Fatdog64-720 and 721 Final [11 Jan 2018]

A home for all kinds of Puppy related projects
rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#361 Post by rufwoof »

I've changed tmux so that it actually loads X under user now

# Add yet another tmux window that we run X from as userid user
# (name the window at creation and target it by name, so send-keys
# still reaches it even if the current window changes meanwhile)
tmux new-window -t work -n xwin
tmux send-keys -t work:xwin 'su - user' C-m
tmux send-keys -t work:xwin 'xwin' C-m

as that way once twin is run it auto starts the X desktop, and ctrl-alt-F1 to console has you sent back to tmux with the sh, mc, htop, and xwin running sessions. Using chvt 1 (for tmux) chvt 4 (for X) commands can be employed in key bindings or desktop icons to save having to use the ctrl-alt-fn key combination to flip between the two.
[size=75]( ͡° ͜ʖ ͡°) :wq[/size]
[url=http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256][size=75]Fatdog multi-session usb[/size][/url]
[size=75][url=https://hashbang.sh]echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh[/url][/size]

dr. Dan
Posts: 96
Joined: Mon 20 Apr 2015, 17:45
Location: Oregon, U.S.A.

#362 Post by dr. Dan »

dr. Dan wrote: Considering rufwoof's most recent post, would using a non-root account and using spot for all online activities be even more secure? I'm asking out of curiosity.
Dan
While I appreciate rufwoof's reply, and I'm learning quite a bit from his posts, my question was about Linux in general and Fatdog64 in particular. Any other thoughts, anyone?
Dan

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

jwm

#363 Post by rufwoof »

jwm config file syntax/format does not match the jwm version installed. Later syntax uses the likes of an Active tag between which you can specify Foreground and Background type tag values, whereas the installed version is using older ActiveForeground type tags.

Also mtpaint.desktop isn't being picked up and added to the jwm menu.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#364 Post by rufwoof »

jamesbond wrote:
spot is a member of the video group, so can simply watch /dev/fb0
Or you can take spot out of video group, or close access to /dev/fb0 (using udev rules or simply chmod 0600 /dev/fb0 in rc.local).
Reverted back to using xorg - as it's much quicker at flipping between sessions (ctrl-alt-F1 - tmux, ctrl-alt-F4 xwin (user)). I was trialing having ctrl-alt-F5 as an xwin root session also running and under xorg it's near instant to ctrl-alt-fn flip between them, xvesa has a noticeable lag. xorg is also nice for capturing video/images of the console (I've added chmod 0600 /dev/fb0 to rc.local).

My boot sequence is still the same, boot nox, auto logs in as root (cli) and in .profile I test to see if tmux is running, if not then it runs twin (that loads the various tmux windows, starts X as user ...etc.). As X starts it automatically grabs the focus, so you in effect boot to gui desktop by default.

I see that the precursor to tmux (screen) is in the repo (gslapt). tmux is much nicer IMO.

Made a start on cli versions of admin commands being stored in a dedicated folder, as that expands I might structure it to be like a menu directory hierarchy. mc with lynx style selected (off by default) is nice in that up/down arrow to move through a directory, left/right to move up/down the directories.

I've set my openbsd (data) box to be mounted under /root ... so even when mounted the files are hidden from user (root can be used to copy files in/out of what user can see/use).

Odd, I used fbgrab to capture the console as per the attached and that was a 25KB .png file. Used mtpaint to reduce it down from 1440x900 to 600 wide for forum posting ... and the filesize increased to 139KB !! jpeg came in at 70K.
Attachment: fb.jpg (69.77 KiB)

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

cwm skippy-xd

#365 Post by rufwoof »

Many don't like cwm initially, but with persistence it grows on you. Nice for laptops where the touchpad/mouse is awkward as you can do many things using just the keyboard. Many OpenBSD developers use cwm and it's an integral part of the base OpenBSD OS.

I installed xdotool from gslapt. Downloaded and compiled cwm and skippy-xd from github (make;make install), created my own /home/user/.xinitrc to invoke a script called hotcorners prior to starting cwm ... and it all seems to be working. Mouse into the top left corner and up pops cwm application menu. Mouse into the bottom left corner and skippy-xd shows a view of all open windows where you can click to raise a window, maximise a 'iconified' window or close windows.

Code:

#!/bin/ash
# .xinitrc
# Had to install xdotool from gslapt, skippy-xd and cwm from github
# hotcorners lives in the home directory; use an absolute path so it is
# found regardless of the directory xinit was started from
"$HOME/hotcorners" &
exec cwm

Code:

# .cwmrc
#
gap                             2 0 0 0
ignore                          xclock
ignore                          xload
color inactiveborder            Black
color activeborder              "#494949"
color groupborder               "#01a252"
color urgencyborder             "#3d9751"
color selfont                   "#0034A9"
color font                      "#FFFFFF"
color menufg                    "#49F6F6"
color menubg                    "#333333"
#fontname                       "DejaVu Sans:size=11:antialias=true"
fontname                        "News10:size=11:antialias=true"
bind-key M-w                    menu-cmd  # used in hotcorners
command " xterm "               "/usr/bin/env LANG=en_US.UTF-8 xterm -fa DejaVu:size=11"
command " tmux "                "/usr/bin/env LANG=en_US.UTF-8 xterm -fa DejaVu:size=11 -e tmux"
command " seamonkey "           "seamonkey"
command " geany "               "geany"
command " mtpaint "             "mtpaint"
command " galculator "          "galculator"
command " writer "              "soffice --writer"
command " spreadsheet "         "soffice --calc"

Code:

#!/bin/sh
#
# Script to monitor mouse position and run skippy-xd (assumed to already be installed)
# whenever the mouse is moved into the bottom left corner (like a hot corner)
# and runs alt+w space when mouse into top left corner, that is set to open
# the cwm applications menu in .cwmrc and show all menu entries assuming they've been
# defined as having a space in the name i.e. command " quit " "pkill cwm"
#
# Requires xdotool (installed from gslapt)
#

# Fail early with a clear message rather than looping on a missing tool
for tool in xdotool xwininfo skippy-xd; do
    command -v "$tool" >/dev/null 2>&1 || { echo "hotcorners: $tool not found" >&2; exit 1; }
done

# Retrieve screen height
SCREEN_HEIGHT=$(xwininfo -root | sed '/Height/!d;s/.* //')
# subtract 1 as 0..899 for 900 xwininfo height screen
SCREEN_HEIGHT=$((SCREEN_HEIGHT - 1))
BOTTOM_LEFT="0x${SCREEN_HEIGHT}"
TOP_LEFT="0x0"

while :; do
    # xdotool prints "x:123 y:456 screen:0 window:..."; reduce that to "123x456"
    CURRENT_MOUSE_POSITION=$(xdotool getmouselocation | sed 's/ sc.*//; s/.://g; s/ /x/')
    if [ "$CURRENT_MOUSE_POSITION" = "$BOTTOM_LEFT" ]; then
        skippy-xd
    elif [ "$CURRENT_MOUSE_POSITION" = "$TOP_LEFT" ]; then
        # Assumes bind-key M-w menu-cmd ... is set in .cwmrc
        xdotool mousemove 60 60  # move mouse away from corner so doesn't retrigger
        xdotool key alt+w space  # key combination to launch applications
        # Note we add a space so it shows our menu entries with a space
        # and I set all menu entries with names of " abc " format
    fi
    sleep 0.2
done

As an alternative to the hotcorners script there is a program called something like brightside, but I've not found the source after a very cursory scan around.

When you first start the default cwm - it's just a black screen with a mouse cursor. Typically you use ctrl-alt-enter to launch an xterm and go from there. With the above, mousing into the top left corner presents the menu. I also leave a gap of 2 pixels at the top of screen so you can use the left/middle/mouse clicks in that area whenever a window is maximised. Toggle Maximise with ctrl-alt-M, close a window with ctrl-alt-X (sort of crab like finger arrangement), alt-tab between windows (or mouse into the bottom left corner to pick one) ...etc. Takes some practice, but after a while becomes so natural you end up loving it, and miss the simplicity in other window managers. Move a window by pressing alt and left mouse drag, resize a window with alt and middle mouse drag ...etc.

For a slightly nicer background you can add a command such as

Code:

xsetroot -bg \#222222 -mod 3 3 &

into .xinitrc, or use a program such as feh to display a wallpaper image.

Attached image shows the screen where there are 3 maximised windows running and I mouse into the bottom left corner (i.e. skippy-xd). Those windows are seen live, i.e. if you're watching a video then the skippy overview window also has the video showing.
Attachments: s2.jpg (31.37 KiB) - left mouse desktop when wallpaper xsetroot -bg \#222222 -mod 3 3 &; s.jpg (31.71 KiB)
Last edited by rufwoof on Fri 31 Aug 2018, 22:03, edited 2 times in total.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

cwm and rox

#366 Post by rufwoof »

A deficiency of rox under cwm - which has no window decorations - is that it doesn't show which folder you're viewing. skippy-xd comes to the rescue, as when viewed in skippy, mouse over the window shows the folder rox is viewing.

You can also adjust the rox menu bar to include a close (x) button.
Attachment: s3.jpg (59.88 KiB)

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

Radeon lock-ups (glamor vs exa)

#367 Post by rufwoof »

Wished I'd seen this some time back. Using another OS I encountered periodic lock-ups when I ran a large find or tar operation in xterm - that showed lots of files rapidly being processed/listed.

http://distro.ibiblio.org/fatdog/web/faqs/radeon.html

Turned out switching from glamor to EXA was the trick to resolve that.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

Reverse sshfs

#368 Post by rufwoof »

With sshfs you can mount a remote folder as a local folder, so you can open it with rox or whatever - just like any other local folder. But that involves creating a ssh session, which involves having to enter a password (or having keys).

My setup is a Virgin (ISP provider) hub (router), behind which my Fatdog liveCD Desktop system sits, no attached HDDs, just boot it, use it, shutdown without saving, or if I do make configuration changes ... boot it, configure it, save those changes to a multisession DVD disc save file.

I've always preferred to take the view that my system has been compromised - excepting perhaps when I freshly boot a pristine OS and programs (browser etc.). So for banking I'll cold boot, go direct to the banks web site with no addons etc added, do my business activities ... and reboot again. Little opportunity to be hacked/compromised. For the rest of time I just assume I've been compromised and treat the system the same as I would using a public library PC or public wireless connection.

To secure my data, I keep that on another box (running base OpenBSD). But rather than having to enter a password to connect to that, potentially with that password being unwantedly seen/used by another, I've set it up so that the OpenBSD box reverse sshfs connects to my fatdog box. The OBSD box sits behind another router where port forwarding isn't active, including for ssh, but that box can still ssh to the fatdog box ... it's as though the fatdog box was just external like any other system.

To set things up the OBSD box needs sftp-server to be installed, and the script I use was written for bash, so I have installed that (pkg_add bash) as I've been too lazy to convert it to ksh.

The fatdog box needs fuse and sshfs, both I believe are installed by default. Whilst rsshfs states that the user needs to be a member of group fuse, rsshfs to fatdog seems to work fine without that.

On the OBSD box I run rsshfs (reverse sshfs), so that it mounts an OBSD folder on the fatdog box, that fatdog can then use as a work/storage area. That OBSD folder is at risk, files could be deleted/changed etc. but I only use the OBSD box purely as a data storage server, so copies of that folder are backed up regularly to another folder. There's no way for a compromised fatdog to attack the OBSD box, it can't see any passwords used to connect to the OBSD box as the connection is made from the OBSD box that fatdog can't even see (behind a router/firewall, so doesn't even respond to pings, let alone brute force attacks of ssh port(s)).

Format of the command is something like

Code:

./rsshfs /local_OBSD_folder user@fatdog_IP:/home/OBSD-DATA

after which you enter the password for user on fatdog (I've changed mine from the default woofwoof), and then it just sits there (doesn't return to the command prompt as it continually runs, maintaining the connection).

To activate sftp-server on fatdog? All already done as part of the default base install. No further configuring/tweaks required.

The rsshfs script is available from https://github.com/rom1v/rsshfs/blob/master/rsshfs (big thanks to Romain Vimont), the only change I had to make was to set the bash header to #!/usr/local/bin/bash and change the sftp-server command line to /usr/libexec/sftp-server, so the relevant code snippet now looks like ...

Code:

    mkfifo -m600 "$fifo" &&
    < "$fifo" /usr/libexec/sftp-server "${sftpargs[@]}" |
      ssh "$rhost" sshfs -o slave ":$qlpath" "$qrpath" "$qall" > "$fifo"

With such a setup, it's reasonable to run fatdog as root, as that involves far less entering of any passwords that might be eavesdropped; whilst the hardware is safe (DVD-R write once boot media, no local storage), and your data is isolated/secure - without having to connect to that data using a password that could be captured/used.

Attached df -h is as user sees it (in having been mounted to user), if root runs df -h ... the rsshfs mount isn't even visible.

EDIT : A thought comes to mind that I have previously tweaked my /etc/ssh config files to keep sessions alive (I use 120 second intervals and counts of 10000 settings). Not sure what the defaults are, so something to keep in mind to address if after a while your sshfs sessions lock up.

EDIT2 : I did compile and try using sshpass and edited the rsshfs script to use that ... without success (wouldn't authorise). That would have left no security files on fatdog. Instead, so it connects in the background, I generated a key pair on openbsd (ssh-keygen, opting for blank password), and copied the public key to fatdog's /home/user/.ssh and then created an authorized_keys adding the id_rsa.pub file content to that authorized_keys file - so now (after tweaking fatdog's /etc/ssh/sshd.conf to use keys rather than passwords) OpenBSD can ssh connect to fatdog without having to enter a password - which means I can better control establishing a data connection. I've added su - user /home/user/fatdog-mount ... to my OpenBSD /etc/rc.local so it auto logs into user on bootup and runs my rsshfs connection script. I'm about to edit that so when it drops (such as fatdog is rebooted/shutdown) then it sits in a while loop looking for it to come back up again before looping around to run the rsshfs connection again (remounts automatically each time fatdog is booted, or if the OpenBSD server is rebooted). Would have been nice to have no keys on fatdog, but an OpenBSD public key for it to autologin to fatdog is a trivial thing, as even if that could be decrypted it only reveals the fatdog's password, which in a dark hat having gained access to obtain the public key is pretty much meaningless/useless.
Attachments: network600.jpg (47.55 KiB); xscreenshot-20180902T000841.jpg (66.25 KiB)

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

rsshfs - food for thought

#369 Post by rufwoof »

To add some more meat to the bone, consider my previous post, but where instead of rsshfs connecting to a local IP such as 192.168.1.4 - you used a domain name instead, and installed a dynamic domain name service (that directs a fixed domain name to a dynamic IP address i.e. wherever your desktop system might appear, anywhere in the world).

You boot your desktop system (laptop/whatever) and provided it's running a ddns and sshd, then shortly after booting your data server connects and mounts a folder for one of the data server's folders on that laptop - that you can open using rox or whatever and edit etc. those files. All routed via ssh tunnels, and where the data server initiates the connection (but can't be accessed in the opposite direction i.e. ssh is blocked). And that could apply to different devices - anything that could run ddns and sshd.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#370 Post by rufwoof »

Fatdog with twm as the console, cwm - with skippy and xlunch (launched using a hot corner script) ... has a nice feel as a desktop IMO http://murga-linux.com/puppy/viewtopic. ... 78#1003778 - Good flexibility in being able to navigate/run the system using either predominately mouse or predominately keyboard.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#371 Post by rufwoof »

FatDog multisession liveDVD, openbsd data server that hunts down that fatdog and reverse sshfs mount its data folder whenever fatdog pops up on line (data server is behind a firewall so no ssh possible in the opposite direction).

Boots nox, auto logs in and tmux runs, creating a xwin window and starts X in one of the tmux windows, so when you ctrl-alt-F1 out of X to the console you switch into that tmux console session (that can have multiple windows/panes etc.). First image below is an image of that actual console captured using fbgrab (didn't scale well).

X/cwm has conky as its 'desktop wallpaper', I've tweaked the default config you get when you install conky from gslapt to show more lines of connections (network activity). 2nd image below.

3rd image shows cwm menu launched by clicking on the desktop.

4th image shows how I leave a 2 pixel gap at the top of screen (defined in .cwmrc) so I can still pop up the cwm menu by clicking in that region even when a window is maximised.

5th image shows xlunch. I've tweaked its file to show the programs I use more often and in the order of my choosing. I've set xlunch to launch by moving the mouse into the bottom left screen corner. I also have alt-w set as a keybinding to launch xlunch.

2nd to Last image shows skippy-xd, which I have set to show when I mouse into the top right corner. That shows live images of all open windows and you can maximise/minimise/close/switch to any of those windows using the mouse. I also have a keybinding for alt-s to launch skippy-xd.

Last image shows standard cwm exec (alt-?) where you type the first letter of a program name and it filters ... filtering more as additional letters are typed and you can use the arrow keys to select one, or continue typing until there's a single unique program name and press enter to launch it.

cwm window manager is normally considered good for predominant keyboard usage - such as laptops. Adding xlunch and skippy-xd extends cwm into the mouse predominant usage arena. Configuration is minimalist and it leaves the desktop clean (I have conky showing as my desktop, but it could be just a background picture with no icons, panel ...etc.).

Note that tmux, cwm, skippy-xd and xlunch were all compiled - they're not available in the gslapt repo.

Pretty much there for me, so I've "de-fragmented" all of the DVD saves into a single savefile (that's around 22MB in size). i.e. burnt the fatdog iso to a clean DVD, using the existing session (with many save files), and then with that dvd still left in the drive run Save Session.
Attachments: console.png (1003 Bytes); conky.png (90.88 KiB); menu.png (82.16 KiB); max.png (117.21 KiB); xlunch.png (61.81 KiB); skippy.png (50.85 KiB); exec.png (88.78 KiB)

step
Posts: 1349
Joined: Fri 04 May 2012, 11:20

#372 Post by step »

@rufwoof,

speaking for myself, I really like the things you've recently presented in this thread. It's an unconventional, very creative configuration that makes me stop and think how differently we could approach common computing needs, such as security, usability and minimalism. Thank you for sharing.
rufwoof wrote: openbsd data server that hunts down that fatdog and reverse sshfs mount its data folder
I really like this idea, the user doesn't need to do anything to connect to the server, multiple servers if need be.
Note that tmux, cwm, skippy-xd and xlunch were all compiled - they're not available in the gslapt repo.
I thought that tmux, albeit an older version, was available from gslapt. I know I attached a newer version to this thread. I could upload it to gslapt (contrib). Indeed I could compile and upload the other three packages, too. rufwoof, would you PM me with download links and compiler flags (if non-standard) for those source trees? Did you need to add *.desktop files?
[url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Fatdog64-810[/url]|[url=http://goo.gl/hqZtiB]+Packages[/url]|[url=http://goo.gl/6dbEzT]Kodi[/url]|[url=http://goo.gl/JQC4Vz]gtkmenuplus[/url]

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#373 Post by rufwoof »

Hi Step. Slipped my mind that tmux was already in gslapt as I used the version you yourself supplied in http://murga-linux.com/puppy//viewtopic ... 38#1002738.

I've not created or changed any .desktop files.

I did build install sc0ttman's version of xlunch http://murga-linux.com/puppy//viewtopic ... 38#1003438, but also its parent from http://xlunch.org/ without having properly tidied things up, and then sc0ttman's again, so I may have a bit of a mix/mess installed in that respect.

cwm was installed from https://github.com/chneukirchen/cwm

IIRC I believe I installed skippy-xd using https://github.com/richardgv/skippy-xd, however there are several github versions that I also looked at so not 100% sure.

No tweaks/changes on my behalf, just literally compiled as supplied for each/all of those. My C skills are low, and I didn't even use git pulls, just downloaded, unzip'd, extracted and (with ./configure in some cases) make;make install.

I changed .xinitrc to comment out the bottom part of code (that does the window manager launching bit), to instead be hard coded (after the start late-start-apps) that looks like ...

Code:

### start late-start apps
rm -f $F_NO_FREEMEM_APPLET
/etc/rc.d/rc.Xservices &

xsetroot -bg \#222222 -mod 3 3 &
/root/conky.sh &
/root/hotcorner &
cwm

where my /root/.cwmrc looks like

Code:

# .cwmrc
#
gap                             30 0 0 0
ignore                          xclock
ignore                          xload
color inactiveborder            Black
color activeborder              "#494949"
color groupborder               "#01a252"
color urgencyborder             "#3d9751"
color selfont                   "#0034A9"
color font                      "#FFFFFF"
color menufg                    "#49F6F6"
color menubg                    "#333333"
#fontname                       "DejaVu Sans:size=11:antialias=true"
fontname                        "News10:size=11:antialias=true"
bind-key CM-comma               "mixerctl outputs.master=-5"
bind-key CM-period              "mixerctl outputs.master=+5"
#bind-key M-w                   menu-cmd
bind-key M-w                    "/root/xlunch.sh"
bind-key M-s                    "/root/skippy-xd.sh"

command " xkill "               "xkill"
command " xterm "               "xterm"
command " seamonkey-spot "      "seamonkey-spot"
command " seamonkey-root "      "seamonkey"
command " geany "               "geany"
command " rox "                 "rox"
command " mc "                  "xterm mc"
command " mtpaint "             "mtpaint"
command " htop "                "xterm htop"
command " galculator "          "galculator"
command " scalc "               "soffice --calc"
command " writer "              "soffice --writer"
command " control panel "       "fatdog-control-panel.sh"
command " isomaster "           "isomaster"
command " pburn "               "pburn"
command " peasy disc "          "peasydisc"
command " mount sr0 "           "/root/Admin/mount-sr0"
command " umount sr0 "          "/bin/umount /mnt/sr0"
command " exit "                "pkill cwm"

I've changed your default conky config that installs from gslapt to have the full date and time, date on the left, time on the right, all on the single line and that takes up around 30 pixels height, so I've adjusted cwm to leave a 30 pixel gap at the top of screen (gap 30 0 0 0) - so it looks like a panel, but is desktop so can be left/middle/right mouse pressed as per normal cwm, and I've also set the top left and top right corners to be hot corners. Where /root/hotcorner that is launched in .xinitrc looks like (note it needs xdotool to be installed from gslapt) ...

Code:

#!/bin/sh
#
# Script to monitor mouse position and run skippy-xd (assumed to already be installed)
# whenever the mouse is moved into the top right corner (like a hot corner)
# and runs alt+w when the mouse is moved into the top left corner, which .cwmrc
# binds to xlunch (or to menu-cmd if you use the built-in cwm menu, see below)
#
# Requires xdotool (installed from gslapt)
#

# Already running? A pid file under $HOME is used instead of counting
# "ps | grep" lines, which has to allow for the grep and the command
# substitution's subshell both showing up in the listing.
PIDFILE="$HOME/.hotcorner.pid"
if [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
    exit 0
fi
echo $$ > "$PIDFILE"
trap 'rm -f "$PIDFILE"' EXIT

# True when an xlunch launcher is already on screen. xlunch.sh is assumed to run
# "xlunch --input ..."; pgrep excludes itself, so no "| grep font" trick is needed
# to drop the grep from the match.
xlunch_running() { pgrep -f 'xlunch --input' >/dev/null 2>&1; }

# Retrieve screen size; pointer coordinates run 0..width-1 and 0..height-1
SCREEN_HEIGHT=$(xwininfo -root | sed '/Height/!d;s/.* //')
SCREEN_HEIGHT=$((SCREEN_HEIGHT - 1))
SCREEN_WIDTH=$(xwininfo -root | sed '/Width/!d;s/.* //')
SCREEN_WIDTH=$((SCREEN_WIDTH - 1))
BOTTOM_LEFT="0x${SCREEN_HEIGHT}"
TOP_LEFT="0x0"
TOP_RIGHT="${SCREEN_WIDTH}x0"
BOTTOM_RIGHT="${SCREEN_WIDTH}x${SCREEN_HEIGHT}"

while :; do
    # "x:123 y:456 screen:0 window:..." reduced to "123x456"
    CURRENT_MOUSE_POSITION=$(xdotool getmouselocation | sed 's/ sc.*//; s/.://g; s/ /x/')
    if [ "$CURRENT_MOUSE_POSITION" = "$TOP_RIGHT" ]; then
        xdotool mousemove "$SCREEN_WIDTH" 5  # move mouse away from corner so doesn't retrigger
        if ! xlunch_running; then            # Don't run skippy and xlunch together
            skippy-xd
            xrefresh                         # skippy issue, screen not always refreshed
        fi
    elif [ "$CURRENT_MOUSE_POSITION" = "$TOP_LEFT" ]; then
        if ! xlunch_running; then            # don't duplicate xlunch runs
            xdotool mousemove 0 5            # move mouse away from corner so doesn't retrigger
            xdotool key alt+w                # if using xlunch don't want space
            # xdotool key alt+w space        # use this with "bind-key M-w menu-cmd" instead:
            # the space shows all menu entries, as they're all named " abc " format
        fi
    fi
    sleep 0.2
done

My /root/.profile

Code:

# Start the tmux "work" session at first login only. has-session asks tmux
# directly; "ps | grep tmux | grep work" can also match unrelated command lines.
tmux has-session -t work 2>/dev/null || /root/twin

launches tmux (if it's not already running) and as I use noX boot parameter and Fatdog auto logs in as root, at first boot that loads tmux. The /root/.tmux.conf file for that is a bit of a mess, more left like that for reference ...

Code:

# set control key to backtick but also send it i.e. if hit twice then prints the backtick
unbind C-b
set-option -g prefix `
bind ` send-prefix

bind -T copy-mode-vi PageDown          send-keys -X page-down
bind -T copy-mode-vi PageUp            send-keys -X page-up

# mc uses F1 to F10, so moved up to F11 and F12
bind-key -n F12 next-window
bind-key -n F11 new-window
#bind-key -n F3 kill-window

# Console tmux and this has - and | instead of ? for borders
# UTF-8 must be off
# For OpenBSD ???
#set-option -g terminal-overrides ',*vt*:enacs@:smacs@:rmacs@:acsc@'

# split panes using | and -
bind = split-window -h
bind - split-window -v
bind 0 resize-pane -Z
unbind '"'
unbind %
# keycode PageUp switches to Fatdog ctrl-alt-F4 i.e. X/gui
bind PageUp send-keys "chvt 4" Enter
## switch panes using Alt-arrow without prefix
#bind -n M-Left select-pane -L
#bind -n M-Right select-pane -R
#bind -n M-Up select-pane -U
#bind -n M-Down select-pane -D

######################
### DESIGN CHANGES ###                                                                                
######################                                                                                
                                                                                                      
## loud or quiet?                                                                                     
#set-option -g visual-activity off                                                                    
#set-option -g visual-bell off                                                                        
#set-option -g visual-silence off                                                                     
#set-window-option -g monitor-activity off                                                            
#set-option -g bell-action none                                                                       
                                                                                                      
#  modes                                                                                              
#setw -g clock-mode-colour colour2                                                                    
setw -g clock-mode-colour yellow                                                                      
setw -g mode-attr bold                                                                                
setw -g mode-fg colour1                                                                               
setw -g mode-bg colour18   

# panes                                                                                               
set -g pane-border-bg colour0                                                                         
set -g pane-border-fg colour19                                                                        
set -g pane-active-border-bg colour0                                                                  
set -g pane-active-border-fg colour9                                                                  
                                                                                                      
# statusbar                                                                                           
# if at top, then gpm (mouse) doesn't work well (offset)                                              
set -g status-position bottom                                                                         
set -g status-justify left                                                                            
set -g status-bg colour18                                                                             
#set -g status-fg colour137                                                                           
set -g status-fg white                                                                                
#set -g status-attr dim                                                                               
set -g status-left ''                                                                                 
#set -g status-right '#[fg=colour233,bg=colour19,bold] %d/%m #[fg=colour233,bg=colour8,bold] %H:%M:%S 
#set -g status-right '#[fg=colour137,bg=colour19,bold] %D/%M/%Y #[fg=colour137,bg=colour8,bold] %H:%M:
set -g status-right '#[fg=colour249,bg=colour19,bold] %a %d %b #[fg=colour249,bg=colour19,bold] %H:%M '
set -g status-right-length 50                                                                         
set -g status-left-length 20                                                                          
                                                                                                      
setw -g window-status-current-fg colour1                                                              
setw -g window-status-current-bg colour19                                                             
setw -g window-status-current-attr bold                                                               
setw -g window-status-current-format ' #I#[fg=colour249]:#[fg=colour255]#W#[fg=colour249]#F '         
setw -g window-status-fg colour9
setw -g window-status-bg colour18                                                                     
setw -g window-status-attr none                                                                       
setw -g window-status-format ' #I#[fg=colour237]:#[fg=colour250]#W#[fg=colour244]#F '                 
                                                                                                      
setw -g window-status-bell-attr bold                                                                  
setw -g window-status-bell-fg colour255                                                               
setw -g window-status-bell-bg colour1                                                                 
                                                                                                      
# messages                                                                                            
set -g message-attr bold                                                                              
set -g message-fg colour232                                                                           
set -g message-bg colour16                                                                            
                                                                                                      
#hilite current window                                                                                
set-window-option -g window-status-current-bg red                                                     
set-window-option -g window-status-current-fg yellow
I created a /root/twin script

Code: Select all

#!/bin/sh          
#                                                                               
# My tmux initialisation script to initialise tmux windows                   
#                                                                          
                                  
T=`ps -aux | grep tmux | grep work`   # unused here; /root/.profile already does this check
[ ! -z "$TMUX" ] && echo Already running && exit   # don't nest: exit if already inside tmux
                        
cd                                   
                                  
# start a tmux session, detach
# then send commands to that before reattaching to it           
# Note that C-m is carriage return (enter)                                    
                        
# create a tmux session called work, and deattach so we can send keys to it
# Create the first window and load htop into that ...
tmux new -s work -d                         
# we leave that first window as a sh type window                                
 
## Add another window and load mc                                  
#tmux new-window -t work                                                        
#tmux rename-window -t work mc
#tmux send-keys -t work 'mc /root/Admin /root' C-m
## Add another tmux window and load htop                                        
#tmux new-window -t work                                                     
#tmux rename-window -t work htop                                           
#tmux send-keys -t work 'htop' C-m                                         
                                                                                
################################################################################
# Following sets up both a user and root X logins, however if others can read   
# root keystrokes under X, then potentially can write them also !!! So best     
# not to run X as root apps at all                                              
################################################################################
## Add yet another tmux window that we run X from as root user                  
#tmux new-window -t work                                                        
#tmux rename-window -t work root-xwin                                           
#tmux send-keys -t work 'xwin' C-m                                              
                                                                                
## Add yet another tmux window that we run X from as userid user                
## i.e. logged in as user, ready to run xwin (running in command doesn't work)  
#tmux new-window -t work                                                        
#tmux rename-window -t work user-xwin                                           
#tmux send-keys -t work 'su - user' C-m                                         
#tmux send-keys -t work 'sleep 5;startx' C-m                                    
################################################################################
                                                       
# Add yet another tmux window that we run X from ### as userid user             
#### i.e. logged in as user, ready to run xwin (running in command doesn't work)
tmux new-window -t work                                                         
tmux rename-window -t work xwin                                                 
#tmux send-keys -t work 'su - user' C-m                                         
tmux send-keys -t work 'xwin' C-m                                               
                                                                                
# and finally select which window to show first and attach to the tmux work session
tmux select-window -t work:0
tmux attach -t work     
That currently just has two windows open, one a shell command, the other the window that xwin is launched from within.

The /root/.config/skippy-xd/skippy-xd.rc content I have (excluding the header comments) is

Code: Select all

[general]                                                                        
distance = 50                                                                    
useNetWMFullscreen = false                                                 
ignoreSkipTaskbar = true                                                   
updateFreq = 10.0                                                          
lazyTrans = false                                                          
pipePath = /tmp/skippy-xd-fifo                                             
movePointerOnStart = false                                                 
movePointerOnSelect = false   
movePointerOnRaise = false                                                 
switchDesktopOnActivate = false                                         
useNameWindowPixmap = false                              
forceNameWindowPixmap = false  
includeFrame = true                                                    
allowUpscale = false              
showAllDesktops = false                                       
showUnmapped = true            
preferredIconSize = 48                                                       
clientDisplayModes = thumbnail icon filled none                         
iconFillSpec = orig mid mid #00FFFF            
fillSpec = orig mid mid #FFFFFF                
background =                                                                     
                                               
[xinerama]                                     
showAll = true      
[normal]                                                                         
tint = black                                                               
tintOpacity = 0                                                            
opacity = 200                                                              
                                                                           
[highlight]                                                                
tint = #101020                                                             
tintOpacity = 64                               
opacity = 255                                                              
                                                                        
[tooltip]                                                
show = true                                    
followsMouse = true                                                    
offsetX = 20                                   
offsetY = 20                                                  
align = left                                   
border = #ffffff                                                             
background = #404040                                                    
opacity = 128                                  
text = #ffffff                                 
textShadow = black                                                               
font = DejaVu-10                               
                                               
[bindings]                                                               
miwMouse1 = focus                                                            
miwMouse2 = close-ewmh                                                 
miwMouse3 = iconify     
I've also replaced the /etc/xdg/skippy-xd.rc file content with that (made it the system default).

I did add some to /etc/shinit (after the esac)

Code: Select all

if [ -z "$DISPLAY" ]; then  # root/cli (no X running), so set uk keyboard layout
   loadkeys uk
   setfont big
   # Kirk (?) installed bigfont, so we can simply use setfont command to invoke that
   # setfont LatArCyrHeb-16
fi
to use Kirk's bigfont (and set uk keyboard). I also changed the PS1 in that shinit so the relevant code section now looks like

Code: Select all

case $- in 
	*i*)
		# interactive configurations - prompt, history, etc
		# TERM, USER and LOGNAME is already set by login/su
		PS1="$USER$ "; [ $USER = root ] && PS1="\[\e[34;1m\]Pwd: \[\e[36m\]\w\n\[\e[31;1m\]\u@\h> \[\e[32m\]"
		HISTFILE="$HOME/.history"	# ensure all shells use the same history
		
For .Xdefaults I have

Code: Select all

Xft.dpi:                        157
*font:                          -b&h-lucida-medium-r-*-*-24-*-*-*-*-*-iso8859-14
*background:                    #000033
*foreground:                    #FFFFFF
*faceName:                      News10:size=11:antialias=true
*cursorColor:                   LightBlue
!XTerm.vt100.faceName:          DejaVu:size=11:antialias=false
XTerm.vt100.faceName:           News10:size=11:antialias=true
!                               when run xterm runs ~/.profile
XTerm*loginShell:               true
xterm*scrollBar:                false
I added in

Code: Select all

chmod 0600 /dev/fb0
to the end of /etc/rc.d/rc.local to disallow spot access to the console framebuffer

The /root/xlunch.sh script that I'm using contains

Code: Select all

#!/bin/sh
cd /root
# hotcorner looks for xlunch --input ... so ensure to keep the parameters like that in the following
xlunch --input /root/.config/xlunch/my.dsv --scroll --columns 5 --font /usr/share/fonts/X11/TTF/DejaVuSansCondensed-Bold.ttf/14
i.e. I launch my own version of the xlunch menu, which I've called my.dsv ... a stripped down version of what xlunch presents by default after first installation. For that I created a /root/.config/xlunch/my.dsv containing ...

Code: Select all

X Terminal;/usr/share/pixmaps/midi-icons/console48.png;xterm  
ROX Filer;/usr/share/pixmaps/midi-icons/file-manager48.png;rox
Seamonkey Browser;/usr/share/pixmaps/seamonkey48.png;seamonkey-spot
Galculator;/usr/share/icons/hicolor/48x48/apps/galculator.png;galculator
Geany;/usr/share/icons/hicolor/48x48/apps/geany.png;geany
mtPaint snapshot;/usr/share/pixmaps/mini-icons/mini-camera.xpm;mtpaintsnapshot.sh
mtPaint;/usr/share/pixmaps/mini-icons/mtpaint.xpm;mtpaint
GNU Image Manipulation Program;/usr/share/icons/hicolor/48x48/apps/gimp.png;gimp-2.8
chvt 1;/usr/share/pixmaps/utilities-system-monitor.png;chvt 1
Fatdog64 Control Panel;/usr/share/pixmaps/midi-icons/controlpanel48.png;fatdog-control-panel.sh
Fatdog64 QuickApps;/usr/share/pixmaps/midi-icons/go48.png;fatdog-quickapps.sh
Fatdog Help;/usr/share/pixmaps/midi-icons/help48.png;fatdog-help.sh
LibreOffice Base;/usr/share/icons/libreoffice-base.png;libreoffice --base
LibreOffice Calc;/usr/share/icons/libreoffice-calc.png;libreoffice --calc
LibreOffice Draw;/usr/share/icons/libreoffice-draw.png;libreoffice --draw
LibreOffice Impress;/usr/share/icons/libreoffice-impress.png;libreoffice --impress
LibreOffice Math;/usr/share/icons/libreoffice-math.png;libreoffice --math
LibreOffice;/usr/share/icons/libreoffice-startcenter.png;libreoffice
LibreOffice Writer;/usr/share/icons/libreoffice-writer.png;libreoffice --writer
NoteCase notes manager;/usr/share/pixmaps/notecase.xpm;notecase
Osmo;/usr/share/icons/hicolor/48x48/apps/osmo.png;osmo
VLC media player;/usr/share/icons/hicolor/48x48/apps/vlc.png;/usr/bin/vlc
ISO Master;/usr/share/isomaster/icons/isomaster.png;isomaster
Pburn CD/DVD/Blu-ray writer;/usr/share/xlunch/svgicons/pburn.png;pburn
PeasyDisc optical disc tools;/usr/share/pixmaps/midi-icons/optical48.png;peasydisc
ripperX CD song ripper;/usr/share/pixmaps/midi-icons/optical48.png;ripperX
Screencaster;/usr/share/pixmaps/midi-icons/camera48.png;screencast.sh
Pmount mount/unmount drives;/usr/share/pixmaps/midi-icons/floppy48.png;pmount
Reboot;/usr/share/pixmaps/midi-icons/connect48.png;wmexit reboot
Restart X;/usr/share/pixmaps/midi-icons/x.png;wmexit restart
Shutdown;/usr/share/pixmaps/midi-icons/shutdown48.png;wmexit shutdown
SeaMonkey Addressbook;/usr/share/pixmaps/contact48.png;seamonkey-spot -addressbook
SeaMonkey Composer html editor;/usr/share/pixmaps/mozicon48.png;seamonkey -edit
SeaMonkey mail;/usr/share/pixmaps/email48.png;seamonkey-spot -mail
Task Manager;/usr/share/pixmaps/midi-icons/system-monitor48.png;lxtask 
My /root/conky.sh script keeps conky alive (so it restarts if the user does, say, ctrl-alt-X (close) on the 'desktop' (conky)):

Code: Select all

#!/bin/sh
#
# Keep conky alive if ctrl-alt-x (cwm) closes the 'desktop' (conky)
# /etc/conky/conky.conf should have the "background no" setting, so conky
# stays in the foreground and this loop only continues once it has exited
#
while : ; do
        conky -o
        sleep 1      # avoid a tight loop if conky fails to start at all
done
I thought I added an xrdb -merge ~/.Xdefaults somewhere, but that may have been when I was running under user (I've since removed userid user and just run as root); can't recall if or where.

The /etc/ssh/sshd_config that I pulled in and edited from OpenBSD looks like

Code: Select all

#       $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $                                
                                                                                                      
# This is the sshd server system-wide configuration file.  See                                        
# sshd_config(5) for more information.                                                                
                                                                                                      
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin                                      
                                                                                                      
# The strategy used for options in the default sshd_config shipped with                               
# OpenSSH is to specify options with their default value where                                        
# possible, but leave them commented.  Uncommented options override the                               
# default value.                                                                                      
                                                                                                      
#Port 22                                                                                              
#AddressFamily any                                                                                    
#ListenAddress 0.0.0.0                                                                                
#ListenAddress ::                                                                                     
                                                                                                      
# The default requires explicit activation of protocol 1                                              
#Protocol 2                                                                                           
                                                                                                      
# HostKey for protocol version 1                                                                      
#HostKey /etc/ssh/ssh_host_key                                                                        
# HostKeys for protocol version 2                                                                     
#HostKey /etc/ssh/ssh_host_rsa_key                                                                    
#HostKey /etc/ssh/ssh_host_dsa_key                                                                    
#HostKey /etc/ssh/ssh_host_ecdsa_key                                                                  
#HostKey /etc/ssh/ssh_host_ed25519_key        
# Lifetime and size of ephemeral version 1 server key                                                 
#KeyRegenerationInterval 1h                                                                           
#ServerKeyBits 1024                                                                                   
                                                                                                      
# Ciphers and keying                                                                                  
#RekeyLimit default none                                                                              
                                                                                                      
# Logging                                                                                             
# obsoletes QuietMode and FascistLogging                                                              
#SyslogFacility AUTH                                                                                  
#LogLevel INFO                                                                                        
                                                                                                      
# Authentication:                                                                                     
                                                                                                      
#LoginGraceTime 2m                                                                                    
#PermitRootLogin prohibit-password                                                                    
#StrictModes yes                                                                                      
#MaxAuthTries 6                                                                                       
#MaxSessions 10                                                                                       
                                                                                                      
#RSAAuthentication yes                                                                                
#PubkeyAuthentication yes                                                                             
                                                                                                      
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2                         
# but this is overridden so installations will only check .ssh/authorized_keys                        
AuthorizedKeysFile      .ssh/authorized_keys
#AuthorizedPrincipalsFile none                                                                        
                                                                                                      
#AuthorizedKeysCommand none                                                                           
#AuthorizedKeysCommandUser nobody                                                                     
                                                                                                      
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts                           
#RhostsRSAAuthentication no                                                                           
# similar for protocol version 2                                                                      
#HostbasedAuthentication no                                                                           
# Change to yes if you don't trust ~/.ssh/known_hosts for                                             
# RhostsRSAAuthentication and HostbasedAuthentication                                                 
#IgnoreUserKnownHosts no                                                                              
# Don't read the user's ~/.rhosts and ~/.shosts files                                                 
#IgnoreRhosts yes                                                                                     
                                                                                                      
# To disable tunneled clear text passwords, change to no here!                                        
PasswordAuthentication no                                                                             
#PermitEmptyPasswords no                                                                              
                                                                                                      
# Change to no to disable s/key passwords                                                             
#ChallengeResponseAuthentication yes                                                                  
                                                                                                      
# Kerberos options                                                                                    
#KerberosAuthentication no                                                                            
#KerberosOrLocalPasswd yes                                                                            
#KerberosTicketCleanup yes                                                                            
#KerberosGetAFSToken no      
# GSSAPI options                                                                                      
#GSSAPIAuthentication no                                                                              
#GSSAPICleanupCredentials yes                                                                         
                                                                                                      
# Set this to 'yes' to enable PAM authentication, account processing,                                 
# and session processing. If this is enabled, PAM authentication will                                 
# be allowed through the ChallengeResponseAuthentication and                                          
# PasswordAuthentication.  Depending on your PAM configuration,                                       
# PAM authentication via ChallengeResponseAuthentication may bypass                                   
# the setting of "PermitRootLogin without-password".                                                  
# If you just want the PAM account and session checks to run without                                  
# PAM authentication, then enable this but set PasswordAuthentication                                 
# and ChallengeResponseAuthentication to 'no'.                                                        
#UsePAM no                                                                                            
                                                                                                      
#AllowAgentForwarding yes                                                                             
#AllowTcpForwarding yes                                                                               
#GatewayPorts no                                                                                      
#X11Forwarding no                                                                                     
#X11DisplayOffset 10                                                                                  
#X11UseLocalhost yes                                                                                  
#PermitTTY yes                                                                                        
#PrintMotd yes                                                                                        
#PrintLastLog yes                                                                                     
TCPKeepAlive yes                                                                                      
#UseLogin no                                                                                          
UsePrivilegeSeparation sandbox          # Default for new installations.                              
#PermitUserEnvironment no                                                                             
#Compression delayed 
ClientAliveInterval 60
ClientAliveCountMax 10000      # 60 s x 10000 unanswered probes: a dead client lingers ~7 days before sshd drops it
#UseDNS no                                                                                            
#PidFile /var/run/sshd.pid                                                                            
#MaxStartups 10:30:100                                                                                
#PermitTunnel no                                                                                      
#ChrootDirectory none                                                                                 
#VersionAddendum none                                                                                 
                                                                                                      
# no default banner path                                                                              
#Banner none                                                                                          
                                                                                                      
# override default of no subsystems                                                                   
Subsystem       sftp    /usr/libexec/sftp-server                                                      
                                                                                                      
# Example of overriding settings on a per-user basis                                                  
#Match User anoncvs                                                                                   
#       X11Forwarding no                                                                              
#       AllowTcpForwarding no                                                                         
#       PermitTTY no                                                                                  
#       ForceCommand cvs server 
and I added

Code:
ServerAliveInterval 120
to the end of /etc/ssh/ssh_config (not sure if that is required, but it was my attempt to stop the sshfs links dropping after a period of inactivity. sshd_config's TCPKeepAlive yes is also for that purpose).

So that my OpenBSD box can access FatDog I created ssh keys in OpenBSD using ssh-keygen under userid user, that creates ssh keys in /home/user/.ssh, and copied the public key over to Fatdog and added it to /root/.ssh/authorized_keys. So no password has to be entered when OpenBSD ssh's to Fatdog. That OpenBSD is behind a router so Fatdog can't even see the OpenBSD box. I have a script that runs on OpenBSD as part of default boot that just loops around and sshfs's to fatdog if it 'finds' it, or sleeps for a while before retrying again if it's not found. I did consider using FatDog for that dataserver but had problems finding sftp-server for FatDog that the rsshfs script I use requires. https://github.com/rom1v/rsshfs I did consider reverse ssh'ing from OpenBSD into Fatdog and then running standard sshfs back through that ssh tunnel, but prefer rsshfs as the ssh tunnel is more closed and is less inclined to encrypt twice (more secure IMO as it uses local stdin piping). Also using userid user on OpenBSD does make it more secure if somehow that rsshfs tunnel could be hacked i.e. they drop into user level and would have to privilege elevate on a system (OpenBSD) that is pretty secure and resilient to privilege elevations.

I've probably missed some, but I think that it's pretty much it.
[size=75]( ͡° ͜ʖ ͡°) :wq[/size]
[url=http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256][size=75]Fatdog multi-session usb[/url][/size]
[size=75][url=https://hashbang.sh]echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh[/url][/size]

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#374 Post by rufwoof »

In OpenBSD I have added to /etc/rc.local

Code:
/home/user/fatdog-mount &
where that script contains ...

Code:
#!/bin/sh
# Run the mount loop as the unprivileged user; this wrapper stays root so it can power off/reboot.
su - user /home/user/fatdog-mount-main &
# Poll the shared folder for a shutdown or reboot marker file dropped there from the Fatdog side.
while : ; do
  [ -f /home/user/Music/fatdog/shutdown ] && rm -f /home/user/Music/fatdog/shutdown && shutdown -p now
  [ -f /home/user/Music/fatdog/reboot ] && rm -f /home/user/Music/fatdog/reboot && shutdown -r now
  sleep 10
done
Which basically runs fatdog-mount-main as user and then sits there looking for either a shutdown or reboot file being added in the shared folder tree, and either reboots or shuts down OpenBSD if/when that occurs. So I can 'remotely' control the OpenBSD box to some extent (I tend to only powerup the OBSD box when I need access to data).

The fatdog-mount-main script looks something like ...

Code:
#!/bin/sh
cd /home/user
while :; do
	# Wait until the Fatdog box answers a ping, retrying every minute.
	while :; do
		if ping -c 1 -w 4 192.168.1.4; then
			sleep 60 # give it time, just in case it's only just rebooted
			break
		else
			sleep 60
		fi
	done
	# Reverse-mount /home/user/Music onto Fatdog's /root/acer. rsshfs blocks while
	# the link is up, so when the link drops we loop back to waiting for a ping reply.
	./rsshfs /home/user/Music root@192.168.1.4:/root/acer
done
and fatdog-umount looks something like

Code:
#!/bin/sh
# rsshfs -u asks the remote (Fatdog) side to unmount the mount point over ssh.
cd /home/user
./rsshfs -u user@192.168.1.4:/home/user/fatdog
They're not the latest copies as I've extended them to use domain names instead of hard coded IP addresses.

Some time back I created a ddns (dynamic domain name service) that associates a fixed domain name to a dynamic IP address. Basically involves something like adding a ddns-client that sends your current desktop IP address to their server, that then directs all traffic towards your domain name as provided by them to that IP address. So when using rsshfs with a domain name instead of a local IP address, conceptually that rsshfs should find you no matter where you might be provided you can ssh to that location/IP. Likely some locations would bar ssh at their firewall, but for anywhere that didn't your home data server would connect and mount your data folder at that location.

An alternative might be to use a proxy, an external system that both the data server and your remote/dynamic desktop IP might ssh into, and where that server joined the two (inbound from both merged into a single ssh tunnel in effect). That proxy could be another box alongside the Data server, but where unlike the data server it had ssh traffic being passed through its firewall. More exposed to potentially being hacked, but even if it was then it was still blocked from ssh'ing into the data server.

Each/all of those could conceptually be Fatdog (given an sftp-server version for fatdog). Yes multiple separate machines/boxes, but in the present world boxes can be very small/low electrical power. PC on a USB stick type devices. Whilst you could conceptually combine the two data and proxy servers into a single box, it's best to have physical separation IMO (two boxes). I use a physical router behind which my OpenBSD box sits (old netgear), the OpenBSD data box however could also be a combined router and data server to perform both functions.

And of course that could all be covered by a single FatDog ISO, just booted different ways according to whether it was being used as a desktop, data server or ssh proxy server, and doing so in a way that would only marginally expand the size of the ISO.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#375 Post by rufwoof »

As proof of concept, I reverse sshfs mounted a local data server folder (/DATA) onto another PC's local mount point (/data), and then sshfs mounted that /data folder from another PC as a local mount point ... and the contents were all accessible.

That does involve having to (in effect) ssh from the laptop/desktop to an ssh proxy server in order to have data locally mounted. The main data server however is only outbound (no ports forwarded), so even if the laptop and/or ssh server are breached, then there's still no access to the data server other than what folder content the data server has forwarded (excepting if some clever exploit can somehow drill through the reverse ssh).

Using ssh-keygen and keys based ssh between the laptop and ssh server could be problematic if the remote location was variable (traveling around). Perhaps revert to standard password based ssh access for that leg and have a procedure where the password is changed immediately after each login (server notifies the laptop of the new password via the ssh tunnel immediately after the ssh tunnel has been formed - or even via a mail/sms message).
Attachments
reverse-ssh-with-ssh-proxy.jpg

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#376 Post by rufwoof »

Having used cwm, xlunch and skippy-xd for real activities quite intensively, whilst it's nice/different there are some niggles i.e. it's not as clean/pure as the standard Fatdog desktop. For instance when you reveal skippy-xd and middle mouse to close a window, it sometimes takes 2 clicks. In other cases the screen doesn't correctly repaint (or correctly show windows in skippy-xd i.e. not fully painted) ...etc. Nothing major, but clearly not clean and indicative of some bugs being present. Enough to make me revert back to the standard/default Fatdog desktop.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#377 Post by rufwoof »

Rather than having a Fatdog expanded to include rsshfs ...etc. perhaps it should be a separate version ... maybe just cli/tmux only that boots as a liveCD/mmc/sd-with-ro-toggled 'server' ... to act as an ssh proxy along with maybe http server, ftp server, web cam image server, puppy-phone ...etc type functions. Fundamentally not much more than busybox+ and in Fatdog just add the necessary parts to rsshfs to that.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#378 Post by rufwoof »

Changing rsshfs mounting to use data server user userid (on a box that is behind a firewall with no port forwarding/open ports), to my desktop Fatdog system - using spot userid ... i.e. mount data servers /DATA folder to /home/spot/data ... works fine (after ssh-keygen and creating a /home/spot/.ssh/authorized_keys with the data servers userid user public ssh key).

A usage problem however is that not even Fatdog root can see that /home/spot/data mounted folder content, you have to su spot and then run rox (or whatever) to view those files.

Noticed that spot can su (not particularly good) into root so that's a present workaround, however more ideally spot should be more isolated, (no access to /dev/fb0, not able to su into root).

Local access however isn't that much of an issue i.e. Fatdog root rox not being able to view /home/spot/data (data server's content), as conceptually that would be for remote access to the data server's /DATA folder content. If Fatdog (desktop) has ssh port forwarded/open, then another remote Fatdog boot (laptop) could sshfs mount the home based desktop fatdog's /home/spot/data folder logging in as spot but using root ... which in turn is a mount point reflecting the data server's /DATA folder content.

i.e. assuming 'laptop' running fatdog is remote, 'desktop' running fatdog is at home, server (in my case running openbsd) is also at home, where 'desktop' has ssh port open, openbsd has ssh blocked - and where openbsd has reverse sshfs mounted its /DATA folder to 'desktop' /data folder, then the remote 'laptop' fatdog running as root can

Code:
sshfs spot@IP-of-home-desktop-fatdog:/home/spot/data /DATA
and provided the ssh-keygen's are appropriately set that will have root on the 'laptop' seeing the openbsd's /DATA folder content. 'Desktop' fatdog has in effect become the ssh proxy server for (remote) 'laptop'. And in a manner where the userid's involved are less critical (restricted user on openbsd (data server), spot on 'desktop' (ssh proxy)).

Desktop fatdog would need /etc/eztables.cfg settings of something like

Code:
# Chain for preventing SSH brute-force attacks.
# Permits 10 new connections within 5 minutes from a single host then drops 
# incoming connections from that host. Beyond a burst of 100 connections we 
# log at up to 1 attempt per second to prevent filling of logs.
-N SSHBRUTE
-A SSHBRUTE -m recent --name SSH --set
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
-A SSHBRUTE -j ACCEPT

# Accept worldwide access to SSH and use SSHBRUTE chain for preventing 
# brute-force attacks.
-A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
for remote ssh access to the desktop (why eztables isn't set as auto started in fatdog ??? i.e. you need to enable it at startup in fatdog control panel).

Open ssh server ports do tend to rapidly be blitzed with attack attempts, adding rules to drop repeated attempts from single IPs helps.

Another consideration to keep in mind is that file transfers over ssh aren't quick. Which can be further hampered by dual speed ISP services. My download speeds for instance are around a factor of 20 times quicker than upload speeds, 100Mb download, 5Mb upload type values IIRC. Which would mean a remote laptop system transferring files to/from the data server could see seemingly slow speeds for such transfers. For general use however, opening/saving documents etc. the speeds are generally acceptable.
Last edited by rufwoof on Sun 09 Sep 2018, 11:41, edited 3 times in total.
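Those SSHBRUTE rules are only useful if someone looks at what they log. The script below is an added example, not from the post: a small sh/awk tally of the source addresses that tripped the LOG rule above, run here over constructed /var/log/messages lines (documentation-range addresses, standard iptables LOG target layout with the rule's --log-prefix).

```shell
#!/bin/sh
# Added example (not from the post): summarise what the SSHBRUTE chain above
# logged. Each rate-limited attempt produces one kernel line carrying the
# --log-prefix "iptables[SSH-brute]: " and the usual SRC=/DST= fields.

# Constructed sample in the shape of /var/log/messages; the addresses are
# documentation ranges, not real hosts.
SAMPLE_LOG='Sep  9 11:40:01 fatdog kernel: iptables[SSH-brute]: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.4 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0
Sep  9 11:40:02 fatdog kernel: iptables[SSH-brute]: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.4 PROTO=TCP SPT=51001 DPT=22 SYN URGP=0
Sep  9 11:40:03 fatdog sshd[1234]: Accepted publickey for spot from 198.51.100.9 port 40000 ssh2
Sep  9 11:40:04 fatdog kernel: iptables[SSH-brute]: IN=eth0 OUT= SRC=198.51.100.23 DST=192.168.1.4 PROTO=TCP SPT=4444 DPT=22 SYN URGP=0
Sep  9 11:40:05 fatdog kernel: iptables[SSH-brute]: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.4 PROTO=TCP SPT=51002 DPT=22 SYN URGP=0'

# ssh_brute_hits: read log lines on stdin and print "count source" for every
# source that tripped the SSHBRUTE LOG rule, busiest first. Other lines
# (e.g. sshd's own messages) are ignored.
ssh_brute_hits() {
    awk '
        /iptables\[SSH-brute\]: / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { hits[substr($i, 5)]++; break }
        }
        END { for (s in hits) print hits[s], s }
    ' | sort -rn
}

# ssh_brute_offenders THRESHOLD: sources with at least THRESHOLD logged hits,
# i.e. hosts that kept hammering after the 10-in-300s limit was reached.
ssh_brute_offenders() {
    ssh_brute_hits | awk -v t="$1" '$1 >= t { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | ssh_brute_hits
```

On a real box, feed it with grep 'SSH-brute' /var/log/messages | ssh_brute_offenders 50 to get a short list worth blocking outright or checking against the conntrack table.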

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#379 Post by rufwoof »

Hmm! In Fatdog, su is a busybox login link. How can you restrict access to that from spot? I suspect busybox login should be removed and replaced with a 'proper' version/binary. Denying spot su would seem a wise security precaution/change.

EDIT : Ahh! Just discovered you can chmod go-wrx /bin/su that blocks spot from su'ing (brute force dictionary attacks to identify the root password).

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

fuguita openbsd livecd as a data server for fatdog

#380 Post by rufwoof »

Downloaded an OpenBSD Fuguita liveCD iso image from http://fuguita.org/index.php?FuguIta and burnt that to a DVD. As an alternative you could build your own.

The boot process is self explanatory, mostly requiring pressing Enter other than entering a domain name choice (I just used "cd"), localisation (I used "uk") and a root password (entered twice). Oh, and having to enter 0 to select the 'Normal boot' choice.

With Fatdog running on another PC (192.168.1.4 local LAN IP address), I adjusted that Fatdog's /etc/ssh/sshd_config to look like :

Code:
PermitRootLogin yes
AuthorizedKeysFile	.ssh/authorized_keys
PasswordAuthentication yes
TCPKeepAlive yes
UsePrivilegeSeparation sandbox	
ClientAliveInterval 60
ClientAliveCountMax 10000
Subsystem	sftp	/usr/libexec/sftp-server
(not sure about needing all of those I've just copied my current content as-is), and then use FatDog Control Panel, Manage Services to stop and restart sshd (so the changes come into effect).

I also made a folder /data to use as a mount point

Back on the Fuguita (OpenBSD) box, run ... (I put the code into a script with a #!/bin/sh first line, made the script executable and ran that)

Code:
#!/bin/sh
# Reverse sshfs: the local sftp-server is wired through a FIFO to an sshfs
# running on Fatdog in slave mode, so Fatdog never needs to ssh back here.
fifo=/tmp/rsshfs-$$
rm -f "$fifo"
trap 'rm -f "$fifo"' EXIT INT TERM   # don't leave the FIFO behind on ctrl-c
mkfifo -m600 "$fifo" &&
    < "$fifo" /usr/libexec/sftp-server |
               ssh root@192.168.1.4 sshfs -o slave :/root /data > "$fifo"
rm -f "$fifo"
and that mounts /root on the Fuguita/OpenBSD box to /data on Fatdog (change the folders and root@192.168.1.4 as appropriate/needed). That will just sit there keeping the connection alive until you ctrl-c exit when the link will drop. If you put the script into the background then you can drop the link by running

Code:
ssh 192.168.1.4 fusermount -u /data
or suchlike from the OpenBSD box.

Mounting stuff in OpenBSD typically involves running sysctl hw.disknames to get a clue about what name a local HDD might have, usually indicates something like sd0 or wd0. Having identified the name you can inspect how that disk is sliced/partitioned using disklabel wd0 (or whatever disk name identified earlier). For my OpenBSD HDD installed system for instance slice/partition k is where my user userid files are so I mounted that using mkdir mp;mount /dev/wd0k mp

For sd/mmc cards (or USB's) you can usually get the name using dmesg | grep mmc or suchlike and disklabel ... mount etc in a similar manner.

With the above setup you might opt to only mount rw devices to the OpenBSD box, which by default is secure. But then share (reverse sshfs mount) any of those folders to a Fatdog mountpoint, but where Fatdog can't ssh into the OpenBSD box. i.e. selectively pick which folders/data you potentially put at risk that Fatdog can use, and if a hacker gains remote control over Fatdog they are limited to what data they can see/damage. I ran the above using a Fatdog liveCD boot also.

Running liveCD's (ro media) with your data isolated/more secure, the likes of ransomware attacks have finite potential, especially if you keep regular backups of your fatdog shared folder(s) as copies in other OpenBSD folders - that aren't accessible to Fatdog. Would also be wise however to also periodically make/keep disconnected/off-site copies of those backups.

PS : If you do open up your main firewall/router to allow ssh access from the WAN to your home fatdog system (perhaps to sshfs mount your home fatdog's /data folder i.e. openbsd folder content), then don't forget to enable eztables (firewall) and perhaps add rules such as outlined in http://murga-linux.com/puppy/viewtopic. ... 27#1004027
Last edited by rufwoof on Sun 09 Sep 2018, 11:41, edited 1 time in total.
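The sshd_config in this post is pasted as-is with the note that not all of it may be needed. The script below is an added example, not part of the post: a sh/awk checker that prints what sshd will actually use from such a file (OpenSSH takes the first occurrence of a keyword, and settings after the first Match line are conditional, so the check stops there) and flags the settings that widen exposure once the box is reachable over ssh from the WAN. The config text is a constructed copy of the post's lines plus a duplicate keyword and a Match block to exercise those rules.

```shell
#!/bin/sh
# Added example (not from the post): report the values sshd actually uses
# from a config like the one above and flag the exposure-widening ones.
# Assumes OpenSSH's rule that the first occurrence of a keyword wins and
# that everything after the first "Match" line is conditional (skipped here).

# Constructed config: the post's lines plus a later duplicate that sshd
# ignores and a Match block whose settings only apply conditionally.
SAMPLE_SSHD_CONFIG='PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
#PasswordAuthentication no
TCPKeepAlive yes
UsePrivilegeSeparation sandbox
ClientAliveInterval 60
ClientAliveCountMax 10000
Subsystem sftp /usr/libexec/sftp-server
PermitRootLogin no
Match User anoncvs
    PasswordAuthentication no'

# sshd_effective KEYWORD: print the effective value of KEYWORD (keywords are
# case-insensitive) from the config on stdin; prints nothing if it is unset.
sshd_effective() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        tolower($1) == "match" { exit }         # conditional section: stop
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    '
}

# value_in KEYWORD CONFIG_TEXT: convenience wrapper around sshd_effective.
value_in() { printf '%s\n' "$2" | sshd_effective "$1"; }

# sshd_audit: one finding per line for settings that the setup in this thread
# (key-based logins, host reachable over ssh) argues against. Reads the config
# on stdin and always exits 0; the findings are the output.
sshd_audit() {
    cfg=$(cat)
    [ "$(value_in PermitRootLogin "$cfg")" = "yes" ] &&
        echo "PermitRootLogin yes: root is a password target; prohibit-password keeps the key-based login working"
    [ "$(value_in PasswordAuthentication "$cfg")" != "no" ] &&
        echo "PasswordAuthentication not disabled: keys are already in authorized_keys, so set it to no"
    n=$(value_in ClientAliveCountMax "$cfg")
    i=$(value_in ClientAliveInterval "$cfg"); i=${i:-0}   # sshd default is 0 (off)
    [ -n "$n" ] && [ "$i" -gt 0 ] && [ "$n" -gt 3 ] &&
        echo "ClientAliveCountMax $n: an unresponsive client is kept for up to $((n * i))s"
    return 0
}

printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_audit
```

Run it against the live file with sshd_audit < /etc/ssh/sshd_config; the ClientAlive finding is the trade-off the thread accepts to keep idle sshfs links up, the other two are what to change once port 22 is forwarded.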