<br />
| Directly before powering off in rc.shutdown<br />
|}<br />
<br />
To define a hook function, create a file in /etc/rc.d/functions.d using:<br />
<pre><br />
function_name() {<br />
...<br />
}<br />
add_hook hook_name function_name<br />
</pre><br />
Files in /etc/rc.d/functions.d are sourced from {{Filename|/etc/rc.d/functions}}.<br />
You can register multiple hook functions for the same hook, as well as registering the same hook function for multiple hooks. Don't define functions named add_hook or run_hook in these files, as they are defined in {{Filename|/etc/rc.d/functions}}.<br />
<br />
==== Example ====<br />
Adding the following file will disable the write-back cache on a hard drive ''before'' any daemons are started (useful for drives containing MySQL InnoDB files).<br />
{{File|name=/etc/rc.d/functions.d/hd_settings|content=hd_settings() {<br />
/sbin/hdparm -W0 /dev/sdb<br />
}<br />
add_hook sysinit_udevsettled hd_settings<br />
add_hook single_udevsettled hd_settings<br />
}}<br />
First, it defines the function hd_settings, and then registers it for the single_udevsettled and sysinit_udevsettled hooks. The function will then be called immediately after uevents have settled in {{Filename|/etc/rc.d/rc.sysinit}} or {{Filename|/etc/rc.d/rc.single}}.<br />
<br />
== init: Login ==<br />
By default, after the Arch boot scripts are completed, the {{Codeline|/sbin/agetty}} program prompts users for a login name. After a login name is received, {{Codeline|/sbin/agetty}} calls {{Codeline|/bin/login}} to prompt for the login password.<br />
<br />
Finally, with a successful login, the {{Codeline|/bin/login}} program starts the user's default shell. The default shell and environment variables may be globally defined within {{Filename|/etc/profile}}. All variables within a user's home directory shall take precedence over those globally defined under {{Filename|/etc}}. For instance, if two conflicting variables are specified within {{Filename|/etc/profile}} and {{Filename|~/.bashrc}}, the one dictated by {{Filename|~/.bashrc}} shall prevail.<br />
<br />
Other options include [[Automatic login to virtual console|mingetty]] which allows for auto-login and [[rungetty]] which allows for auto-login and automatically running commands and programs, e.g. the always useful htop. <br />
<br />
The majority of users wishing to start an [[X]] server during the boot process will want to install a display manager, and see [[Display Manager]] for details. Alternatively, [[Start X at Boot]] outlines methods that do not involve a display manager.<br />
<br />
== See also ==<br />
<br />
* [[Startup files]]<br />
<br />
== External resources ==<br />
* [http://www.cyberciti.biz/faq/grub-boot-into-single-user-mode/ Boot Linux Grub Into Single User Mode]<br />
* [http://www.linuxjournal.com/article/4622 Boot with GRUB]<br />
* [http://www.ibm.com/developerworks/linux/library/l-linuxboot/ Inside the Linux boot process]<br />
* [http://linux.about.com/library/cmd/blcmdl5_sysctl.conf.htm Linux / Unix Command: sysctl.conf]<br />
* [http://bbs.archlinux.org/search.php?action=search&keywords=rc.local&search_in=topic&sort_dir=DESC&show_as=topics Search the forum for rc.local examples]<br />
* [[Wikipedia:Linux startup process]]<br />
* [[Wikipedia:initrd]]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=Arch_boot_process_(Espa%C3%B1ol)&diff=135293Arch boot process (Español)2011-03-29T17:51:38Z<p>Sironitomas: </p>
<hr />
<div>[[Category:Boot process (Español)]]<br />
[[Category:About Arch (Español)]]<br />
{{i18n|Arch Boot Process}}<br />
<br />
{{Article summary start}}<br />
{{Article summary text|?}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Boot process overview}}}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|fstab}}<br />
{{Article summary wiki|rc.conf}}<br />
{{Article summary end}}<br />
<br />
This article aims to give a chronological overview of the Arch boot process and the files and processes involved, providing links to relevant wiki articles where necessary. Arch follows the BSD init convention, unlike the more common SysV. This means there is little distinction between runlevels, because by default the system is configured to use the same modules and run the same processes in all runlevels. The advantage is that users have a simple way of configuring the boot process (see [[rc.conf]]); the disadvantage is that some very specific configuration options offered by SysV are lost. See [[Adding Runlevels]] to add some SysV-like capabilities to Arch. See [[Wikipedia:init]] for more information on the distinctions between the SysV style and the BSD style.<br />
<br />
== Before init ==<br />
After the system is powered on and the [[Wikipedia:Power-on self-test|POST]] is completed, the BIOS will locate the preferred boot medium and transfer control to the [[Master Boot Record]] of this device. On a GNU/Linux system, a bootloader such as [[GRUB]] or [[LILO]] is commonly found and then loaded from the MBR. The bootloader will present the user with a range of boot options, for example Arch Linux and Windows on a [[Windows and Arch Dual Boot|dual-boot setup]]. Once Arch is selected, the kernel image in the {{Filename|/boot}} directory (currently {{Filename|kernel26.img}}) is decompressed and loaded into memory.<br />
<br />
The kernel is the core of an operating system. It works at a low level (''kernelspace''), mediating between the machine's hardware and the programs that use the hardware to run. To make efficient use of the CPU, the kernel uses a scheduler to arbitrate which tasks have priority at any given moment, creating the illusion (to human perception) that many tasks are being executed simultaneously.<br />
<br />
After the kernel is loaded, it reads the [[initramfs]] (initial RAM filesystem). The purpose of the initramfs is to bootstrap the system to the point where it can access the root filesystem (see [[FHS]] for details). This means that any module required by devices such as IDE, SCSI or SATA drives (or USB/FW, if booting from a USB/FW drive) has to be loaded. Once the initramfs has loaded the appropriate modules, either manually or through [[udev]], it passes control to the kernel and the boot process continues. For this reason, the initrd only needs to contain the modules needed to access the root filesystem; it does not need to contain every other module one might want to use. Most modules will be loaded later by udev, during the init process.<br />
<br />
The kernel then looks for the program {{Codeline|init}} which resides at {{Filename|/sbin/init}}. {{Codeline|init}} relies on {{Codeline|glibc}}, the GNU C library. Libraries are collections of frequently used program routines and are readily identifiable through their filename extension of {{Filename|*.so}}. They are essential for basic system functionality. This part of the boot process is called ''early userspace''.<br />
<br />
== init: The Arch boot scripts ==<br />
The main Arch startup process is initiated by the program {{Codeline|init}}, which spawns all other processes. The purpose of {{Codeline|init}} is to bring the system into a usable state, using the boot scripts to do so. As previously mentioned, Arch uses BSD-style boot scripts. {{Codeline|init}} reads the file {{Filename|/etc/inittab}}; the default {{Filename|inittab}} begins with the following:<br />
<br />
{{File<br />
|name=/etc/inittab<br />
|content=<nowiki><br />
...<br />
<br />
# Boot to console<br />
id:3:initdefault:<br />
# Boot to X11<br />
#id:5:initdefault:<br />
<br />
rc::sysinit:/etc/rc.sysinit<br />
rs:S1:wait:/etc/rc.single<br />
rm:2345:wait:/etc/rc.multi<br />
rh:06:wait:/etc/rc.shutdown<br />
su:S:wait:/sbin/sulogin<br />
<br />
...<br />
</nowiki>}}<br />
<br />
The first uncommented line defines the default system runlevel (3). When the kernel calls init:<br />
<br />
* First, the main initialization script is run, {{Filename|/etc/rc.sysinit}} (a [[Bash]] script). <br />
* If started in single user mode (runlevel 1 or S), the script {{Filename|/etc/rc.single}} will be run. <br />
* If in any other runlevel (2-5), {{Filename|/etc/rc.multi}} is run instead.<br />
* The last script to run will be {{Filename|/etc/rc.local}} (through {{Filename|/etc/rc.multi}}), which is empty by default.<br />
<br />
=== {{Filename|/etc/rc.sysinit}} ===<br />
{{Filename|rc.sysinit}} is a huge startup script that basically takes care of all hardware configuration plus a number of general initialization tasks. It can be identified by its first task, printing the lines:<br />
<br />
Arch Linux<br />
http://www.archlinux.org<br />
Copyright 2002-2007 Judd Vinet<br />
Copyright 2007-2010 Aaron Griffin<br />
Distributed under the GNU General Public License (GPL)<br />
<br />
A rough overview of its tasks:<br />
* Sources the {{Filename|/etc/rc.conf}} script<br />
* Sources the {{Filename|/etc/rc.d/functions}} script<br />
* Displays a welcome message<br />
* Mounts various virtual file systems<br />
* Creates dummy device files<br />
* Starts [[minilogd]]<br />
* Outputs messages from [[dmesg]]<br />
* Configures the hardware clock<br />
* Empties the {{Filename|/proc/sys/kernel/hotplug}} file<br />
* Starts [[udev]] and checks for udev events <br />
* Starts the [[loopback]] interface<br />
* Loads modules from the {{Codeline|MODULES}} array defined in [[rc.conf]]<br />
* Configures RAID and encrypted filesystem mappings<br />
* Runs a forced check of partitions ([[fsck]]) if the [[fstab|/etc/fstab]] file contains instructions to do so<br />
* Mounts local partitions and swap (networked drives are not mounted before a network profile is up)<br />
* Activates [[swap]] areas<br />
* Sets the hostname, locale and system clock as defined in {{Filename|rc.conf}}<br />
* Removes various leftover/temporary files, such as {{Filename|/tmp/*}}<br />
* Configures the [[locale]], console and keyboard mappings<br />
* Sets the console font<br />
* Writes output from dmesg to {{Filename|/var/log/dmesg.log}}<br />
<br />
{{Filename|/etc/rc.sysinit}} is a script and not a place for settings. It sources (i.e. reads and inherits variables and functions) [[rc.conf]] for settings and {{Filename|/etc/rc.d/functions}} for the functions that produce its graphical output (nice colors, alignments, switching 'busy' to 'done', etc.) There is no particular need to edit this file, although some may wish to do so in order to speed up the boot process.<br />
<br />
=== {{Filename|/etc/rc.single}} ===<br />
Single-user mode will boot straight into the root user account and should only be used if one cannot boot normally. This script ensures no daemons are running except for the bare minimum: syslog-ng and udev. The single-user mode is useful for system recovery where preventing remote users from doing anything that might cause data loss or damage is necessary. In single-user mode, users can continue with the standard (multi-user) boot by entering 'exit' at the prompt.<br />
<br />
=== {{Filename|/etc/rc.multi}} ===<br />
{{Filename|/etc/rc.multi}} is run on any multi-user runlevel (i.e. 2, 3, 4 and 5), which basically means any ordinary boot. Typically, users will not notice the transition from {{Filename|rc.sysinit}} to {{Filename|rc.multi}} as {{Filename|rc.multi}} also uses the functions file to produce output. This script has three tasks:<br />
<br />
* First, it runs sysctl (to modify kernel parameters at runtime) which applies the settings in {{Filename|/etc/sysctl.conf}}. Arch has very few of these by default; mainly networking settings.<br />
* Secondly, and most importantly, it starts [[daemons]], as per the {{Codeline|DAEMONS}} array in {{Filename|rc.conf}}.<br />
* Finally, it will run {{Filename|/etc/rc.local}}. <br />
<br />
=== {{Filename|/etc/rc.local}} ===<br />
{{Filename|rc.local}} is the local multi-user startup script. Empty by default, it is a good place to put any last-minute commands the system should run at the very end of the boot process. Most common system configuration tasks (like loading modules, changing the console font, or setting up devices) usually have a dedicated place where they belong. To avoid confusion, ensure that whatever one intends to add to {{Filename|rc.local}} is not already residing in {{Filename|/etc/profile.d}} or any other existing configuration location.<br />
<br />
When editing this file, keep in mind that it is run '''after''' the basic setup (modules/daemons), as the '''root''' user, and '''whether or not''' X starts. Here is an example which just un-mutes the ALSA sound settings:<br />
<br />
{{File<br />
|name=/etc/rc.local<br />
|content=<nowiki><br />
#!/bin/bash<br />
<br />
# /etc/rc.local: Local multi-user startup script.<br />
<br />
amixer sset 'Master Mono' 50% unmute &> /dev/null<br />
amixer sset 'Master' 50% unmute &> /dev/null<br />
amixer sset 'PCM' 75% unmute &> /dev/null<br />
</nowiki>}}<br />
<br />
Another common usage for {{Filename|rc.local}} is to apply various hacks when one cannot make the ordinary initialization work correctly.<br />
<br />
== Custom hooks ==<br />
Hooks can be used to include custom code in various places in the rc.* scripts.<br />
{| class="wikitable"<br />
|-<br />
! scope="col" | Hook Name<br />
! scope="col" | When hook is executed<br />
|-<br />
| sysinit_start<br />
| At the beginning of rc.sysinit<br />
|-<br />
| sysinit_udevlaunched<br />
| After udev has been launched in rc.sysinit<br />
|-<br />
| sysinit_udevsettled<br />
| After uevents have settled in rc.sysinit<br />
|-<br />
| sysinit_prefsck<br />
| Before fsck is run in rc.sysinit<br />
|-<br />
| sysinit_postfsck<br />
| After fsck is run in rc.sysinit<br />
|-<br />
| sysinit_premount<br />
| Before local filesystems are mounted, but after root is mounted read-write in rc.sysinit<br />
|-<br />
| sysinit_end<br />
| At the end of rc.sysinit<br />
|-<br />
| multi_start<br />
| At the beginning of rc.multi<br />
|-<br />
| multi_end<br />
| At the end of rc.multi<br />
|-<br />
| single_start<br />
| At the beginning of rc.single<br />
|-<br />
| single_prekillall<br />
| Before all processes are being killed in rc.single<br />
|-<br />
| single_postkillall<br />
| After all processes have been killed in rc.single<br />
|-<br />
| single_udevlaunched<br />
| After udev has been launched in rc.single<br />
|-<br />
| single_udevsettled<br />
| After uevents have settled in rc.single<br />
|-<br />
| single_end<br />
| At the end of rc.single<br />
|-<br />
| shutdown_start<br />
| At the beginning of rc.shutdown<br />
|-<br />
| shutdown_prekillall<br />
| Before all processes are being killed in rc.shutdown<br />
|-<br />
| shutdown_postkillall<br />
| After all processes have been killed in rc.shutdown<br />
|-<br />
| shutdown_poweroff<br />
| Directly before powering off in rc.shutdown<br />
|}<br />
<br />
To define a hook function, create a file in /etc/rc.d/functions.d using:<br />
<pre><br />
function_name() {<br />
...<br />
}<br />
add_hook hook_name function_name<br />
</pre><br />
Files in /etc/rc.d/functions.d are sourced from {{Filename|/etc/rc.d/functions}}.<br />
You can register multiple hook functions for the same hook, as well as registering the same hook function for multiple hooks. Don't define functions named add_hook or run_hook in these files, as they are defined in {{Filename|/etc/rc.d/functions}}.<br />
<br />
==== Example ====<br />
Adding the following file will disable the write-back cache on a hard drive ''before'' any daemons are started (useful for drives containing MySQL InnoDB files).<br />
{{File|name=/etc/rc.d/functions.d/hd_settings|content=hd_settings() {<br />
/sbin/hdparm -W0 /dev/sdb<br />
}<br />
add_hook sysinit_udevsettled hd_settings<br />
add_hook single_udevsettled hd_settings<br />
}}<br />
First, it defines the function hd_settings, and then registers it for the single_udevsettled and sysinit_udevsettled hooks. The function will then be called immediately after uevents have settled in {{Filename|/etc/rc.d/rc.sysinit}} or {{Filename|/etc/rc.d/rc.single}}.<br />
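<br />
The following added example (not the Arch {{Filename|/etc/rc.d/functions}} code and not part of this article) re-implements the add_hook/run_hook registry from the Custom hooks section in plain sh, registers the hd_settings function from the example above for its two hooks, and adds one check the stock scripts do not perform: because every file in /etc/rc.d/functions.d is sourced as root during boot, it refuses files that are not owned by the sourcing user or that are group/world-writable. The temporary directory, the recorder standing in for hdparm and the use of the current uid instead of root are assumptions for the demonstration; it also assumes GNU stat.<br />
<br />
```shell
#!/bin/sh
# Added example, not the Arch rc scripts: a small re-implementation of the add_hook/run_hook
# registry that /etc/rc.d/functions provides, plus an ownership/permission check (an addition
# here, not in the stock functions file) applied before sourcing each functions.d file.
# Assumes GNU stat (as on Arch/Linux).

HOOKS=""        # registrations as "hook=function" pairs, in the order add_hook was called
HOOK_NAME=""    # set by run_hook so a function registered for several hooks can tell which fired
HOOK_LOG=""     # used by the demo hook functions below to record what ran

add_hook() {
    # $1 = hook name (e.g. sysinit_udevsettled), $2 = function name
    HOOKS="$HOOKS $1=$2"
}

run_hook() {
    # Call every function registered for hook $1, in registration order.
    HOOK_NAME=$1
    for pair in $HOOKS; do
        case $pair in
            "$1="*) "${pair#*=}" ;;
        esac
    done
}

hook_file_is_safe() {
    # $1 = file, $2 = uid that must own it (root, 0, during a real boot).
    # Hook files are sourced as root early in boot, so a file another user can write is a
    # root-level code path; reject anything not owned by $2 or writable by group/others.
    file=$1
    want_uid=${2:-0}
    [ -f "$file" ] || return 1
    info=$(stat -c '%u %a' "$file" 2>/dev/null) || return 1
    set -- $info                      # $1 = owner uid, $2 = octal mode (e.g. 644)
    [ "$1" = "$want_uid" ] || return 1
    [ $(( 0$2 & 18 )) -eq 0 ]         # 18 = 022 octal: group-write and other-write bits
}

load_hook_files() {
    # Source every safe file in $1 (stands in for /etc/rc.d/functions.d); skip the rest.
    # During a real boot the sourcing user is root; here the current uid is used.
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        if hook_file_is_safe "$f" "$(id -u)"; then
            . "$f"
        else
            echo "skipping unsafe hook file: $f" >&2
        fi
    done
}

demo() {
    # Constructed functions.d directory with two files: a copy of the page's hd_settings
    # hook (hdparm replaced by a recorder so it runs anywhere) and a world-writable file.
    dir=$(mktemp -d) || return 1
    HOOKS=""; HOOK_LOG=""
    cat > "$dir/hd_settings" <<'EOF'
hd_settings() {
    # stand-in for: /sbin/hdparm -W0 /dev/sdb
    HOOK_LOG="${HOOK_LOG}hd_settings@$HOOK_NAME "
}
add_hook sysinit_udevsettled hd_settings
add_hook single_udevsettled hd_settings
EOF
    chmod 644 "$dir/hd_settings"
    printf 'rogue() { HOOK_LOG="${HOOK_LOG}rogue "; }\nadd_hook sysinit_start rogue\n' > "$dir/rogue"
    chmod 666 "$dir/rogue"

    load_hook_files "$dir" 2>/dev/null
    # Fire the hooks in the order rc.sysinit and rc.single would during a single-user boot.
    run_hook sysinit_start
    run_hook sysinit_udevsettled
    run_hook single_udevsettled
    rm -rf "$dir"
    printf '%s\n' "${HOOK_LOG% }"
}

demo
```
<br />
Running it prints one entry per hook that fired hd_settings and nothing for the rejected world-writable file, which is the order the table above describes for rc.sysinit followed by rc.single.<br />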
<br />
== init: Login ==<br />
By default, after the Arch boot scripts are completed, the {{Codeline|/sbin/agetty}} program prompts users for a login name. After a login name is received, {{Codeline|/sbin/agetty}} calls {{Codeline|/bin/login}} to prompt for the login password.<br />
<br />
Finally, with a successful login, the {{Codeline|/bin/login}} program starts the user's default shell. The default shell and environment variables may be globally defined within {{Filename|/etc/profile}}. All variables within a user's home directory shall take precedence over those globally defined under {{Filename|/etc}}. For instance, if two conflicting variables are specified within {{Filename|/etc/profile}} and {{Filename|~/.bashrc}}, the one dictated by {{Filename|~/.bashrc}} shall prevail.<br />
<br />
Other options include [[Automatic login to virtual console|mingetty]] which allows for auto-login and [[rungetty]] which allows for auto-login and automatically running commands and programs, e.g. the always useful htop. <br />
<br />
The majority of users wishing to start an [[X]] server during the boot process will want to install a display manager, and see [[Display Manager]] for details. Alternatively, [[Start X at Boot]] outlines methods that do not involve a display manager.<br />
<br />
== See also ==<br />
<br />
* [[Startup files]]<br />
<br />
== External resources ==<br />
* [http://www.cyberciti.biz/faq/grub-boot-into-single-user-mode/ Boot Linux Grub Into Single User Mode]<br />
* [http://www.linuxjournal.com/article/4622 Boot with GRUB]<br />
* [http://www.ibm.com/developerworks/linux/library/l-linuxboot/ Inside the Linux boot process]<br />
* [http://linux.about.com/library/cmd/blcmdl5_sysctl.conf.htm Linux / Unix Command: sysctl.conf]<br />
* [http://bbs.archlinux.org/search.php?action=search&keywords=rc.local&search_in=topic&sort_dir=DESC&show_as=topics Search the forum for rc.local examples]<br />
* [[Wikipedia:Linux startup process]]<br />
* [[Wikipedia:initrd]]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=Arch_boot_process_(Espa%C3%B1ol)&diff=135291Arch boot process (Español)2011-03-29T17:20:34Z<p>Sironitomas: /* Antes de init */</p>
<hr />
<div>[[Category:Boot process (Español)]]<br />
[[Category:About Arch (Español)]]<br />
{{i18n|Arch Boot Process}}<br />
<br />
{{Article summary start}}<br />
{{Article summary text|?}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Boot process overview}}}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|fstab}}<br />
{{Article summary wiki|rc.conf}}<br />
{{Article summary end}}<br />
<br />
This article aims to give a chronological overview of the Arch boot process and the files and processes involved, providing links to relevant wiki articles where necessary. Arch follows the BSD init convention, unlike the more common SysV. This means there is little distinction between runlevels, because by default the system is configured to use the same modules and run the same processes in all runlevels. The advantage is that users have a simple way of configuring the boot process (see [[rc.conf]]); the disadvantage is that some very specific configuration options offered by SysV are lost. See [[Adding Runlevels]] to add some SysV-like capabilities to Arch. See [[Wikipedia:init]] for more information on the distinctions between the SysV style and the BSD style.<br />
<br />
== Before init ==<br />
After the system is powered on and the [[Wikipedia:Power-on self-test|POST]] is completed, the BIOS will locate the preferred boot medium and transfer control to the [[Master Boot Record]] of this device. On a GNU/Linux system, a bootloader such as [[GRUB]] or [[LILO]] is commonly found and then loaded from the MBR. The bootloader will present the user with a range of boot options, for example Arch Linux and Windows on a [[Windows and Arch Dual Boot|dual-boot setup]]. Once Arch is selected, the kernel image in the {{Filename|/boot}} directory (currently {{Filename|kernel26.img}}) is decompressed and loaded into memory.<br />
<br />
== Before init ==<br />
After the system is powered on and the [[Wikipedia:Power-on self-test|POST]] is completed, the BIOS will locate the preferred boot medium and transfer control to the [[Master Boot Record]] of this device. On a GNU/Linux machine, often a bootloader such as [[GRUB]] or [[LILO]] is found and loaded from the MBR. The bootloader will present the user with a range of options for boot, e.g. Arch Linux and Windows on a [[Windows and Arch Dual Boot|dual-boot setup]]. Once Arch is selected, the kernel image in the {{Filename|/boot}} directory (currently {{Filename|kernel26.img}}) is decompressed and loaded into memory.<br />
<br />
The kernel is the core of an operating system. It functions on a low level (''kernelspace'') interacting between the hardware of the machine, and the programs which use the hardware to run. To make efficient use of the CPU, the kernel uses a scheduler to arbitrate which tasks take priority at any given moment, creating the illusion (to human perception) of many tasks being executed simultaneously. <br />
<br />
After the kernel is loaded, it reads from the [[initramfs]] (initial RAM filesystem). The purpose of the initramfs is to bootstrap the system to the point where it can access the root filesystem (see [[FHS]] for details). This means that any modules that are required for devices like IDE, SCSI, or SATA drives (or USB/FW, if booting off a USB/FW drive) must be loaded. Once the initramfs loads the proper modules, either manually or through [[udev]], it passes control to the kernel and the boot process continues. For this reason, the initrd only needs to contain the modules necessary to access the root filesystem; it does not need to contain every module one would ever want to use. The majority of modules will be loaded later on by udev, during the init process. <br />
<br />
The kernel then looks for the program {{Codeline|init}} which resides at {{Filename|/sbin/init}}. {{Codeline|init}} relies on {{Codeline|glibc}}, the GNU C library. Libraries are collections of frequently used program routines and are readily identifiable through their filename extension of {{Filename|*.so}}. They are essential for basic system functionality. This part of the boot process is called ''early userspace''.<br />
<br />
== init: The Arch boot scripts ==<br />
The main Arch startup process is initiated by the program {{Codeline|init}}, which spawns all other processes. The purpose of {{Codeline|init}} is to bring the system into a usable state, using the boot scripts to do so. As previously mentioned, Arch uses BSD-style boot scripts. {{Codeline|init}} reads the file {{Filename|/etc/inittab}}; the default {{Filename|inittab}} begins with the following:<br />
<br />
{{File<br />
|name=/etc/inittab<br />
|content=<nowiki><br />
...<br />
<br />
# Boot to console<br />
id:3:initdefault:<br />
# Boot to X11<br />
#id:5:initdefault:<br />
<br />
rc::sysinit:/etc/rc.sysinit<br />
rs:S1:wait:/etc/rc.single<br />
rm:2345:wait:/etc/rc.multi<br />
rh:06:wait:/etc/rc.shutdown<br />
su:S:wait:/sbin/sulogin<br />
<br />
...<br />
</nowiki>}}<br />
<br />
The first uncommented line defines the default system runlevel (3). When the kernel calls init:<br />
<br />
* First, the main initialization script is run, {{Filename|/etc/rc.sysinit}} (a [[Bash]] script). <br />
* If started in single user mode (runlevel 1 or S), the script {{Filename|/etc/rc.single}} will be run. <br />
* If in any other runlevel (2-5), {{Filename|/etc/rc.multi}} is run instead.<br />
* The last script to run will be {{Filename|/etc/rc.local}} (through {{Filename|/etc/rc.multi}}), which is empty by default.<br />
<br />
=== {{Filename|/etc/rc.sysinit}} ===<br />
{{Filename|rc.sysinit}} is a huge startup script that basically takes care of all hardware configuration plus a number of general initialization tasks. It can be identified by its first task, printing the lines:<br />
<br />
Arch Linux<br />
http://www.archlinux.org<br />
Copyright 2002-2007 Judd Vinet<br />
Copyright 2007-2010 Aaron Griffin<br />
Distributed under the GNU General Public License (GPL)<br />
<br />
A rough overview of its tasks:<br />
* Sources the {{Filename|/etc/rc.conf}} script<br />
* Sources the {{Filename|/etc/rc.d/functions}} script<br />
* Displays a welcome message<br />
* Mounts various virtual file systems<br />
* Creates dummy device files<br />
* Starts [[minilogd]]<br />
* Outputs messages from [[dmesg]]<br />
* Configures the hardware clock<br />
* Empties the {{Filename|/proc/sys/kernel/hotplug}} file<br />
* Starts [[udev]] and checks for udev events <br />
* Starts the [[loopback]] interface<br />
* Loads modules from the {{Codeline|MODULES}} array defined in [[rc.conf]]<br />
* Configures RAID and encrypted filesystem mappings<br />
* Runs a forced check of partitions ([[fsck]]) if the [[fstab|/etc/fstab]] file contains instructions to do so<br />
* Mounts local partitions and swap (networked drives are not mounted before a network profile is up)<br />
* Activates [[swap]] areas<br />
* Sets the hostname, locale and system clock as defined in {{Filename|rc.conf}}<br />
* Removes various leftover/temporary files, such as {{Filename|/tmp/*}}<br />
* Configures the [[locale]], console and keyboard mappings<br />
* Sets the console font<br />
* Writes output from dmesg to {{Filename|/var/log/dmesg.log}}<br />
<br />
{{Filename|/etc/rc.sysinit}} is a script and not a place for settings. It sources (i.e. reads and inherits variables and functions) [[rc.conf]] for settings and {{Filename|/etc/rc.d/functions}} for the functions that produce its graphical output (nice colors, alignments, switching 'busy' to 'done', etc.) There is no particular need to edit this file, although some may wish to do so in order to speed up the boot process.<br />
<br />
=== {{Filename|/etc/rc.single}} ===<br />
Single-user mode will boot straight into the root user account and should only be used if one cannot boot normally. This script ensures no daemons are running except for the bare minimum: syslog-ng and udev. The single-user mode is useful for system recovery where preventing remote users from doing anything that might cause data loss or damage is necessary. In single-user mode, users can continue with the standard (multi-user) boot by entering 'exit' at the prompt.<br />
<br />
=== {{Filename|/etc/rc.multi}} ===<br />
{{Filename|/etc/rc.multi}} is run on any multi-user runlevel (i.e. 2, 3, 4 and 5), which basically means any ordinary boot. Typically, users will not notice the transition from {{Filename|rc.sysinit}} to {{Filename|rc.multi}} as {{Filename|rc.multi}} also uses the functions file to produce output. This script has three tasks:<br />
<br />
* First, it runs sysctl (to modify kernel parameters at runtime) which applies the settings in {{Filename|/etc/sysctl.conf}}. Arch has very few of these by default; mainly networking settings.<br />
* Secondly, and most importantly, it starts [[daemons]], as per the {{Codeline|DAEMONS}} array in {{Filename|rc.conf}}.<br />
* Finally, it will run {{Filename|/etc/rc.local}}. <br />
<br />
=== {{Filename|/etc/rc.local}} ===<br />
{{Filename|rc.local}} is the local multi-user startup script. Empty by default, it is a good place to put any last-minute commands the system should run at the very end of the boot process. Most common system configuration tasks (like loading modules, changing the console font, or setting up devices) usually have a dedicated place where they belong. To avoid confusion, ensure that whatever one intends to add to {{Filename|rc.local}} is not already residing in {{Filename|/etc/profile.d}} or any other existing configuration location.<br />
<br />
When editing this file, keep in mind that it is run '''after''' the basic setup (modules/daemons), as the '''root''' user, and '''whether or not''' X starts. Here is an example which just un-mutes the ALSA sound settings:<br />
<br />
{{File<br />
|name=/etc/rc.local<br />
|content=<nowiki><br />
#!/bin/bash<br />
<br />
# /etc/rc.local: Local multi-user startup script.<br />
<br />
amixer sset 'Master Mono' 50% unmute &> /dev/null<br />
amixer sset 'Master' 50% unmute &> /dev/null<br />
amixer sset 'PCM' 75% unmute &> /dev/null<br />
</nowiki>}}<br />
<br />
Another common usage for {{Filename|rc.local}} is to apply various hacks when one cannot make the ordinary initialization work correctly.<br />
<br />
== Custom hooks ==<br />
Hooks can be used to include custom code in various places in the rc.* scripts.<br />
{| class="wikitable"<br />
|-<br />
! scope="col" | Hook Name<br />
! scope="col" | When hook is executed<br />
|-<br />
| sysinit_start<br />
| At the beginning of rc.sysinit<br />
|-<br />
| sysinit_udevlaunched<br />
| After udev has been launched in rc.sysinit<br />
|-<br />
| sysinit_udevsettled<br />
| After uevents have settled in rc.sysinit<br />
|-<br />
| sysinit_prefsck<br />
| Before fsck is run in rc.sysinit<br />
|-<br />
| sysinit_postfsck<br />
| After fsck is run in rc.sysinit<br />
|-<br />
| sysinit_premount<br />
| Before local filesystems are mounted, but after root is mounted read-write in rc.sysinit<br />
|-<br />
| sysinit_end<br />
| At the end of rc.sysinit<br />
|-<br />
| multi_start<br />
| At the beginning of rc.multi<br />
|-<br />
| multi_end<br />
| At the end of rc.multi<br />
|-<br />
| single_start<br />
| At the beginning of rc.single<br />
|-<br />
| single_prekillall<br />
| Before all processes are being killed in rc.single<br />
|-<br />
| single_postkillall<br />
| After all processes have been killed in rc.single<br />
|-<br />
| single_udevlaunched<br />
| After udev has been launched in rc.single<br />
|-<br />
| single_udevsettled<br />
| After uevents have settled in rc.single<br />
|-<br />
| single_end<br />
| At the end of rc.single<br />
|-<br />
| shutdown_start<br />
| At the beginning of rc.shutdown<br />
|-<br />
| shutdown_prekillall<br />
| Before all processes are being killed in rc.shutdown<br />
|-<br />
| shutdown_postkillall<br />
| After all processes have been killed in rc.shutdown<br />
|-<br />
| shutdown_poweroff<br />
| Directly before powering off in rc.shutdown<br />
|}<br />
<br />
To define a hook function, create a file in /etc/rc.d/functions.d using:<br />
<pre><br />
function_name() {<br />
...<br />
}<br />
add_hook hook_name function_name<br />
</pre><br />
Files in {{Filename|/etc/rc.d/functions.d}} are sourced from {{Filename|/etc/rc.d/functions}}, which means their contents are executed as root during boot; like {{Filename|rc.local}}, they should be owned by root and not writable by other users.<br />
You can register multiple hook functions for the same hook, as well as register the same hook function for multiple hooks. Do not define functions named add_hook or run_hook in these files, as they are already defined in {{Filename|/etc/rc.d/functions}}.<br />
<br />
==== Example ====<br />
Adding the following file will disable the write-back cache on a hard drive <i>before</i> any daemons are started (useful for drives containing MySQL InnoDB files).<br />
{{File|name=/etc/rc.d/functions.d/hd_settings|content=hd_settings() {<br />
/sbin/hdparm -W0 /dev/sdb<br />
}<br />
add_hook sysinit_udevsettled hd_settings<br />
add_hook single_udevsettled hd_settings<br />
}}<br />
First it defines the function hd_settings, and then registers it for the sysinit_udevsettled and single_udevsettled hooks. The function will then be called immediately after uevents have settled in {{Filename|/etc/rc.d/rc.sysinit}} or {{Filename|/etc/rc.d/rc.single}}.<br />
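The following is an added example and not code from the Arch initscripts: a simplified, self-contained stand-in for the add_hook/run_hook mechanism described above, together with a hook that refuses to let rc.multi start daemons while any script that runs as root during boot is writable by other users. The stand-in deliberately aborts on the first failing hook function (the real {{Filename|/etc/rc.d/functions}} does not), and GUARD_PATHS is an invented variable holding the paths to check; both are assumptions made for this example.<br />

```sh
#!/bin/sh
# Added example, not code from the Arch initscripts: a simplified stand-in
# for the add_hook/run_hook mechanism of /etc/rc.d/functions, plus a hook
# that stops rc.multi from starting daemons while any script that runs as
# root during boot is writable by other users.
#
# Assumptions made for this example: the real add_hook/run_hook differ in
# detail (in particular, they do not abort on a failing hook function), and
# GUARD_PATHS is an invented variable listing the paths to check.

GUARD_PATHS="/etc/rc.local /etc/rc.d/functions.d"

# add_hook HOOK FUNC: append FUNC to the shell variable hook_HOOK, so the
# functions registered for a hook are kept in registration order.
add_hook() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    eval "hook_$1=\"\${hook_$1} $2\""
}

# run_hook HOOK: call every function registered for HOOK in order.
# Returns 1 as soon as one of them fails, so a failed check can block the boot.
run_hook() {
    eval "_funcs=\"\${hook_$1}\""
    for _f in $_funcs; do
        "$_f" || return 1
    done
    return 0
}

# check_boot_file_perms PATH...: return 0 if no regular file under the given
# paths is world-writable or writable by a group other than root (gid 0);
# otherwise print the offending files to stderr and return 1. Missing paths
# are skipped. Paths containing whitespace are not supported (fine for /etc).
check_boot_file_perms() {
    _existing=""
    for _p in "$@"; do
        [ -e "$_p" ] && _existing="$_existing $_p"
    done
    [ -n "$_existing" ] || return 0
    _bad=$(find $_existing -type f \( -perm -0002 -o \( -perm -0020 ! -group 0 \) \))
    if [ -n "$_bad" ]; then
        printf 'boot-time scripts writable by non-root users:\n%s\n' "$_bad" >&2
        return 1
    fi
    return 0
}

# The hook function itself; GUARD_PATHS is deliberately left unquoted so
# that it splits into separate arguments.
perm_guard() {
    check_boot_file_perms $GUARD_PATHS
}

# In a real /etc/rc.d/functions.d file this registration is all that is
# needed: rc.multi runs the multi_start hook before it starts the DAEMONS.
add_hook multi_start perm_guard
```

Dropped into {{Filename|/etc/rc.d/functions.d/}}, the registration line is what matters; the functions above it simply make the file runnable on its own for testing. Setting GUARD_PATHS to a scratch directory and calling run_hook multi_start shows the check passing for 0644 files and failing as soon as one of them is made world-writable.<br />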
<br />
== init: Login ==<br />
By default, after the Arch boot scripts are completed, the {{Codeline|/sbin/agetty}} program prompts users for a login name. After a login name is received, {{Codeline|/sbin/agetty}} calls {{Codeline|/bin/login}} to prompt for the login password.<br />
<br />
Finally, with a successful login, the {{Codeline|/bin/login}} program starts the user's default shell. The default shell and environment variables may be globally defined within {{Filename|/etc/profile}}. All variables within a user's home directory shall take precedence over those globally defined under {{Filename|/etc}}. For instance, if two conflicting variables are specified within {{Filename|/etc/profile}} and {{Filename|~/.bashrc}}, the one dictated by {{Filename|~/.bashrc}} shall prevail.<br />
<br />
Other options include [[Automatic login to virtual console|mingetty]] which allows for auto-login and [[rungetty]] which allows for auto-login and automatically running commands and programs, e.g. the always useful htop. <br />
<br />
The majority of users wishing to start an [[X]] server during the boot process will want to install a display manager, and see [[Display Manager]] for details. Alternatively, [[Start X at Boot]] outlines methods that do not involve a display manager.<br />
<br />
== See also ==<br />
<br />
* [[Startup files]]<br />
<br />
== External resources ==<br />
* [http://www.cyberciti.biz/faq/grub-boot-into-single-user-mode/ Boot Linux Grub Into Single User Mode]<br />
* [http://www.linuxjournal.com/article/4622 Boot with GRUB]<br />
* [http://www.ibm.com/developerworks/linux/library/l-linuxboot/ Inside the Linux boot process]<br />
* [http://linux.about.com/library/cmd/blcmdl5_sysctl.conf.htm Linux / Unix Command: sysctl.conf]<br />
* [http://bbs.archlinux.org/search.php?action=search&keywords=rc.local&search_in=topic&sort_dir=DESC&show_as=topics Search the forum for rc.local examples]<br />
* [[Wikipedia:Linux startup process]]<br />
* [[Wikipedia:initrd]]</div>Sironitomashttps://wiki.archlinux.org/index.php?title=Arch_boot_process_(Espa%C3%B1ol)&diff=135290Arch boot process (Español)2011-03-29T17:19:52Z<p>Sironitomas: Created page with "Category:Boot process (Español) Category:About Arch (Español) {{i18n|Arch Boot Process}} {{Article summary start}} {{Article summary text|?}} {{Article summary heading..."</p>
<hr />
<div>[[Category:Boot process (Español)]]<br />
[[Category:About Arch (Español)]]<br />
{{i18n|Arch Boot Process}}<br />
<br />
{{Article summary start}}<br />
{{Article summary text|?}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Boot process overview}}}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|fstab}}<br />
{{Article summary wiki|rc.conf}}<br />
{{Article summary end}}<br />
<br />
This article aims to give a chronological overview of the Arch boot process and of the files and processes involved, providing links to relevant wiki articles where necessary. Arch follows the BSD init convention, as opposed to the more common SysV. This means there is little distinction between runlevels, because the system is configured by default to use the same modules and run the same processes in all runlevels. The advantage is that users have a simple way to configure the init process (see [[rc.conf]]); the disadvantage is that some very specific configuration options offered by SysV are lost. See [[Adding Runlevels]] to add some SysV-like capabilities to Arch. See [[Wikipedia:init]] for more information on the distinctions between the SysV style and the BSD style.<br />
<br />
== Before init ==<br />
After the system is powered-on and the [[Wikipedia:Power-on self-test|POST]] is completed, the BIOS will locate the preferred boot medium and transfer control to the [[Master Boot Record]] of this device. On a GNU/Linux machine, often a bootloader such as [[GRUB]] or [[LILO]] is found and loaded from the MBR. The bootloader will present the user with a range of options for boot, e.g. Arch Linux and Windows on a [[Windows and Arch Dual Boot|dual-boot setup]]. Once Arch is selected, the kernel image in the {{Filename|/boot}} directory (currently {{Filename|kernel26.img}}) is decompressed and loaded into memory.<br />
<br />
The kernel is the core of an operating system. It functions on a low level (''kernelspace'') interacting between the hardware of the machine, and the programs which use the hardware to run. To make efficient use of the CPU, the kernel uses a scheduler to arbitrate which tasks take priority at any given moment, creating the illusion (to human perception) of many tasks being executed simultaneously. <br />
<br />
After the kernel is loaded, it reads from the [[initramfs]] (initial RAM filesystem). The purpose of the initramfs is to bootstrap the system to the point where it can access the root filesystem (see [[FHS]] for details). This means that any modules that are required for devices like IDE, SCSI, or SATA drives (or USB/FW, if booting off a USB/FW drive) must be loaded. Once the initramfs loads the proper modules, either manually or through [[udev]], it passes control to the kernel and the boot process continues. For this reason, the initrd only needs to contain the modules necessary to access the root filesystem; it does not need to contain every module one would ever want to use. The majority of modules will be loaded later on by udev, during the init process. <br />
<br />
The kernel then looks for the program {{Codeline|init}} which resides at {{Filename|/sbin/init}}. {{Codeline|init}} relies on {{Codeline|glibc}}, the GNU C library. Libraries are collections of frequently used program routines and are readily identifiable through their filename extension of {{Filename|*.so}}. They are essential for basic system functionality. This part of the boot process is called ''early userspace''.<br />
<br />
== init: The Arch boot scripts ==<br />
The main Arch startup process is initiated by the program {{Codeline|init}}, which spawns all other processes. The purpose of {{Codeline|init}} is to bring the system into a usable state, using the boot scripts to do so. As previously mentioned, Arch uses BSD-style boot scripts. {{Codeline|init}} reads the file {{Filename|/etc/inittab}}; the default {{Filename|inittab}} begins with the following:<br />
<br />
{{File<br />
|name=/etc/inittab<br />
|content=<nowiki><br />
...<br />
<br />
# Boot to console<br />
id:3:initdefault:<br />
# Boot to X11<br />
#id:5:initdefault:<br />
<br />
rc::sysinit:/etc/rc.sysinit<br />
rs:S1:wait:/etc/rc.single<br />
rm:2345:wait:/etc/rc.multi<br />
rh:06:wait:/etc/rc.shutdown<br />
su:S:wait:/sbin/sulogin<br />
<br />
...<br />
</nowiki>}}<br />
<br />
The first uncommented line defines the default system runlevel (3). When the kernel calls init:<br />
<br />
* First, the main initialization script is run, {{Filename|/etc/rc.sysinit}} (a [[Bash]] script). <br />
* If started in single user mode (runlevel 1 or S), the script {{Filename|/etc/rc.single}} will be run. <br />
* If in any other runlevel (2-5), {{Filename|/etc/rc.multi}} is run instead.<br />
* The last script to run will be {{Filename|/etc/rc.local}} (through {{Filename|/etc/rc.multi}}), which is empty by default.<br />
<br />
=== {{Filename|/etc/rc.sysinit}} ===<br />
{{Filename|rc.sysinit}} is a huge startup script that basically takes care of all hardware configuration plus a number of general initialization tasks. It can be identified by its first task, printing the lines:<br />
<br />
Arch Linux<br />
http://www.archlinux.org<br />
Copyright 2002-2007 Judd Vinet<br />
Copyright 2007-2010 Aaron Griffin<br />
Distributed under the GNU General Public License (GPL)<br />
<br />
A rough overview of its tasks:<br />
* Sources the {{Filename|/etc/rc.conf}} script<br />
* Sources the {{Filename|/etc/rc.d/functions}} script<br />
* Displays a welcome message<br />
* Mounts various virtual file systems<br />
* Creates dummy device files<br />
* Starts [[minilogd]]<br />
* Outputs messages from [[dmesg]]<br />
* Configures the hardware clock<br />
* Empties the {{Filename|/proc/sys/kernel/hotplug}} file<br />
* Starts [[udev]] and checks for udev events <br />
* Starts the [[loopback]] interface<br />
* Loads modules from the {{Codeline|MODULES}} array defined in [[rc.conf]]<br />
* Configures RAID and encrypted filesystem mappings<br />
* Runs a forced check of partitions ([[fsck]]) if the [[fstab|/etc/fstab]] file contains instructions to do so<br />
* Mounts local partitions and swap (networked drives are not mounted before a network profile is up)<br />
* Activates [[swap]] areas<br />
* Sets the hostname, locale and system clock as defined in {{Filename|rc.conf}}<br />
* Removes various leftover/temporary files, such as {{Filename|/tmp/*}}<br />
* Configures the [[locale]], console and keyboard mappings<br />
* Sets the console font<br />
* Writes output from dmesg to {{Filename|/var/log/dmesg.log}}<br />
<br />
{{Filename|/etc/rc.sysinit}} is a script and not a place for settings. It sources (i.e. reads and inherits variables and functions) [[rc.conf]] for settings and {{Filename|/etc/rc.d/functions}} for the functions that produce its graphical output (nice colors, alignments, switching 'busy' to 'done', etc.) There is no particular need to edit this file, although some may wish to do so in order to speed up the boot process.<br />
<br />
=== {{Filename|/etc/rc.single}} ===<br />
</div>Sironitomashttps://wiki.archlinux.org/index.php?title=Apache_HTTP_Server_(Espa%C3%B1ol)&diff=134560Apache HTTP Server (Español)2011-03-23T03:19:18Z<p>Sironitomas: /* Configurar el soporte para MySQL */</p><br />
<hr />
<div>[[Category:Daemons y servicios del sistema (Español)]]<br />
[[Category:CÓMOs (Español)]]<br />
{{i18n|LAMP}}<br />
<br />
LAMP is an acronym for a set of software used to run dynamic web sites or services:<br />
<br />
* '''L'''inux, referring to the operating system, in this case Arch Linux of course;<br />
* '''A'''pache, the web server;<br />
* '''M'''ySQL, the database management system;<br />
* '''P'''HP or others, e.g. Perl, Python.<br />
<br />
===Apache, PHP, and MySQL===<br />
<br />
This document describes how to set up the Apache web server on an Arch Linux system. It also explains how to optionally install PHP and MySQL and integrate them with Apache.<br />
<br />
====Install Packages====<br />
<br />
If you wish, you can install Apache, PHP and MySQL separately. This document assumes that you will install all three, but you may follow only the sections that apply to the software you install.<br />
<br />
# pacman -S apache php php-apache mysql<br />
<br />
====Configure Apache====<br />
* Add the following line to <code>/etc/hosts</code> (create the file if it does not exist):<br />
<br />
127.0.0.1 localhost.localdomain localhost<br />
<br />
{{Box Note|If you want a different hostname, add it to the end of the line:}}<br />
<br />
127.0.0.1 localhost.localdomain localhost myhostname<br />
<br />
* Edit <code>/etc/rc.conf</code>. If you defined a hostname in the previous step, the HOSTNAME variable must match it. Otherwise, leave just "localhost":<br />
<br />
#<br />
# Networking<br />
#<br />
HOSTNAME="localhost"<br />
<br />
* Comment out a module in the Apache configuration file<br />
<br />
# nano /etc/httpd/conf/httpd.conf<br />
<br />
LoadModule unique_id_module modules/mod_unique_id.so<br />
<br />
becomes<br />
<br />
#LoadModule unique_id_module modules/mod_unique_id.so<br />
<br />
* Run in a terminal (as root):<br />
<br />
# /etc/rc.d/httpd start<br />
<br />
* Apache should now be running. Verify it by visiting http://localhost/ in a web browser. You should see a simple Apache test page.<br />
<br />
* Edit <code>/etc/rc.conf</code> (to start Apache at boot):<br />
<br />
DAEMONS=(... various daemons ... httpd)<br />
<br />
'''Or''' add this line to <code>rc.local</code>:<br />
<br />
/etc/rc.d/httpd start<br />
<br />
* If you want user directories to be available on the web (i.e. <code>~/public_html</code> on the machine is reachable as http://localhost/~user/), uncomment the following lines in <code>/etc/httpd/conf/extra/httpd-userdir.conf</code>:<br />
<br />
UserDir public_html<br />
<br />
and<br />
<br />
<Directory /home/*/public_html><br />
AllowOverride FileInfo AuthConfig Limit Indexes<br />
Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI<br />
<Limit GET POST OPTIONS PROPFIND><br />
Order allow,deny<br />
Allow from all<br />
</Limit><br />
<LimitExcept GET POST OPTIONS PROPFIND><br />
Order deny,allow<br />
Deny from all<br />
</LimitExcept><br />
</Directory><br />
<br />
Note that this block enables directory listings (<code>Indexes</code>) and CGI execution (<code>ExecCGI</code>) for every user's <code>public_html</code>; remove the options you do not actually need, as every local user would otherwise be able to publish executable scripts through the web server.<br />
<br />
Make sure Apache can enter the user's home directory by setting the corresponding permissions. The user's home directory and the <code>~/public_html/</code> directory must be executable (searchable) by others ("the rest of the world"). This is sufficient:<br />
<br />
$ chmod o+x ~<br />
$ chmod o+x ~/public_html<br />
<br />
There are other, more secure ways to set the permissions, such as creating a dedicated group, making the home directory searchable only by that group, and adding only the Apache user and any other users that need access to it. How far to go depends on your level of paranoia.<br />
<br />
=====Additional options=====<br />
These options in <code>/etc/httpd/conf/httpd.conf</code> may be of interest:<br />
<br />
The port Apache listens on for requests. For Internet access through a router, this port must be forwarded.<br />
Listen 80<br />
<br />
The administrator's e-mail address, shown for example on error pages.<br />
ServerAdmin sample@sample.com<br />
<br />
The directory where the web pages are placed.<br />
DocumentRoot "/home/httpd/html"<br />
<br />
If you change the DocumentRoot, do not forget to change the following item as well.<br />
<Directory "/home/httpd/html"><br />
<br />
====Configure PHP====<br />
PHP is available practically right after installing it.<br />
<br />
* Uncomment this line in <code>/etc/httpd/conf/httpd.conf</code><br />
#LoadModule php5_module modules/libphp5.so<br />
<br />
* For PHP5 the file handlers are already configured<br />
<br />
#<br />
# DirectoryIndex: sets the file that Apache will serve if a directory<br />
# is requested.<br />
#<br />
<IfModule dir_module><br />
<IfModule mod_php5.c><br />
DirectoryIndex index.php index.html<br />
AddType application/x-httpd-php .php<br />
AddType application/x-httpd-php-source .phps<br />
</IfModule><br />
DirectoryIndex index.html<br />
</IfModule><br />
<br />
* Remember to add a handler for .phtml files if needed:<br />
<br />
DirectoryIndex index.php index.phtml index.html<br />
<br />
* If you want the libGD module, edit <code>/etc/php/php.ini</code> and uncomment the following line (''removing the ;''):<br />
<br />
;extension=gd.so<br />
<br />
* If the DocumentRoot is outside <code>/home/</code>, add it to the <code>open_basedir</code> variable in <code>/etc/php/php.ini</code> like so:<br />
<br />
open_basedir = /home/:/tmp/:/usr/share/pear/:/path/to/documentroot<br />
<br />
* Restart the Apache server for the changes to take effect (as root):<br />
# /etc/rc.d/httpd restart<br />
<br />
* Test PHP with a simple but very informative script:<br />
<html><br />
<head><br />
<title>This is Arch Linux, running PHP.</title><br />
</head><br />
<body><br />
<p><br />
<?php<br />
phpinfo();<br />
?><br />
</p><br />
</body><br />
</html><br />
<br />
Save this file as <code>test.php</code> and copy it into <code>/srv/http/html/</code> or into <code>~/public_html</code> if you enabled user directories in the configuration.<br />
<br />
* Test PHP at http://localhost/test.php or http://localhost/~user/test.php<br />
<br />
Delete <code>test.php</code> once you are done: <code>phpinfo()</code> discloses installed versions, file system paths and the full PHP configuration to anyone who can reach the page.<br />
<br />
'''If you still have problems''', edit your /etc/httpd/conf/httpd.conf file with the following information<br />
<br />
* Edit your httpd.conf file<br />
nano /etc/httpd/conf/httpd.conf<br />
<br />
* Under <IfModule mime_module> add<br />
AddType application/x-httpd-php .php<br />
AddType application/x-httpd-php-source .phps<br />
<br />
* Restart Apache<br />
# /etc/rc.d/httpd restart<br />
<br />
If after this the server still does not execute PHP scripts, add the line<br />
<br />
LoadModule php5_module modules/libphp5.so<br />
<br />
just before the start of the LoadModule block.<br />
<br />
* Restart Apache<br />
<br />
# /etc/rc.d/httpd restart<br />
<br />
Be sure to test the page again to verify that it works correctly (as shown above).<br />
<br />
====Configure MySQL support====<br />
Do this only if you want to enable MySQL support. First set up MySQL following the steps described in [[MySQL|MySQL]].<br />
<br />
* Edit <code>/etc/php/php.ini</code> and uncomment the following lines (''removing the ;''):<br />
<br />
;extension=mysql.so<br />
;extension=mysqli.so<br />
<br />
* If you have not set a root password for MySQL yet (in a terminal, as root):<br />
<br />
# mysqladmin -u root password 'roots_password'<br />
<br />
* You can add users with fewer privileges for the scripts you want to run by editing the tables in the <code>mysql</code> database. You will have to restart the service for the changes to take effect.<br />
Do not forget to check the <code>mysql.user</code> table. If a second entry exists for the root user and the hostname with no password set, anyone on your machine could probably gain full access.<br />
You may want to consult the next section for these tasks.<br />
<br />
* If you get the message "<code>error no. 2013: Lost Connection to mysql server during query</code>" immediately after trying to connect to the MySQL daemon over TCP/IP, this is caused by the TCP wrappers system (tcpd), which uses <code>hosts_access(5)</code> to allow or deny connections.<br />
<br />
If you run into this problem, make sure to add the following to <code>/etc/hosts.allow</code>:<br />
<br />
mysqld : ALL : ALLOW<br />
mysqld-max : ALL : ALLOW<br />
# and similarly for other MySQL daemons.<br />
<br />
{{Box Note|The examples above are a simplistic case, telling tcpd to allow all connections from anywhere. You should use a more appropriate selection of allowed sources instead of '''ALL'''. Just make sure that localhost and the IP address (numeric or DNS name) of the interface the connection comes in on are specified.}}<br />
<br />
* You may also need to edit <code>/etc/my.cnf</code> and comment out the following line, like so:<br />
<br />
# skip-networking<br />
<br />
Only do this if a client really needs to reach MySQL over TCP/IP. With <code>skip-networking</code> active, MySQL accepts only local socket connections, which is the safer default for a single-host LAMP setup where PHP and the database run on the same machine.<br />
<br />
====Configure phpMyAdmin====<br />
If you want to use [http://www.phpmyadmin.net phpMyAdmin], proceed as follows:<br />
<br />
* Install the package<br />
<br />
# pacman -S phpmyadmin<br />
<br />
* Edit the configuration file to suit your needs: <code>/home/httpd/html/phpMyAdmin/config.inc.php</code><br />
<br />
Set the PmaAbsoluteUri variable to something like:<br />
<br />
$cfg['PmaAbsoluteUri'] = 'http://<hostname>/phpMyAdmin/';<br />
<br />
Fill in your MySQL server information. In phpMyAdmin, multiple servers can be defined in the 'Servers' array. To access your MySQL database you only need to edit the first entry; you can ignore the rest.<br />
<br />
On a normal system you would only have to set auth_type to http. This makes phpMyAdmin use the username and password entered in the web browser to access the database server, so no action can be performed that the corresponding MySQL user is not allowed to perform.<br />
<br />
$cfg['Servers'][$i]['auth_type'] = 'http';<br />
<br />
'''Warning:''' other authentication methods, or writing passwords directly into this file, can compromise the security of the database. By default this file is world-readable, so it is advisable to restrict its permissions.<br />
<br />
* To use phpMyAdmin, point your web browser to:<br />
<br />
http://<hostname>/phpMyAdmin/</div>Sironitomashttps://wiki.archlinux.org/index.php?title=Secure_Shell_(Portugu%C3%AAs)&diff=134196Secure Shell (Português)2011-03-19T04:26:41Z<p>Sironitomas: /* Segundo Passo: Configure seu Navegador ( e/ou outros programas ) */</p><br />
<hr />
<div>''Secure Shell'' or SSH is an Internet protocol that allows information to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of the information. SSH uses public-key cryptography to authenticate the remote computer and, if necessary, to allow the remote computer to authenticate the user.<br />
<br />
SSH is typically used to log in to a remote computer and run commands, but it can also be used for ''tunneling''. File transfer can be done using the SFTP or SCP protocols.<br />
<br />
An SSH server listens on port 22 by default. An SSH client is generally used to establish connections to an sshd server configured to accept remote connections. Both are present in most modern operating systems, including GNU/Linux, MacOS X, Solaris and OpenVMS.<br />
Paid, free and open-source versions exist.<br />
<br />
= OpenSSH =<br />
<br />
OpenSSH (OpenBSD Secure Shell) is a set of computer programs that provide encrypted communication sessions over a computer network using the ssh protocol. It was created as an open-source alternative to the proprietary Secure Shell application suite offered by SSH Communications Security. OpenSSH is developed as part of the OpenBSD project, which is led by Theo de Raadt.<br />
<br />
OpenSSH is occasionally confused with OpenSSL because of the similar names; although the projects have different purposes and are developed by different teams, the similar names arose from similar goals.<br />
<br />
== Installing OpenSSH ==<br />
# pacman -S openssh<br />
<br />
== Configuring SSH ==<br />
===Client===<br />
The SSH client configuration file can be found and edited at {{Filename|/etc/ssh/ssh_config}}.<br />
<br />
A sample configuration:<br />
<br />
{{File|name=/etc/ssh/ssh_config|content=<br />
# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $<br />
<br />
# This is the ssh client system-wide configuration file. See<br />
# ssh_config(5) for more information. This file provides defaults for<br />
# users, and the values can be changed in per-user configuration files<br />
# or on the command line.<br />
<br />
# Configuration data is parsed as follows:<br />
# 1. command line options<br />
# 2. user-specific file<br />
# 3. system-wide file<br />
# Any configuration value is only changed the first time it is set.<br />
# Thus, host-specific definitions should be at the beginning of the<br />
# configuration file, and defaults at the end.<br />
<br />
# Site-wide defaults for some commonly used options. For a comprehensive<br />
# list of available options, their meanings and defaults, please see the<br />
# ssh_config(5) man page.<br />
<br />
Host *<br />
# ForwardAgent no<br />
# ForwardX11 no<br />
# RhostsRSAAuthentication no<br />
# RSAAuthentication yes<br />
# PasswordAuthentication yes<br />
# HostbasedAuthentication no<br />
# GSSAPIAuthentication no<br />
# GSSAPIDelegateCredentials no<br />
# BatchMode no<br />
# CheckHostIP yes<br />
# AddressFamily any<br />
# ConnectTimeout 0<br />
# StrictHostKeyChecking ask<br />
# IdentityFile ~/.ssh/identity<br />
# IdentityFile ~/.ssh/id_rsa<br />
# IdentityFile ~/.ssh/id_dsa<br />
# Port 22<br />
# Protocol 2,1<br />
# Cipher 3des<br />
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc<br />
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160<br />
# EscapeChar ~<br />
# Tunnel no<br />
# TunnelDevice any:any<br />
# PermitLocalCommand no<br />
# VisualHostKey no<br />
HashKnownHosts yes<br />
StrictHostKeyChecking ask}}<br />
<br />
It is recommended to change the Protocol line to:<br />
Protocol 2<br />
<br />
This way only protocol 2 will be used, since protocol 1 is considered insecure.<br />
<br />
===Daemon===<br />
The SSH daemon configuration file can be found and edited at {{Filename|/etc/ssh/ssh'''d'''_config}}.<br />
<br />
A sample configuration:<br />
<br />
{{File|name=/etc/ssh/sshd_config|content=<br />
<br />
# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $<br />
<br />
# This is the sshd server system-wide configuration file. See<br />
# sshd_config(5) for more information.<br />
<br />
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin<br />
<br />
# The strategy used for options in the default sshd_config shipped with<br />
# OpenSSH is to specify options with their default value where<br />
# possible, but leave them commented. Uncommented options change a<br />
# default value.<br />
<br />
#Port 22<br />
#Protocol 2,1<br />
ListenAddress 0.0.0.0<br />
#ListenAddress ::<br />
<br />
# HostKey for protocol version 1<br />
#HostKey /etc/ssh/ssh_host_key<br />
# HostKeys for protocol version 2<br />
#HostKey /etc/ssh/ssh_host_rsa_key<br />
#HostKey /etc/ssh/ssh_host_dsa_key<br />
<br />
# Lifetime and size of ephemeral version 1 server key<br />
#KeyRegenerationInterval 1h<br />
#ServerKeyBits 768<br />
<br />
# Logging<br />
#obsoletes QuietMode and FascistLogging<br />
#SyslogFacility AUTH<br />
#LogLevel INFO<br />
<br />
# Authentication:<br />
<br />
#LoginGraceTime 2m<br />
#PermitRootLogin yes<br />
#StrictModes yes<br />
#MaxAuthTries 6<br />
<br />
#RSAAuthentication yes<br />
#PubkeyAuthentication yes<br />
#AuthorizedKeysFile .ssh/authorized_keys<br />
<br />
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts<br />
#RhostsRSAAuthentication no<br />
# similar for protocol version 2<br />
#HostbasedAuthentication no<br />
# Change to yes if you don't trust ~/.ssh/known_hosts for<br />
# RhostsRSAAuthentication and HostbasedAuthentication<br />
#IgnoreUserKnownHosts no<br />
# Don't read the user's ~/.rhosts and ~/.shosts files<br />
#IgnoreRhosts yes<br />
<br />
# To disable tunneled clear text passwords, change to no here!<br />
#PasswordAuthentication yes<br />
#PermitEmptyPasswords no<br />
<br />
# Change to no to disable s/key passwords<br />
#ChallengeResponseAuthentication yes<br />
<br />
# Kerberos options<br />
#KerberosAuthentication no<br />
#KerberosOrLocalPasswd yes<br />
#KerberosTicketCleanup yes<br />
#KerberosGetAFSToken no<br />
<br />
# GSSAPI options<br />
#GSSAPIAuthentication no<br />
#GSSAPICleanupCredentials yes<br />
<br />
# Set this to 'yes' to enable PAM authentication, account processing,<br />
# and session processing. If this is enabled, PAM authentication will<br />
# be allowed through the ChallengeResponseAuthentication mechanism.<br />
# Depending on your PAM configuration, this may bypass the setting of<br />
# PasswordAuthentication, PermitEmptyPasswords, and<br />
# "PermitRootLogin without-password". If you just want the PAM account and<br />
# session checks to run without PAM authentication, then enable this but set<br />
# ChallengeResponseAuthentication=no<br />
#UsePAM no<br />
<br />
#AllowTcpForwarding yes<br />
#GatewayPorts no<br />
#X11Forwarding no<br />
#X11DisplayOffset 10<br />
#X11UseLocalhost yes<br />
#PrintMotd yes<br />
#PrintLastLog yes<br />
#TCPKeepAlive yes<br />
#UseLogin no<br />
#UsePrivilegeSeparation yes<br />
#PermitUserEnvironment no<br />
#Compression yes<br />
#ClientAliveInterval 0<br />
#ClientAliveCountMax 3<br />
#UseDNS yes<br />
#PidFile /var/run/sshd.pid<br />
#MaxStartups 10<br />
<br />
# no default banner path<br />
#Banner /some/path<br />
<br />
# override default of no subsystems<br />
Subsystem sftp /usr/lib/ssh/sftp-server}}<br />
<br />
<br />
To allow access only for certain users, add the following line:<br />
AllowUsers user1 user2<br />
<br />
You may want to change some lines so that they look like the following:<br />
<pre><br />
Protocol 2<br />
.<br />
.<br />
.<br />
LoginGraceTime 120<br />
.<br />
.<br />
.<br />
PermitRootLogin no # (put yes here if you want root login)<br />
</pre><br />
<br />
You can also uncomment the BANNER option and edit {{Filename|/etc/issue}} for a welcome message.<br />
<br />
{{Tip| You may want to change the default port from 22 to some high port (see [http://en.wikipedia.org/wiki/Security_through_obscurity security through obscurity]).}} <br />
<br />
Even though the port used by ssh can be detected with a port scanner such as nmap, changing it will reduce the number of log entries produced by automated access attempts.<br />
<br />
{{Tip| Disabling password logins entirely can improve your security, since every user with access to the server will then need to create ssh keys (see [http://wiki.archlinux.org/index.php/Using_SSH_Keys Using SSH Keys]).}}<br />
<br />
{{File|name=/etc/ssh/sshd_config|content=<br />
PasswordAuthentication no<br />
ChallengeResponseAuthentication no}}<br />
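An added example, not part of the original page, that audits an sshd_config against the settings this section recommends. It applies the rule stated in the sample file's own comments (an uncommented option overrides the documented default) and the first-obtained-value rule from the client file's comments, which sshd follows for these keywords; the default table and the two sample configs are constructed here from the lines above, and Match blocks are not handled.<br />

```python
import re

# Defaults as documented by the commented-out lines of the sample sshd_config
# above: an uncommented option changes a default value.
DOCUMENTED_DEFAULTS = {
    "protocol": "2,1",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# Values this section recommends for those keywords.
RECOMMENDED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
}

# Constructed samples: the stock file (only the two uncommented lines of the
# sample above) and a hardened one following this section.
STOCK_SAMPLE = """\
ListenAddress 0.0.0.0
Subsystem sftp /usr/lib/ssh/sftp-server
"""
HARDENED_SAMPLE = """\
Protocol 2
LoginGraceTime 120
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers user1 user2
"""


def parse_sshd_config(text):
    """Map each keyword (case-insensitive) to its first argument. Comments and
    blank lines are skipped, 'Key value' and 'Key=value' are both accepted, and
    the first value seen for a keyword is the one kept."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2 or not parts[1].split():
            continue
        key, value = parts[0].lower(), parts[1].split()[0]
        effective.setdefault(key, value)
    return effective


def audit(text):
    """Return findings where the effective configuration differs from the
    recommendations; an empty list means the file already matches them."""
    effective = dict(DOCUMENTED_DEFAULTS)
    effective.update(parse_sshd_config(text))
    findings = []
    for key, wanted in RECOMMENDED.items():
        if effective[key].lower() != wanted:
            findings.append(f"{key} is '{effective[key]}', recommended '{wanted}'")
    if "allowusers" not in effective:
        findings.append("allowusers is unset, so logins are not limited to named accounts")
    return findings


if __name__ == "__main__":
    for name, sample in (("stock", STOCK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(name + ":", audit(sample) or ["matches recommendations"])
```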
<br />
===Allowing others to log in===<br />
{{Box Note | You have to adjust this file to access your machine remotely, since it is empty by default}}<br />
<br />
To allow someone else to connect to your machine via ssh you need to adjust the file {{Filename|/etc/hosts.allow}} and add the following:<br />
<br />
<pre><br />
# Allow anyone to connect to you<br />
sshd: ALL<br />
<br />
# Or, you can restrict it to certain IPs.<br />
sshd: 192.168.0.1<br />
<br />
# or restrict it to a network of IPs<br />
sshd: 10.0.0.0/255.255.255.0<br />
<br />
# or restrict the IP by a pattern<br />
sshd: 192.168.1.<br />
</pre><br />
<br />
Now check the file {{Filename|/etc/hosts.deny}} for the following line and make sure it looks like this:<br />
ALL: ALL<br />
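As an added example (not part of the original page), the following Python mimics how tcpd evaluates the rule forms shown above: hosts.allow is consulted first, then hosts.deny, and a client matching neither file is let through, which is why the ALL: ALL line in hosts.deny matters. The two sample files are constructed from this section; only IPv4 addresses and the ALL, exact-address, net/mask and trailing-dot forms are handled.<br />

```python
import ipaddress

# Constructed sample files mirroring the rule forms shown in this section.
HOSTS_ALLOW = """
# sshd: ALL   (left commented out so the narrower rules below apply)
sshd: 192.168.0.1
sshd: 10.0.0.0/255.255.255.0
sshd: 192.168.1.
"""
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into ([daemons], [clients]) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def client_matches(pattern, addr):
    """Match one client pattern against a dotted-quad IPv4 address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                              # net/mask: (addr & mask) == net
        net, mask = pattern.split("/", 1)
        m = int(ipaddress.IPv4Address(mask))
        return (int(ipaddress.IPv4Address(addr)) & m) == int(ipaddress.IPv4Address(net))
    if pattern.endswith("."):                       # leading octets, e.g. 192.168.1.
        return addr.startswith(pattern)
    return pattern == addr                          # exact address


def access_allowed(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply tcpd's order: the first match in hosts.allow grants access, then the
    first match in hosts.deny refuses it, and anything unmatched is allowed."""
    def hit(rules):
        return any((daemon in ds or "ALL" in ds)
                   and any(client_matches(c, addr) for c in cs)
                   for ds, cs in rules)
    if hit(parse_rules(allow_text)):
        return True
    if hit(parse_rules(deny_text)):
        return False
    return True


if __name__ == "__main__":
    for client in ("192.168.0.1", "10.0.1.5", "192.168.10.5"):
        print(client, "allowed" if access_allowed("sshd", client) else "refused")
```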
<br />
That's it. You can log out and others should be able to log in via ssh :).<br />
<br />
To use the new settings, restart the daemon (as root):<br />
# /etc/rc.d/sshd restart<br />
<br />
== Managing the SSHD Daemon ==<br />
Just add sshd to the "DAEMONS" section of your {{Filename|/etc/[[rc.conf]]}} file:<br />
DAEMONS=(... ... '''sshd''' ... ...)<br />
<br />
To start/restart/stop the daemon, use the following:<br />
# /etc/rc.d/sshd {start|stop|restart}<br />
<br />
==Connecting to the server==<br />
To connect to the server, run:<br />
$ ssh -p port user@server-address<br />
<br />
<br />
<br />
= Tips and Tricks =<br />
<br />
== Encrypted tunnel ==<br />
This is very useful for a notebook user connecting to various insecure networks. The only thing you need is an ssh server running in some secure location, such as your home or workplace. It may be useful to use a dynamic DNS service such as [http://www.dyndns.org/ DynDNS] so you do not have to remember your IP address.<br />
<br />
=== First Step: Start the Connection ===<br />
You only have to run this single command in your favourite terminal to start the connection:<br />
$ ssh -ND 4711 usuario@host<br />
where {{Codeline|"usuario"}} is your username on the SSH server running at {{Codeline|"host"}}. It will ask for your password, and then you are connected! The {{Codeline|"N"}} option disables the interactive prompt, and the {{Codeline|"D"}} option specifies the local port it will listen on (you can choose any port number you prefer).<br />
<br />
An easier way of doing this is to put an alias in your {{Filename|~/.bashrc}} file, like so:<br />
alias sshtunnel="ssh -ND 4711 -v user@host"<br />
It is worth adding the verbosity option {{Codeline|"-v"}}, because then you can verify from the output that you are really connected. Now you only need to run {{Codeline|"sshtunnel"}} :)<br />
<br />
=== Second Step: Configure your Browser (and/or other programs) ===<br />
<br />
The step above is completely useless if you do not configure your browser (or other programs) to use the new tunnel. Since the current version of SSH supports SOCKS4 and SOCKS5, you can use either.<br />
<br />
* For Firefox: ''Edit &rarr; Preferences &rarr; Advanced &rarr; Network &rarr; Connection Settings &rarr;'':<br />
: Check the ''"Manual proxy configuration"'' option, enter "localhost" in the ''"SOCKS"'' field, and then the port number in the next field (above I used 4711).<br />
<br />
* For Chromium: you will have to set environment variables. I recommend adding the following lines to your .bashrc:<br />
function secure_chromium {<br />
port=4711<br />
export SOCKS_SERVER=localhost:$port<br />
export SOCKS_VERSION=5<br />
chromium &<br />
exit<br />
}<br />
<br />
Now open a terminal and run:<br />
$ secure_chromium<br />
<br />
Enjoy your secure tunnel!<br />
<br />
== X11 Forwarding ==<br />
To run graphical applications over an SSH connection you can enable "X11 forwarding". <br />
An option needs to be set in both the server and the client configuration files (here "client" means your computer, where the X11 server runs, and you will run X applications on the "server").<br />
<br />
Install xorg-xauth on the server:<br />
# pacman -S xorg-xauth<br />
<br />
* Enable the '''AllowTcpForwarding''' option in the {{Filename|sshd_config}} file on the '''server'''.<br />
* Enable the '''X11Forwarding''' option in the {{Filename|sshd_config}} file on the '''server'''.<br />
* Set the '''X11DisplayOffset''' option in the {{Filename|sshd_config}} file on the '''server''' to 10.<br />
* Enable the '''X11UseLocalhost''' option in the {{Filename|sshd_config}} file on the '''server'''.<br />
* Enable the '''ForwardX11''' option in the {{Filename|ssh_config}} file on the '''client'''.<br />
<br />
To use the forwarding, connect to your server via ssh:<br />
# ssh -X -p port user@server-address<br />
If you get errors when trying to run a graphical application, try trusted forwarding instead:<br />
# ssh -Y -p port user@server-address<br />
Now you can start any X application on the remote server; its output will be redirected to your local session:<br />
# xclock<br />
<br />
If you get "Cannot open display" errors, try the following command as root:<br />
$ xhost +<br />
<br />
The command above will allow anyone to forward X11 applications. To restrict forwarding to a specific host:<br />
$ xhost +hostname<br />
<br />
where hostname is the name of the host you want to forward to. Type "man xhost" for more details.<br />
<br />
Be careful with applications that check for a running instance on the local machine. Firefox is one example. Close Firefox, or use the following startup parameter to start a separate instance on the local machine:<br />
$ firefox -no-remote<br />
<br />
== Speeding up SSH ==<br />
You can make all sessions to the same host share a single connection, which greatly speeds up subsequent logins, by adding the following lines under the appropriate host in {{Filename|/etc/ssh/ssh_config}}:<br />
ControlMaster auto<br />
ControlPath ~/.ssh/socket-%r@%h:%p<br />
<br />
Changing the ciphers used by SSH to ones that require less processing can improve speed. In this respect the best choices are arcfour and blowfish-cbc. '''Please do not do this unless you know what you are doing; arcfour has several known vulnerabilities'''. To use them, run ssh with the {{Codeline|"c"}} option, like so:<br />
# ssh -c arcfour,blowfish-cbc user@server-address<br />
To use them permanently, add the following line under the appropriate host in {{Filename|/etc/ssh/ssh_config}}:<br />
Ciphers arcfour,blowfish-cbc<br />
Another option to improve speed is to enable compression with the {{Codeline|"C"}} option. A permanent solution for this is to add the following line under the appropriate host in {{Filename|/etc/ssh/ssh_config}}:<br />
Compression yes<br />
Login time can be reduced with the {{Codeline|"4"}} option, which skips the IPv6 lookup.<br />
This can be made permanent by adding the following line under the appropriate host in {{Filename|/etc/ssh/ssh_config}}:<br />
AddressFamily inet<br />
Another way to make these changes permanent is to create an alias in {{Filename|~/.bashrc}}:<br />
alias ssh='ssh -C4c arcfour,blowfish-cbc'<br />
<br />
=== Troubleshooting ===<br />
<br />
Make sure the DISPLAY variable is correctly set on the remote server:<br />
<br />
ssh -X user@server-address<br />
server$ echo $DISPLAY<br />
localhost:10.0<br />
server$ telnet localhost 6010<br />
localhost/6010: lookup failure: Temporary failure in name resolution <br />
<br />
This can be fixed by adding localhost to the {{Filename|/etc/hosts}} file.<br />
<br />
== Mounting a Remote Filesystem with SSHFS ==<br />
<br />
Install sshfs<br />
# pacman -S sshfs<br />
<br />
Load the Fuse module into memory<br />
# modprobe fuse<br />
Add fuse to the modules list in the {{Filename|/etc/rc.conf}} file to load it at system boot.<br />
<br />
Mount the remote directory using sshfs<br />
# mkdir ~/remote_folder<br />
# sshfs USER@remote_server:/tmp ~/remote_folder<br />
<br />
The command above mounts the /tmp folder on the remote server as ~/remote_folder on the local machine. Copying any file into that folder transparently copies it over the network using SFTP. The same applies to editing, creating or deleting files.<br />
<br />
When we are done using the remote filesystem, we can unmount the remote directory with:<br />
# fusermount -u ~/remote_folder<br />
<br />
If we work in that folder on a daily basis, it would be wise to add it to the filesystem table {{Filename|/etc/fstab}}. That way it can be mounted automatically by the system at boot, or manually (if the {{Codeline|noauto}} option is chosen), without having to specify the remote location every time. Here is an example table entry:<br />
sshfs#USER@remote_server:/tmp /full/path/to/directory fuse defaults,auto,allow_other 0 0<br />
<br />
== Keeping the Session Alive ==<br />
<br />
Your ssh session will disconnect automatically if it stays idle. To keep the connection alive, add the following line to the {{Filename|~/.ssh/config}} file or to {{Filename|/etc/ssh/ssh_config}} on the client.<br />
<br />
ServerAliveInterval 120<br />
<br />
This sends a "keep alive" signal to the server every 120 seconds.<br />
<br />
Conversely, to keep incoming connections alive, you can set<br />
<br />
ClientAliveInterval 120<br />
<br />
(or some other number greater than 0) in the {{Filename|/etc/ssh/sshd_config}} file on the server.<br />
<br />
== Saving connection data in .ssh/config ==<br />
<br />
Whenever you want to connect to a server you usually need to type at least the address and your username. To save yourself the trouble of typing these for the servers you connect to regularly, you can use the {{Filename|$HOME/.ssh/config}} file as shown in the example:<br />
<br />
{{File|name=$HOME/.ssh/config|content=<br />
<br />
Host myserver<br />
HostName 123.123.123.123<br />
Port 12345<br />
User bob<br />
Host other_server<br />
HostName test.something.org<br />
User alice<br />
CheckHostIP no<br />
Cipher blowfish<br />
}}<br />
<br />
Now you can simply connect to the server using the name you specified:<br />
<br />
$ ssh myserver<br />
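An added example, not part of the original page, that resolves what {{Codeline|ssh myserver}} will actually use from a ~/.ssh/config like the one above. It applies the rule from the ssh_config comments earlier on this page that the first obtained value for a keyword wins, which is why a {{Codeline|Host *}} block of defaults belongs last; the sample file and its {{Codeline|Host *}} block are constructed here, and negated (!) Host patterns are not handled.<br />

```python
import fnmatch
import re

# Constructed sample in the shape of the file above, with a 'Host *' block of
# defaults placed last, as the ssh_config comments earlier on this page advise.
SSH_CONFIG_SAMPLE = """\
Host myserver
    HostName 123.123.123.123
    Port 12345
    User bob
Host other_server
    HostName test.something.org
    User alice
    CheckHostIP no
    Cipher blowfish
Host *
    Port 22
    User fallback
    ServerAliveInterval 120
"""


def resolve(text, target):
    """Effective options for `ssh target`. A Host line selects the blocks whose
    pattern matches the name typed on the command line (wildcards * and ? via
    fnmatch), and across the selected blocks the first value seen for each
    keyword is the one kept, so later blocks can only fill in gaps."""
    effective = {}
    selected = True                 # options before any Host line apply to all hosts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            selected = any(fnmatch.fnmatchcase(target, p) for p in value.split())
            continue
        if selected:
            effective.setdefault(key, value)
    return effective


def ssh_argv(text, target):
    """Command line equivalent to `ssh target` under the resolved options."""
    opts = resolve(text, target)
    host = opts.get("hostname", target)
    if "user" in opts:
        host = opts["user"] + "@" + host
    return ["ssh", "-p", opts.get("port", "22"), host]


if __name__ == "__main__":
    for name in ("myserver", "other_server", "lab"):
        print(name, "=", " ".join(ssh_argv(SSH_CONFIG_SAMPLE, name)))
```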
<br />
For a complete list of possible options, check the ssh_config man page on your system or the [http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config ssh_config documentation] on the official site.</div>Sironitomashttps://wiki.archlinux.org/index.php?title=Acer_Aspire_One_D260&diff=133835Acer Aspire One D2602011-03-16T04:30:56Z<p>Sironitomas: </p>
<hr />
<div>{{Article summary start}}<br />
{{Article summary text| Information about configuring Arch on this netbook }}<br />
{{Article summary end}}<br />
<br />
==Known Hardware==<br />
<br />
# Processor: Intel Atom N475<br />
# Graphics: Intel GMA 3150<br />
# Network: Atheros<br />
<br />
{{Command|name=lspci|output=<br />
00:00.0 Host bridge: Intel Corporation N10 Family DMI Bridge<br />
00:02.0 VGA compatible controller: Intel Corporation N10 Family Integrated Graphics Controller<br />
00:02.1 Display controller: Intel Corporation N10 Family Integrated Graphics Controller<br />
00:1b.0 Audio device: Intel Corporation N10/ICH 7 Family High Definition Audio Controller (rev 02)<br />
00:1c.0 PCI bridge: Intel Corporation N10/ICH 7 Family PCI Express Port 1 (rev 02)<br />
00:1c.1 PCI bridge: Intel Corporation N10/ICH 7 Family PCI Express Port 2 (rev 02)<br />
00:1d.0 USB Controller: Intel Corporation N10/ICH 7 Family USB UHCI Controller #1 (rev 02)<br />
00:1d.1 USB Controller: Intel Corporation N10/ICH 7 Family USB UHCI Controller #2 (rev 02)<br />
00:1d.2 USB Controller: Intel Corporation N10/ICH 7 Family USB UHCI Controller #3 (rev 02)<br />
00:1d.3 USB Controller: Intel Corporation N10/ICH 7 Family USB UHCI Controller #4 (rev 02)<br />
00:1d.7 USB Controller: Intel Corporation N10/ICH 7 Family USB2 EHCI Controller (rev 02)<br />
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev e2)<br />
00:1f.0 ISA bridge: Intel Corporation NM10 Family LPC Controller (rev 02)<br />
00:1f.2 SATA controller: Intel Corporation N10/ICH7 Family SATA AHCI Controller (rev 02)<br />
00:1f.3 SMBus: Intel Corporation N10/ICH 7 Family SMBus Controller (rev 02)<br />
01:00.0 Ethernet controller: Atheros Communications AR8152 v1.1 Fast Ethernet (rev c1)<br />
02:00.0 Network controller: Atheros Communications Inc. AR9285 Wireless Network Adapter (PCI-Express) (rev 01)}}</div>Sironitomashttps://wiki.archlinux.org/index.php?title=Acer_Aspire_One_D260&diff=133831Acer Aspire One D2602011-03-16T04:19:58Z<p>Sironitomas: Created page with "{{Article summary start}} {{Article summary text| Information about configuring Arch in }} {{Article summary end}}"</p>
<hr />
<div>{{Article summary start}}<br />
{{Article summary text| Information about configuring Arch in }}<br />
{{Article summary end}}</div>Sironitomas