Active Topics

 



Notices


Reply
Thread Tools
Posts: 61 | Thanked: 60 times | Joined on Jul 2007 @ Erlangen
#1
Hi,

I was asked on how this is done, so I thought i put some small guide on setting this up.

I'll use the term 'N900->' for commands run on the N900 and 'Laptop->' to indicated commands run on the computer you want to connect from to the N900.

I do not have the slightest idea how this would be done on a windows computer (last time i used one was 1999 , so this guide is assuming a linux OS on the computer. I'm pretty sure this can be done very similar on windows as well, I just have not the slightest bit experience there, so maybe someone else can add this information

To understand the public key authentication scheme I'll try to describe it briefly. First you create a pair of a private and a public key. These two keys are mathematically linked.
Now the private key resides on your local machine while the public key gets copied to systems that you want to connect to using ssh. Having this configured, you now don't send a password over the network but the public/private key pair is used to authenticate you.

You have the ability to encrypt the private key on your local system. In this case you still need to enter a pass phrase when logging in in, this however never leaves your system but only is used to make the private key accessible so the authentication using the public key from remote can succeed.

So what did I do to set it up (I have done this already some time ago, so some things i have to write out of my head, apologies for any mistakes and thanks for possible corrections)

0. Install ssh server

Create a password for the root user upon installation of the ssh server and remember it
Also note the ip address of the N900 so you can ssh into it to set everything up. You can do so as user by running
/sbin/ifconfig
in the X terminal. You should be connected to wlan - then there will be an ip address in the output you'll get


1. Create a private / public key pair

Do this on your laptop as the user on the laptop that you later want to be able to login to the N900.

Laptop-> ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/someuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/someuser/.ssh/id_rsa.
Your public key has been saved in /home/someuser/.ssh/id_rsa.pub.
The key fingerprint is:
e8:a4:a5:81:1d:d6:81:51:8c:e2:98:73:01:e4:79:90 chuller@skaro
The key's randomart image is:
+--[ RSA 2048]----+
|o+. .*o |
|.E= o... |
| * +o . |
|+ ++ . . |
| o. o + S |
| B |
| o . |
| |
| |
+-----------------+


you can set a pass phrase to make the private key secure, however if left empty one gets the convenience of a password less login. I think it depends on how trusted and secure the laptop generally is you are working on.

Now you have two keys created in your home inside the directory .ssh:
id_rsa this is your secret key. It has to remain on you local computer. Make sure nobody can ever access it.
id_rsa.pub this is your public key. It will be copied to the remote systems that you want to ssh into.



2. Copying the public key to your N900:

Not sure what your preffered method would be, but now you have to copy the content of the public key into this file on your N900:

/home/user/.ssh/authorized_keys

I did it this way (149.44.171.3 is the ip address of my n900 at the time i write this):

Laptop-> scp ~/.ssh/id_rsa.pub root@149.44.171.3:/home/user/
Laptop-> ssh root@149.44.171.3

root@149.44.171.3's password:

Now enter the root password configured upon ssh installation and you will get logged into the n900. To add the public key to the list of authorized keys do the following:

root@N900-> su - user
user@N900-> cd ~/.ssh
user@N900-> cat ../id_rsa.pub >> authorized_keys
user@N900-> chmod 600 authorized_keys
user@N900-> ~/.ssh $ rm ../id_dsa.pub

rm: remove '../id_dsa.pub'? y
user@N900-> exit

Now the keys are in place and the public key based login is setup for ssh.


3. Next you have to enable the login for the user. One way is to set a password for him, or by editing /etc/passwd. The easy way is to simply set a password for the user:

3a. Setting password for the N900 user

root@N900-> passwd user
Changing password for user
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
New password:
Re-enter new password:
Password changed.


However, I prefer to not do so and just enable the login for the user by editing the /etc/passwd:

3b. ONLY DO THIS IF YOU KNOW HOW TO USE VI

Enabling user login by editing /etc/passwd (I strongly recommend to NOT do this until you know how to handle vi and what you generally are doing!!!):

N900-> vi /etc/passwd
now look for the line starting with 'user'
in that line, replace the '!' in that line by a '*'
In my case i changed the line
user:!:29999:29999::/home/user:/bin/sh
to
user:*:29999:29999::/home/user:/bin/sh

If you have set a password for the user already, instead of the "!", you will see the some characters, that is the encrypted password for the user. In this case replace the characters by an "*"

Also here you can remove the root password that was set before when installing ssh if you want to.

/ONLY DO THIS IF YOU KNOW HOW TO USE VI/

4. Test and disable password based logins

The test is pretty easy, just try as the user on the laptop you created the keys with (in the following command do not replae 'user' by anything, you actually want to become the user 'user' on the N900):

Laptop-> ssh user@149.44.171.3

If everything went well, you now get asked not for the users password but for the pass phrase set upon creating the key pair in the beginning. If you left that empty you now can login to the N900 without having to enter any password.

If this works, I recommend to disable the password based authentication on the device. Again, this step involves editing system files in the device as root, so if you are not sure about this, DO NOT DO IT or ask somebody who knows about such things to help you:

root@N900 -> vi /etc/ssh/sshd_config

Search for these lines:
# Change to no to disable tunnelled clear text passwords
# PasswordAuthentication yes


and change them to
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no


Save the file and then restart sshd:
root@N900-> /etc/init.d/ssh restart

Logout and try to login as root again. If all is right the output now will look like this:
N900-> ssh root@149.44.171.3
Permission denied (publickey).

