You have just received your gift: a raspberry pi zero w. How lucky you are! The raspberry has a wifi chipset, Bluetooth and an HDMI output. There are also two micro-usb ports: one is for power via a micro-usb -> usb cable (not supplied), the other one can be used to connect a usb stick for extra storage, or a usb hub (not supplied) to be able to connect several usb devices including a keyboard and a mouse (not supplied). The raspberry comes with 16GB of disk space.
There are two modes of operation:
As a first complementary reading, I would like to mention a page related to machine learning on the Raspberry pi zero: http://www.acgeospatial.co.uk/raspberry-pi-zero-processing-images/
As a second complementary reading, I recommend the page related to compiling GCC 10.2.1 (latest version of GCC as of April 1, 2021) on a Raspberry: https://solarianprogrammer.com/2018/05/06/building-gcc-cross-compiler-raspberry-pi/. To save time, I can pass you an archive to install the GCC distribution under /opt on the raspberry pi zero w. Otherwise it will take 5 days to compile the GCC sources!
Let's go back to the problems of the installation and secure access to the raspberry pi zero w. To set up your device, read the online tutorial. You also need to configure the wifi, once the SD card has been flashed. For that, open the file /etc/wpa_supplicant/wpa_supplicant.conf, located in the rootfs directory of your SD card, and give some information about your access points. For editing you need to be root. I'm guessing you are dealing with Linux. Here is an example where I declared two wifi access points. The first one, with priority=1, is for my home network with the Orange provider. The second one, with priority=2, is for my Apple iPhone, as the access point:
pi@raspberrypi:~ $ sudo cat /etc/wpa_supplicant/wpa_supplicant.conf
country=FR
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
	ssid="Livebox-ee94"
	psk="xxxxxxxxxxxxx"
	priority=1
}

network={
	ssid="iPhoneDeChristophe"
	psk="xxxxxxxxxx"
	id_str="iPhoneDeChristophe"
	priority=2
}
pi@raspberrypi:~ $
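The quoted psk= lines above store the wifi passphrase in clear text on the SD card. As an added example (not from the original page), this Python helper derives the 256-bit PSK the way wpa_passphrase does (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds) and renders a network block carrying the hex PSK instead of the passphrase; the SSIDs and passphrases in the code are constructed placeholders.

```python
import hashlib


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Derive the WPA/WPA2-Personal PSK from a passphrase exactly as wpa_passphrase does:
    PBKDF2-HMAC-SHA1(passphrase, salt=ssid, 4096 iterations, 32 bytes), as 64 hex chars."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters")
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        raise ValueError("an SSID is 1 to 32 bytes")
    raw = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)
    return raw.hex()


def network_block(ssid, passphrase, priority, id_str=None):
    """Render one wpa_supplicant.conf network={...} block.
    The SSID is written quoted when it is plain printable ASCII without quotes, otherwise as a
    hex string (wpa_supplicant accepts both forms). The psk= value is always the unquoted
    64-hex derived key: wpa_supplicant treats an unquoted 64-hex psk as the raw PSK."""
    if ssid.isascii() and ssid.isprintable() and '"' not in ssid:
        ssid_line = f'\tssid="{ssid}"'
    else:
        ssid_line = f"\tssid={ssid.encode('utf-8').hex()}"
    lines = ["network={", ssid_line, f"\tpsk={wpa_psk(ssid, passphrase)}"]
    if id_str is not None:
        lines.append(f'\tid_str="{id_str}"')
    lines.append(f"\tpriority={int(priority)}")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed placeholder access points; substitute your own SSIDs and passphrases.
    print(network_block("home-ap-example", "CorrectHorseBatteryStaple", 1))
    print(network_block("phone-ap-example", "another-example-passphrase", 2, id_str="phone"))
```

The hex PSK is still enough to join that network, so the file must stay root-only; what it no longer exposes is a human passphrase that may be reused elsewhere.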
Then, please, reboot your Raspberry pi zero w. After that, to connect to the device, you first run the command ssh-keygen -R raspberrypi.local on your host computer (here my personal MacBookPro). The command removes (-R hostname flag) all keys belonging to hostname from the known_hosts file. This is just for the purpose of cleaning. Note also that your device is seen as the raspberrypi.local machine on your local network. Second, we can connect to the device with an ssh command, and we can inspect our system as with the listing that follows:
christophecerin@MacBook-Pro-de-Christophe ~ % ssh pi@raspberrypi.local
pi@raspberrypi.local's password:   --> default password: raspberry
Linux raspberrypi 5.10.17+ #1403 Mon Feb 22 11:26:13 GMT 2021 armv6l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Apr 5 13:00:07 2021 from fe80::c7d:9af5:dd86:fe9d%wlan0

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

pi@raspberrypi:~ $ uname -a
Linux raspberrypi 5.10.17+ #1403 Mon Feb 22 11:26:13 GMT 2021 armv6l GNU/Linux
pi@raspberrypi:~ $ cat /proc/cpu
cpu/     cpuinfo
pi@raspberrypi:~ $ cat /proc/cpuinfo
processor       : 0
model name      : ARMv6-compatible processor rev 7 (v6l)
BogoMIPS        : 697.95
Features        : half thumb fastmult vfp edsp java tls
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xb76
CPU revision    : 7

Hardware        : BCM2835
Revision        : 9000c1
Serial          : 000000000f6f3e50
Model           : Raspberry Pi Zero W Rev 1.1
pi@raspberrypi:~ $ cat /proc/version
Linux version 5.10.17+ (dom@buildbot) (arm-linux-gnueabihf-gcc-8 (Ubuntu/Linaro 8.4.0-3ubuntu1) 8.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #1403 Mon Feb 22 11:26:13 GMT 2021
pi@raspberrypi:~ $ gcc --version
gcc (Raspbian 8.3.0-6+rpi1) 8.3.0
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

pi@raspberrypi:~ $ python --version
Python 2.7.16
pi@raspberrypi:~ $
Assuming that you have installed an OS with a window manager and not the lite OS, you may want to install the latest Firefox browser (but not the firefox esr browser). Please, follow the instructions:

Open the sources.list file with nano:
# sudo nano /etc/apt/sources.list
At the bottom of the file, add:
deb http://ports.ubuntu.com/ubuntu-ports bionic-updates main
Save and quit (CTRL+O, CTRL+X).

Add the key of the repository:
# sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32

Before continuing, it is necessary to modify the preferences, in order to avoid conflicts between the Raspberry Pi OS and Ubuntu versions. Open the following file:
# sudo nano /etc/apt/preferences.d/99bionic-updates
Paste the following lines:
Package: *
Pin: release a=bionic-updates
Pin-Priority: 1
Save and quit (CTRL+O, CTRL+X).

You can now update the raspberry and install firefox:
# sudo apt update
# sudo apt install firefox
If you need to watch videos from Netflix and Youtube, you need to install a dedicated version of the Chromium browser, namely Chromium Widevine. Please, follow this tutorial. The "normal" Chromium or Firefox browsers do not contain all the necessary drivers to watch videos from Netflix or Youtube: you get no sounds with them.
According to Wikipedia Public-key cryptography, or asymmetric cryptography, is a cryptographic system which uses pairs of keys: public keys (which may be known to others), and private keys (which may never be known by any except the owner). The generation of such key pairs depends on cryptographic algorithms which are based on mathematical problems termed one-way functions. Effective security requires keeping the private key private; the public key can be openly distributed without compromising security. The technique is used in a way that any person can encrypt a message using the intended receiver's public key, but that encrypted message can only be decrypted with the receiver's private key.
With public-key cryptography, robust authentication is also possible. A sender can combine a message with a private key to create a short digital signature on the message. Anyone with the sender's corresponding public key can combine that message with a claimed digital signature; if the signature matches the message, the origin of the message is verified (i.e., it must have been made by the owner of the corresponding private key).
The authentication process is depicted on Figure 1, where the SSH client represents the sender, i.e., your computer, and where the SSH server represents the distant machine, i.e., the raspberry pi zero w in our case. Step 3 on Figure 1 corresponds to the verification that the signature matches the short message, i.e., the origin of the message is verified: the machine is what it claims to be.
ssh-keygen
Ssh-keygen is a tool for creating new authentication key pairs for SSH. Such key pairs are used for automating logins, single sign-on, and for authenticating hosts.
The SSH protocol uses public key cryptography for authenticating hosts and users. The authentication keys, called SSH keys, are created using the keygen program.
SSH introduced public key authentication as a more secure alternative to the older .rhosts authentication. It improved security by avoiding the need to have passwords stored in files, and eliminated the possibility of a compromised server stealing the user's password.
However, SSH keys are authentication credentials just like passwords. Thus, they must be managed somewhat analogously to user names and passwords. They should have a proper termination process so that keys are removed when no longer needed.
The simplest way to generate a key pair is to run ssh-keygen without arguments. In this case, it will prompt for the file in which to store keys. Here's an example:
~>ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ylo/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ylo/.ssh/id_rsa.
Your public key has been saved in /home/ylo/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Up6KjbnEV4Hgfo75YM393QdQsK3Z0aTNBz0DoirrW+c ylo@klar
The key's randomart image is:
+---[RSA 2048]----+
| . ..oo..|
| . . . . .o.X.|
| . . o. ..+ B|
| . o.o .+ ..|
| ..o.S o.. |
| . %o= . |
| @.B... . |
| o.=. o. . . .|
| .oo E. . .. |
+----[SHA256]-----+
~>
First, the tool asked where to save the file. SSH keys for user authentication are usually stored in the user's .ssh directory under the home directory. However, in enterprise environments, the location is often different. The default key file name depends on the algorithm, in this case id_rsa when using the default RSA algorithm. It could also be, for example, id_dsa or id_ecdsa.
Then it asks to enter a passphrase. The passphrase is used for encrypting the key, so that it cannot be used even if someone obtains the private key file. The passphrase should be cryptographically strong.
SSH supports several public key algorithms for authentication keys. These include:
rsa - an old algorithm based on the difficulty of factoring large numbers. A key size of at least 2048 bits is recommended for RSA; 4096 bits is better. RSA is getting old and significant advances are being made in factoring. Choosing a different algorithm may be advisable. It is quite possible the RSA algorithm will become practically breakable in the foreseeable future. All SSH clients support this algorithm.
dsa - an old US government Digital Signature Algorithm. It is based on the difficulty of computing discrete logarithms. A key size of 1024 would normally be used with it. DSA in its original form is no longer recommended.
ecdsa - a new Digital Signature Algorithm standardized by the US government, using elliptic curves. This is probably a good algorithm for current applications. Only three key sizes are supported: 256, 384, and 521 (sic!) bits. We would recommend always using it with 521 bits, since the keys are still small and probably more secure than the smaller keys (even though they should be safe as well). Most SSH clients now support this algorithm.
ed25519 - this is a new algorithm added in OpenSSH. Support for it in clients is not yet universal. Thus its use in general purpose applications may not yet be advisable.
The algorithm is selected using the -t option and key size using the -b option. The following commands illustrate:
ssh-keygen -t rsa -b 4096
ssh-keygen -t dsa
ssh-keygen -t ecdsa -b 521
ssh-keygen -t ed25519
Normally, the tool prompts for the file in which to store the key. However, it can also be specified on the command line using the -f <filename> option.
ssh-keygen -f ~/tatu-key-ecdsa -t ecdsa -b 521
To use public key authentication, the public key must be copied to a server and installed in an authorized_keys file. This can be conveniently done using the ssh-copy-id tool. Like this:
ssh-copy-id -i ~/.ssh/tatu-key-ecdsa user@host
Once the public key has been configured on the server, the server will allow any connecting user that has the private key to log in. During the login process, the client proves possession of the private key by digitally signing the key exchange.
To avoid typing the password every time we open an ssh connection to the raspberry, we will create a key pair and copy the public key to the raspberry. We proceed as follows on the client machine:
christophecerin@MBPdeChristophe .ssh % ssh-keygen -t rsa -b 4096 -C "christophe.cerin@univ-paris13.fr"
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/christophecerin/.ssh/id_rsa):
/Users/christophecerin/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/christophecerin/.ssh/id_rsa.
Your public key has been saved in /Users/christophecerin/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ciKOsfp0lxEOJiRsorRFeljdUJ+ECaY3zaGt8z2Ozjs christophe.cerin@univ-paris13.fr
The key's randomart image is:
+---[RSA 4096]----+
|o oo.+=oo. |
|.*+.o.=++ . |
|=o+oo+.+ o |
|...o.oo. |
| . .o= S |
| = .o*. |
| + o o. o |
| o . ..Eo . |
|... .=o. |
+----[SHA256]-----+
christophecerin@MBPdeChristophe .ssh % ssh-copy-id pi@raspberrypi.local
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/christophecerin/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
pi@raspberrypi.local's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'pi@raspberrypi.local'"
and check to make sure that only the key(s) you wanted were added.

christophecerin@MBPdeChristophe .ssh % ssh 'pi@raspberrypi.local'
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/Users/christophecerin/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/Users/christophecerin/.ssh/id_rsa": bad permissions
pi@raspberrypi.local's password:
Linux raspberrypi 5.10.17+ #1403 Mon Feb 22 11:26:13 GMT 2021 armv6l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Apr 5 16:58:32 2021 from fe80::c7d:9af5:dd86:fe9d%wlan0

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

pi@raspberrypi:~ $ exit
logout
Connection to raspberrypi.local closed.
christophecerin@MBPdeChristophe .ssh % ssh 'pi@raspberrypi.local'
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/Users/christophecerin/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/Users/christophecerin/.ssh/id_rsa": bad permissions
pi@raspberrypi.local's password:
christophecerin@MBPdeChristophe .ssh % ll
total 152
drwxr-xr-x   12 christophecerin  staff    384  5 avr 18:02 .
drwxr-xr-x+ 376 christophecerin  staff  12032  5 avr 15:52 ..
-rw-r--r--    1 christophecerin  staff     63 11 jan  2014 config
-rw-r--r--    1 christophecerin  staff   1679 29 oct  2018 ensit
-rw-r--r--    1 christophecerin  staff    429 29 oct  2018 ensit.pub
-rw-r--r--    1 christophecerin  staff   3401  5 avr 18:01 id_rsa
-rw-r--r--    1 christophecerin  staff    758  5 avr 18:01 id_rsa.pub
-rw-------    1 christophecerin  staff  13818  5 avr 14:00 known_hosts
-rw-r--r--    1 christophecerin  staff  13438 16 déc 11:06 known_hosts.old
-rw-------    1 christophecerin  staff  13654 16 mar 10:00 known_hosts~
-rw-------    1 christophecerin  staff   3478  5 avr 15:48 sraspberry_id_rsa
-rw-r--r--    1 christophecerin  staff    773  5 avr 15:48 sraspberry_id_rsa.pub
christophecerin@MBPdeChristophe .ssh % chmod 600 id_rsa id_rsa.pub
christophecerin@MBPdeChristophe .ssh % ssh 'pi@raspberrypi.local'
Linux raspberrypi 5.10.17+ #1403 Mon Feb 22 11:26:13 GMT 2021 armv6l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Apr 5 17:03:08 2021 from fe80::c7d:9af5:dd86:fe9d%wlan0

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

pi@raspberrypi:~ $
We notice that, in the first attempts, we still need the password. This is due to the access mode of the id_rsa and id_rsa.pub files on the client machine (MacBook-Pro): as the warning says, OpenSSH ignores a private key whose permissions are too open. We changed the rights to 600, and then it works!
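The failure above is OpenSSH's own permission check: it refuses to load a private key that group or others can read. As an added example (not from the original page), this Python script reproduces that check over a ~/.ssh directory and applies the page's chmod 600 fix where needed; the selftest recreates the situation in a scratch directory with a placeholder key file, so no real key material is involved.

```python
import stat
import tempfile
from pathlib import Path

DIR_MAX = 0o700          # ~/.ssh itself: owner only
PRIVATE_KEY_MAX = 0o600  # what OpenSSH demands before it will load a private key
OTHER_MAX = 0o644        # *.pub, config, known_hosts: readable, but never group/world writable


def is_private_key(path: Path) -> bool:
    """Recognise a PEM/OpenSSH private key by its first line, whatever the file is called
    (so a key named like the page's sraspberry_id_rsa is caught as well as id_rsa)."""
    try:
        with path.open("r", errors="ignore") as fh:
            first = fh.readline()
    except OSError:
        return False
    return first.startswith("-----BEGIN") and "PRIVATE KEY" in first


def too_open(path: Path, allowed: int) -> bool:
    """True when the permission bits grant anything beyond `allowed`."""
    return (stat.S_IMODE(path.stat().st_mode) & ~allowed) != 0


def audit_ssh_dir(ssh_dir, fix=False):
    """Return [(path, required_mode)] for each entry whose mode exceeds what OpenSSH accepts.
    With fix=True the entry is chmod'ed down to that mode, i.e. the page's `chmod 600`."""
    ssh_dir = Path(ssh_dir)
    checks = [(ssh_dir, DIR_MAX)]
    for entry in sorted(ssh_dir.iterdir()):
        if entry.is_file() and not entry.is_symlink():
            checks.append((entry, PRIVATE_KEY_MAX if is_private_key(entry) else OTHER_MAX))
    findings = []
    for path, allowed in checks:
        if too_open(path, allowed):
            findings.append((str(path), oct(allowed)))
            if fix:
                path.chmod(allowed)
    return findings


def selftest():
    """Recreate the page's situation in a scratch directory: id_rsa and id_rsa.pub both 0644.
    The key body is a constructed placeholder, not key material."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = Path(tmp, ".ssh")
        ssh_dir.mkdir()
        ssh_dir.chmod(0o700)
        key = ssh_dir / "id_rsa"
        key.write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----\n")
        pub = ssh_dir / "id_rsa.pub"
        pub.write_text("ssh-rsa PLACEHOLDER user@example\n")
        key.chmod(0o644)
        pub.chmod(0o644)
        before = [Path(p).name for p, _ in audit_ssh_dir(ssh_dir, fix=True)]
        after = audit_ssh_dir(ssh_dir)
        return before, after, oct(stat.S_IMODE(key.stat().st_mode))


if __name__ == "__main__":
    print(selftest())  # (['id_rsa'], [], '0o600')
    home_ssh = Path.home() / ".ssh"
    if home_ssh.is_dir():
        for path, mode in audit_ssh_dir(home_ssh):
            print(f"{path}: too open, should be {mode}")
```

Only the private key needed tightening; id_rsa.pub, config and known_hosts may stay at 0644 as long as nobody but the owner can write them.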
Since it works, we can send remote commands from the client (MacBook-Pro) to the server (raspberry pi zero w) with ssh, like this:
christophecerin@MBPdeChristophe .ssh % ssh 'pi@raspberrypi.local' 'df -H'
Filesystem      Size  Used Avail Use% Mounted on
/dev/root        16G  2.2G   13G  15% /
devtmpfs        192M     0  192M   0% /dev
tmpfs           226M     0  226M   0% /dev/shm
tmpfs           226M  3.2M  223M   2% /run
tmpfs           5.3M     0  5.3M   0% /run/lock
tmpfs           226M     0  226M   0% /sys/fs/cgroup
/dev/mmcblk0p1  265M   51M  214M  20% /boot
tmpfs            46M     0   46M   0% /run/user/1000
christophecerin@MBPdeChristophe .ssh % ssh 'pi@raspberrypi.local' 'python -c "print 123456789 * 987654321"'
121932631112635269
christophecerin@MBPdeChristophe .ssh %
You can also keep the returned value in a variable, and play with the variable as follows:
christophecerin@MBPdeChristophe .ssh % i=`ssh 'pi@raspberrypi.local' 'python -c "print 123456789 * 987654321"'`
christophecerin@MBPdeChristophe .ssh % echo $((i+1))
121932631112635270
Note: it is also possible to forward X (graphical applications running on the server) over SSH to display graphics applications remotely on the client. See this POST.
ssh-agent is a program that can hold a user's private key, so that the private key passphrase only needs to be supplied once. A connection to the agent can also be forwarded when logging into a server, allowing SSH commands on the server to use the agent running on the user's desktop.
The tool is also used for creating host authentication keys. Host keys are stored in the /etc/ssh/ directory.
Host keys are just ordinary SSH key pairs. Each host can have one host key for each algorithm. The host keys are almost always stored in the following files:
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ed25519_key
/etc/ssh/ssh_host_rsa_key
The host keys are usually automatically generated when an SSH server is installed. They can be regenerated at any time. However, if host keys are changed, clients may warn about changed keys. Changed keys are also reported when someone tries to perform a man-in-the-middle attack. Thus it is not advisable to train your users to blindly accept them. Changing the keys is thus either best done using an SSH key management tool that also changes them on clients, or using certificates.
OpenSSH does not support X.509 certificates. X.509 certificates are widely used in larger organizations for making it easy to change host keys on a periodic basis while avoiding unnecessary warnings from clients. They also allow using strict host key checking, which means that the clients will outright refuse a connection if the host key has changed.
It is easy to create and configure new SSH keys. In the default configuration, OpenSSH allows any user to configure new keys. The keys are permanent access credentials that remain valid even after the user's account has been deleted.
In organizations with more than a few dozen users, SSH keys easily accumulate on servers and service accounts over the years. We have seen enterprises with several million keys granting access to their production servers. It only takes one leaked, stolen, or misconfigured key to gain access.
In any larger organization, use of SSH key management solutions is almost necessary. SSH keys should also be moved to root-owned locations with proper provisioning and termination processes.
Practically all cybersecurity regulatory frameworks require managing who can access what. SSH keys grant access, and fall under this requirement. Thus, organizations under compliance mandates are required to implement proper management processes for the keys.
The full version of this tutorial is available online at https://www.ssh.com/ssh/keygen/.
With your AWS account, you will be able to find a PDF document entitled "Security, Networking, and Internet: Access Denied". The document contains many practical works for you. Please, send me back your home work.
Copyright: christophe.cerin@univ-paris13.fr - April 1, 2021.