danramos's Avatar
Posts: 4,672 | Thanked: 5,455 times | Joined on Jul 2008 @ Springfield, MA, USA
#11
Originally Posted by iamthewalrus View Post
Maybe by restarting the daemon I turn off wireless powersaving. I never really checked if the daemon is actually running.
I'm pretty sure it is because ssh'ing to localhost NEVER fails for me--even if an outside host tries to connect... which confirms that the daemon is running regardless of the wifi status (since it never leaves the local TCP/IP stack).
 
Posts: 4,556 | Thanked: 1,624 times | Joined on Dec 2007
#12
Would it be better to create a user account for ssh? Right now I just use the root account along with the password.

Also, can anyone point me to a good guide for generating and setting up certificates for extra security? (I've seen the ones on Ubuntu and such but the whole private/public key confuses me.. like which goes on which PC/tablet). I want the server to be my tablet (since I primarily use ssh for transferring files wirelessly).
__________________
Originally Posted by ysss View Post
They're maemo and MeeGo...

"Meamo!" sounds like what Zorro would say to catherine zeta jones... after she slaps him for looking at her dirtily...
 
brendan's Avatar
Posts: 531 | Thanked: 79 times | Joined on Oct 2006 @ This side of insane, that side of genius
#13
Originally Posted by Laughing Man View Post
Would it be better to create a user account for ssh? Right now I just use the root account along with the password.

Also, can anyone point me to a good guide for generating and setting up certificates for extra security? (I've seen the ones on Ubuntu and such but the whole private/public key confuses me.. like which goes on which PC/tablet). I want the server to be my tablet (since I primarily use ssh for transferring files wirelessly).
ssh-keygen
ssh-copy-id

both are installed on the NIT.

final result should be a file: /home/user/.ssh/authorized_keys. the folder /home/user/.ssh/ should be chmod'ed 700 and the file /home/user/.ssh/authorized_keys should be chmod'ed 600.
__________________
Nokia n800
OS 2008
Pharos iGPS 360-BT
ElmScan 5 BlueTooth
BlackBerry Bold (9000)
AT&T Wireless
 
danramos's Avatar
Posts: 4,672 | Thanked: 5,455 times | Joined on Jul 2008 @ Springfield, MA, USA
#14
As far as I know, it's not really set up to handle multiple users aside from 'root' and 'user', and I'm not sure I can see the point since all the interface and.. pretty much everything, assumes you're doing things as 'user'.. so even SD cards are owned to 'user' for example.

When you say 'certificates', do you mean ssh keys? (I always had it in my mind that a certificate was something set up on a third party server to act as a third vector in an authentication scheme.. maybe I didn't have that terminology right? Can anyone verify the usage of the term for me?)

As far as ssh keys go, it's technically more secure than using only password authentication over ssh, as I recall. This is pretty easy to do but there are a lot of steps if you're new to it. Since I've done it routinely, in my mind it's as easy as 1) generate key pair 2) connect to the remote side 3) append my public key into the .ssh/authorized_keys file

Here's the details of how to do it, for the inexperienced in ssh keypairs:

On the side that is going to ssh out to the tablet, I'm assuming you have some kind of ssh command line client like OpenSSH, run the command:

ssh-keygen -t rsa

...to create an RSA style pair of key files (there's also dsa but RSA has more bits involved and so is more secure).

It will ask you for a filename to save the rsa key as. You can just hit enter to accept the standard default location and filename (usually your .ssh hidden directory). Take note of the path and name of the key, though. You will need it soon.

Then it will ask you to enter an optional password... you can enter one if you want that extra notch of extra security but it's not necessary nor much better. You can just hit ENTER twice to leave it empty.

Once that's completed, go to the path of your key and you should see a pair of keys (one is the key you generated--called a private key, the other is one that you can drop into remote systems you want to log into--called a public key).

NOTE: If you open the public key in a text editor, you should see a bunch of readable text along with a big block of garbled text in the middle. If you see this, you're on the right path!

Now, assuming your tablet has the IP address of 192.168.0.5 on your network and your public key file is named id_rsa.pub, from here you can just paste or type in this line (I'll explain what it does in a moment):

cat id_rsa.pub | ssh user@192.168.0.5 'cd /home/user; mkdir .ssh; chmod 700 .ssh;cd .ssh; cat >> authorized_keys; chmod 600 authorized_keys'

What I do here is first print the contents of the public key out--but not to the screen, the | symbol is a pipe which means I'm passing the stream of text to the next command--which is ssh. ssh remotely connects to the tablet and goes on to run the commands between the quotes. I tell the tablet side to go to the user's home as the working path ('cd /home/user', I preferred not to assume I'm already in the home). Then create a .ssh directory (if it already exists, it'll error--which is fine). Then set permissions correctly so SSH will work with the .ssh path (read and write ONLY for the 'user' account). Then I go into .ssh and I append (that's the >>) whatever is being piped to ssh (the public key) onto the end of an authorized_keys file--if the file doesn't already exist, it'll be created). Lastly, I set correct permissions on that file as well. Once that's all done, ssh will just end the session.

Now, you should be able to just 'ssh user@192.168.0.5' to get into your tablet and magically get a shell without being asked for your password.
 
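The server-side steps described in the posts above (create .ssh with mode 700, append the public key to authorized_keys with mode 600), as an added example that is not part of the original thread: shell functions meant to run on the machine being logged into (the tablet here). The names install_pubkey, mode_of, perms_ok and demo are hypothetical, and the key line used in demo is constructed, not a real key.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE HOME_DIR  (hypothetical helper, not from the thread)
install_pubkey() {
    pub=$1; home=$2
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 2; }
    # Refuse the private half: only the .pub file ever leaves the client.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a private key; it stays on the client" >&2
        return 3
    fi
    # A public key is one line: key type, base64 blob, optional comment.
    line=$(head -n 1 "$pub")
    case $line in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "$pub does not look like an OpenSSH public key" >&2; return 4 ;;
    esac
    # mkdir -p does not fail when .ssh already exists.
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 5
    auth=$home/.ssh/authorized_keys
    touch "$auth" && chmod 600 "$auth" || return 5
    # Append only if this exact line is not present, so reruns add nothing.
    grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
}

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Succeeds only when .ssh is 700 and authorized_keys is 600.
perms_ok() {
    [ "$(mode_of "$1/.ssh")" = 700 ] &&
        [ "$(mode_of "$1/.ssh/authorized_keys")" = 600 ]
}

# Demo on a throwaway directory with a constructed (not real) key line:
# installs the same key twice and prints how many lines ended up in the file.
demo() {
    t=$(mktemp -d) || return 1
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedSAMPLE laptop@example' \
        > "$t/id_rsa.pub"
    install_pubkey "$t/id_rsa.pub" "$t/home" &&
        install_pubkey "$t/id_rsa.pub" "$t/home" || return 1
    perms_ok "$t/home" && wc -l < "$t/home/.ssh/authorized_keys"
    rm -rf "$t"
}
```
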
danramos's Avatar
Posts: 4,672 | Thanked: 5,455 times | Joined on Jul 2008 @ Springfield, MA, USA
#15
Originally Posted by brendan View Post
ssh-keygen
ssh-copy-id

both are installed on the NIT.

final result should be a file: /home/user/.ssh/authorized_keys. the folder /home/user/.ssh/ should be chmod'ed 700 and the file /home/user/.ssh/authorized_keys should be chmod'ed 600.
Live and learn--I actually had never known about ssh-copy-id and did it manually each time. I guess I sort of still have to in some cases since I work with many flavors of UNIX for work (AIX, Solaris, etc.) and not everything runs OpenSSH as the SSH server and client.

Thanks for that info, though!!
 
Posts: 4,556 | Thanked: 1,624 times | Joined on Dec 2007
#16
Yeah I meant keys. I guess there's no point in setting up a user then. I'll just keep using root to login.
 
Posts: 566 | Thanked: 150 times | Joined on Dec 2007
#17
This may be obvious, but a downside of using a keypair is that anyone who finds or steals your tablet has access to your pc as well.
 
Posts: 4,556 | Thanked: 1,624 times | Joined on Dec 2007
#18
Ah true. Though would that only be if the PC were the server and not the tablet?
 
Posts: 4,556 | Thanked: 1,624 times | Joined on Dec 2007
#19
Ok I've gotten around to messing with this again. And I have several questions..

ssh-copy-id

What do I do with this command? The Ubuntu wiki says

"Assuming the remote Ubuntu computers you wish to use the keys for have running ssh daemons already, then locating your public portion of the key pair on those machines is quite simple. For example, if you'd like to begin using key-based logins as user username on a remote machine named host, and host is running sshd, and reachable by name on your network, simply use the ssh-copy-id command to properly locate your key:

ssh-copy-id -i ~/.ssh/id_rsa.pub username@host"

So username@host would be something like root@N800. Correct? But from where do I issue the command? My desktop/laptop (clients) or my tablet? (host?). And does this copy the ID onto whatever computer I need it on?


@danramos, I tried following your instructions though I didn't want to set an IP address. I'm going to leave my desktop at home this year, and just bring my laptop with me to college so I'd need the ability to connect to it from my desktop or laptop depending on which network I am on. (at home, desktop. at college, my laptop).

And if I'm already logging into root via ssh, how would I switch it to the more secure key+ password? And how would this affect programs such as winscp or the Ubuntu Nautilus file manager?
 
danramos's Avatar
Posts: 4,672 | Thanked: 5,455 times | Joined on Jul 2008 @ Springfield, MA, USA
#20
Originally Posted by Laughing Man View Post
Yeah I meant keys. I guess there's no point in setting up a user then. I'll just keep using root to login.
Don't use root. Like I'd pointed out, you really should log in as root and change the root and user passwords.. then, from then on, log in as 'user'. ONLY log in as root if you intend to do something that needs root permission (apt-get, for example). Avoid running as root as much as you possibly can.

Originally Posted by iamthewalrus View Post
This may be obvious, but a downside of using a keypair is that anyone who finds or steals your tablet has access to your pc as well.
Not necessarily. If someone has stolen your tablet or if you suspect any kind of abuse, you can tell the ssh server on your laptop or desktop to regenerate private server-side keys so that anyone logging in needs new keys to connect to it.
 