Merge pull request #416 from cdg123/master

Created a new wiki article to explain setup of SSH using keys and no passwords
pull/419/head
Signor Pellegrino 2024-10-07 14:11:35 +03:00 committed by GitHub
commit b9f1f11563
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 142 additions and 30 deletions

View File

@ -105,6 +105,10 @@ For a camera with 16MB flash chip, run
sf probe 0; sf erase 0xd50000 0x2b0000; reset
```
### How to connect to camera with SSH using keys / no password
See seperate wiki page [here](en/sshusingkeys.md)
### How to find information about the camera hardware and software?
Sign in on camera via `ssh` and run `ipctool`.
@ -194,36 +198,6 @@ Make sure to use your own IP address and path to the NFS share!
strings dumpfile.bin | grep ^ethaddr
```
### How to configure ssh session authorization by key
__On the camera__: Sign in into web UI on port 85 of your camera.
```bash
passwd
```
__On the desktop__: Copy the public key to the camera by logging in with the
password created above.
```bash
ssh-copy-id root@192.168.1.66
```
__On the camera__: Create a `.ssh` folder in the root user's home directory
and copy the file with the authorized keystore into it.
```bash
mkdir ~/.ssh
cp /etc/dropbear/authorized_keys ~/.ssh/
```
__On the desktop__: Open a new session to verify that the authorization is
passed using the public key not requesting a password.
```bash
ssh root@192.168.1.66
```
### Majestic
#### How to get a memory dump for debugging?