Try to login as user@149.44.171.3 and it will still work, as you have the public key on the device.

Be aware that you now can only login as the user that created the key from the machine you created the key on. If you have more users or computers you would like to access the device with, you need to repeat the steps from above.
__________________
things we learned from movies
38) No matter how badly a spaceship is attacked, its internal gravity system is never damaged.

Last edited by greygoo; 2010-01-20 at 20:13.
 

The Following 21 Users Say Thank You to greygoo For This Useful Post:
SubCore's Avatar
Posts: 850 | Thanked: 626 times | Joined on Sep 2009 @ Vienna, Austria
#2
very nice howto, thanks for the work!

just one suggestion

this:
Originally Posted by greygoo View Post
user@N900-> if [ ! -e authorized_keys ]; then touch authorized_keys; fi
isn't really necessary, the file should be created automatically when piping into it.

this should be enough (order reversed for chmod):
user@N900-> cat ../id_rsa.pub >> authorized_keys
user@N900-> chmod 600 authorized_keys
__________________
"What we perceive is not nature itself, but nature exposed to our method of questioning."
-- Werner Karl Heisenberg
 

The Following User Says Thank You to SubCore For This Useful Post:
Posts: 61 | Thanked: 60 times | Joined on Jul 2007 @ Erlangen
#3
Originally Posted by SubCore View Post
very nice howto, thanks for the work!

just one suggestion

this:

isn't really necessary, the file should be created automatically when piping into it.

this should be enough (order reversed for chmod):
Right - i took the command out of an old script i have, removing the obsolete line
__________________
things we learned from movies
38) No matter how badly a spaceship is attacked, its internal gravity system is never damaged.
 
Posts: 28 | Thanked: 12 times | Joined on Jan 2010 @ germany
#4
For part 2, you can use ssh-copy-id

ssh-copy-id user@noknok_ip
it will ask for your password and do all the job


Also as you said, if you disable password authentication, well, from another machine, you wont' be able anymore to connect to copy your pub key.. chicken and egg problem.
 
jaeezzy's Avatar
Posts: 664 | Thanked: 160 times | Joined on Jul 2008 @ Australia
#5
@greygoo: thanks for this how-to. I would be very grateful if you could also write how-to on remotely accessing ssh server in a Debian(laptop/desktop) system from n900(ssh client) or remote ssh'ing between two n900s in different network if possible. thanks
 
Posts: 61 | Thanked: 60 times | Joined on Jul 2007 @ Erlangen
#6
Well, basically you only need to exchange 'laptop' and 'N900' in the guide and leave away step 3. When I sat it up the first time i accidently did it this way round, so identical commands can be used.
__________________
things we learned from movies
38) No matter how badly a spaceship is attacked, its internal gravity system is never damaged.
 
Posts: 138 | Thanked: 59 times | Joined on Jun 2007
#7
Thanks for the howto!

I followed your steps but when I try to login I get a message
Code:
Agent admitted failure to sign using the key.
and I have to enter the password manually. Terminal output doesn't tell much more either.

[EDIT]: Seems a reboot solved my problem.

Last edited by borghal; 2010-02-05 at 23:58.
 
Posts: 125 | Thanked: 108 times | Joined on Feb 2010
#8
I think such well written HOW-TOs should be collected into one dedicated thread in order to make finding them easier. Such a gem!
 
Posts: 67 | Thanked: 28 times | Joined on Oct 2009 @ Switzerland
#9
Originally Posted by rm53 View Post
I think such well written HOW-TOs should be collected into one dedicated thread in order to make finding them easier. Such a gem!
Or maybe in the wiki? At least, that's where I'd look for it.
 
Posts: 9 | Thanked: 8 times | Joined on Feb 2010
#10
There is also an easy way to connect to your n900 remotely when you have set everything up according to greygoo's howto. What you need is a fixed ip and a ssh server on your laptop's side. This might also work with some dyndns service, but I'm not sure of that, since I have never tested it with dyndns.

Just open a remote tunnel from your n900 to the server running on your laptop:

ssh -i yourkey -R localhost:3333:localhost:22 someuser@server.ip

The good part is that this tunnel works regardsless of the ip of n900 (that is: you don't have to know it) and the tunnel works well even over gprs connection.

to connect to n900 from your laptop:

ssh -p 3333 user@localhost

Now all that is left to do to be able to connect to your n900 when it is e.g. lost, is to set up a daemon to connect to the server periodically or to setup autossh (don't know if autossh is available for n900) to keep the tunnel open at all times.

Oh, I forgot to mention this:
Before you can use the reverse tunnel to connect to n900 without password (the -i yourkey part above) you need to create a keypair on the n900 and copy n900's public key to the laptop's authorized_keys file:

on n900 do:

ssh-keygen -t rsa

scp id_rsa.pub someuser@server.ip:./ssh/n900.pub

on the laptop do:

cd .ssh/

cat n900.pub >> authorized_keys

propelli

Last edited by propelli; 2010-02-21 at 18:23.
 
Reply

Tags
public key, ssh


 
Forum Jump


All times are GMT. The time now is 22:20.