138
en/sshusingkeys.md 100644
View File

@ -0,0 +1,138 @@
# OpenIPC Wiki
[Table of Content](../README.md)
SSH access using public key authentication
==========================================
## Introduction
OpenIPC uses a package called Dropbear for managing **S**ecure **SH**ell (SSH) client connections. By default this is configured to use the root username and associated password however it can be made both more secure and simpler by making it passwordless.
If you are new to understanding SSH and PKI then it is suggested you read the ssh guide [here](https://www.ssh.com/academy/ssh) for a full understanding however unless you need to debug why connections are failing or some other in depth issue then the basic understanding of the terms client, server and keys should be sufficient.
The term PKI is used to describe all of the elements used for creating a secure encrypted connection between two devices. These devices are referred to as clients or servers. In simple terms the target machine you are connecting to is the server and the host machine you are connecting from is the client.
To create a secure connection your client is setup with a 'private' key and each server you access is setup with a matching 'public' key. The public key is exchanged during the connection process and tested to make sure it matches with the private key.
Your private key is the only thing that can decrypt data that has been encoded with the matching public key hence why your private key must be safely guarded and the public key part is what we share.
In the initial connection phase there is also a check that the server is the correct device and so these identities are stored in a 'known_hosts' file.
There are many algorithms that have been implemented over the years to ensure connections are extremely hard to break into and so with modern computing power this has meant some of the earlier ones are no longer supported. Modern popular public key encryption standards include RSA (RivestShamirAdleman) and EdDSA (Edwards-curve Digital Signature Algorithm).
This article has been written on how to achieve this using the standard SSH clients included with most modern Linux and Windows distributions i.e. OpenSSH.
## OpenIPC camera with public key (most common setup)
For the most common configuration we first need to generate a key pair and securely get our key to the camera into the authorized_key file.
#### Step 1: connect to the camera
Establish a terminal connection to the camera using the traditional way with your current root password (as per the Majestic web login) e.g. ``` ssh root@<camera_ip_address> ```
#### Step 2: check there is a symlink to the dropbear files
When using SSH there are two key files, authorized_keys and known_hosts, which are expected to be found in the users home **.ssh** directory in both Windows and Linux systems.
As OpenIPC uses Dropbear, and not OpenSSH, these files are actually located in the cameras **/etc/dropbear** directory and so there is a link in the **root user home directory (/root)** that points to the required files and will look like this **.ssh -> /etc/dropbear/**.
If this is missing then it is critical to recreate it with the command **ln -s ~/.ssh /etc/dropbear**
Logout again from the camera.
#### Step 3: create a key pair
To create our private and public key pair we use **ssh-keygen**. This gives us options on what type of key to create and it is recommended you use either the RSA or EdDSA type with EdDSA being the newest and potentially will take longer to break than the older RSA format.
To create the key pair on your **client** machine open a terminal window enter ```ssh-keygen -t ed25519``` .
You will be prompted with a few questions, simply press enter to accept the defaults.
You should see an output similar to this.
```Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/<yourusername>/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/<yourusername>/.ssh/id_ed25519
Your public key has been saved in /home/<yourusername>/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:caaCz/2+eXiIbIPTkIo0/1+7njo8+7tHzaVVA4gworc <yourusername>@<yourmachinename>
The key's randomart image is:
+--[ED25519 256]--+
| . o. . ... |
| . . .. . ..|
| . . . o o|
| ... = o|
| .E..S o + |
| o ooo . + |
| . + .o*...+ |
| . o o Xoo++ |
| ..++X&O |
+----[SHA256]-----+
```
If using windows then you will see /users/<yourusername> instead of the Linux /home/xxx format.
#### Step 4: get the public key on the camera
So we now have a private key and the associated public key on our host machine and the challenge is how to securely get this onto our target, in this case our camera, and added to the authorized_keys file in the target .ssd folder.
Thankfully this has been thought of and there is a utility called ssh-copy-id which allows us to do that.
Enter the following substituting your camera ip address and username:
```
ssh-copy-id -i /home/<yourusername>/.ssh/id_ed25519 root@<camera_ip_address>
```
You should get the following
```ssh-copy-id -i /home/<yourusername>/.ssh/id_ed25519 root@<camera_ip_address>
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/<yourusername>/.ssh/id_ed25519.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@<yourcameraip>'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@<camera_ip_address>'"
and check to make sure that only the key(s) you wanted were added.
```
Now test it is working by trying to access the camera. You should find it will successfully login without asking for a password.
```~$ ssh root@<camera_ip_address>
.d88888b. 8888888 8888888b. .d8888b.
d88P" "Y88b 888 888 Y88b d88P Y88b
888 888 888 888 888 888 888
888 888 88888b. .d88b. 88888b. 888 888 d88P 888
888 888 888 "88b d8P Y8b 888 "88b 888 8888888P" 888
888 888 888 888 88888888 888 888 888 888 888 888
Y88b. .d88P 888 d88P Y8b. 888 888 888 888 Y88b d88P
"Y88888P" 88888P" "Y8888 888 888 8888888 888 "Y8888P"
888
888
888 local+build, 2024-10-04
Please help the OpenIPC Project to cover the cost of development and
long-term maintenance of what we believe is going to become a stable,
flexible Open IP Network Camera Framework for users worldwide.
Your contributions could help us to advance the development and keep
you updated on improvements and new features more regularly.
Please visit https://openipc.org/sponsor/ to learn more. Thank you.
root@openipc-hi3516ev300:~#
````
Now if you enter ```cd .ssh``` and ```ls -la``` you will see similar to the following
```
drwxr-xr-x 1 root root 0 Oct 4 14:54 .
drwxr-xr-x 1 root root 0 Oct 4 12:28 ..
-rw------- 1 root root 101 Oct 4 14:54 authorized_keys
-rw------- 1 root root 83 Oct 4 12:29 dropbear_ed25519_host_key
```
#### Step 4: Troubleshooting
There are few reasons why if you have followed the above that this will not work however the main issue faced is if for some reason the permissions are not correct on the .ssh folder and the files within it.
Ensure the .ssh folder has 700 permissions and the authorized_keys file 600 or similar in Windows, only your user and administrators have permission.
To get a clue how to resolve issues then when entering the ssh command add -vvv which gives verbose debug output and usually will highlight where things are failing.
#### Finally
Remember the private key should never be duplicated or moved.