Security: authentication and more!

Configure and play with the raspberry pi zero w

You have just received your gift: a raspberry pi zero w. How lucky you are! The raspberry has a wifi chipset, Bluetooth and an HDMI output. There are also two micro-usb ports: one is for power via a micro-usb -> usb cable (not supplied), the other one can be used to connect a usb stick for extra storage, or a usb hub (not supplied) to be able to connect several usb devices including a keyboard and a mouse (not supplied). The raspberry comes with 16GB of disk space.

There are two modes of operation:

As a first complementary reading, I would like to mention a page related to machine learning on the Raspberry pi zero: http://www.acgeospatial.co.uk/raspberry-pi-zero-processing-images/

As a second complementary reading, I recommend the page on compiling GCC 10.2.1 (the latest version of GCC as of April 1, 2021) on a Raspberry: https://solarianprogrammer.com/2018/05/06/building-gcc-cross-compiler-raspberry-pi/. To save time, I can pass you an archive to install the GCC distribution under /opt on the raspberry pi zero w. Otherwise it will take 5 days to compile the GCC sources!

Let's go back to the problems of installation and secure access to the raspberry pi zero w. To set up your device, read the online tutorial. You also need to configure the wifi once the SD card has been flashed. For that, open the file /etc/wpa_supplicant/wpa_supplicant.conf, located in the rootfs directory of your SD card, and give some information about your access points. You need to be root to edit it. I'm guessing you are dealing with Linux. Here is an example where I declared two wifi access points. The first one, with priority=1, is for my home network with the Orange provider. The second one, with priority=2, is for my Apple iPhone used as the access point:

  pi@raspberrypi:~ $ sudo cat /etc/wpa_supplicant/wpa_supplicant.conf
  country=FR
  ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
  update_config=1

  network={
      ssid="Livebox-ee94"
      psk="xxxxxxxxxxxxx"
      priority=1
  }

  network={
      ssid="iPhoneDeChristophe"
      psk="xxxxxxxxxx"
      id_str="iPhoneDeChristophe"
      priority=2
  }
  pi@raspberrypi:~ $

Then, please, reboot your Raspberry pi zero w. After that, to connect to the device, first run the command ssh-keygen -R raspberrypi.local on your host computer (here my personal MacBookPro). The command removes (-R hostname flag) all keys belonging to hostname from the known_hosts file. This is just for the purpose of cleaning. Note also that your device is seen as the raspberrypi.local machine on your local network. Second, we can connect to the device with an ssh command and inspect our system, as in the listing that follows:

christophecerin@MacBook-Pro-de-Christophe ~ % ssh pi@raspberrypi.local
pi@raspberrypi.local's password:       --> default password: raspberry 
Linux raspberrypi 5.10.17+ #1403 Mon Feb 22 11:26:13 GMT 2021 armv6l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Apr  5 13:00:07 2021 from fe80::c7d:9af5:dd86:fe9d%wlan0

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

pi@raspberrypi:~ $ uname -a
Linux raspberrypi 5.10.17+ #1403 Mon Feb 22 11:26:13 GMT 2021 armv6l GNU/Linux
pi@raspberrypi:~ $ cat /proc/cpu
cpu/     cpuinfo  
pi@raspberrypi:~ $ cat /proc/cpuinfo 
processor	: 0
model name	: ARMv6-compatible processor rev 7 (v6l)
BogoMIPS	: 697.95
Features	: half thumb fastmult vfp edsp java tls 
CPU implementer	: 0x41
CPU architecture: 7
CPU variant	: 0x0
CPU part	: 0xb76
CPU revision	: 7

Hardware	: BCM2835
Revision	: 9000c1
Serial		: 000000000f6f3e50
Model		: Raspberry Pi Zero W Rev 1.1
pi@raspberrypi:~ $ cat /proc/version 
Linux version 5.10.17+ (dom@buildbot) (arm-linux-gnueabihf-gcc-8 (Ubuntu/Linaro 8.4.0-3ubuntu1) 8.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #1403 Mon Feb 22 11:26:13 GMT 2021
pi@raspberrypi:~ $ gcc --version
gcc (Raspbian 8.3.0-6+rpi1) 8.3.0
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

pi@raspberrypi:~ $ python --version
Python 2.7.16
pi@raspberrypi:~ $

Installation of Web browsers

Assuming that you have installed an OS with a window manager and not the lite OS, you may want to install the latest Firefox browser (but not the firefox esr browser). Please, follow the instructions:

  Open the sources.list file with nano:
  # sudo nano /etc/apt/sources.list
  At the bottom of the file, add:
  deb http://ports.ubuntu.com/ubuntu-ports bionic-updates main
  save and quit (CTRL+O, CTRL+X)
  add the key of the repository:
  # sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
  Before continuing, it is necessary to modify the preferences,
  in order to avoid conflicts between the Raspberry Pi OS and Ubuntu versions:
  open the following file:
  # sudo nano /etc/apt/preferences.d/99bionic-updates
  paste the following lines:
  Package: *
  Pin: release a=bionic-updates
  Pin-Priority: 1
  
  save and quit (CTRL+O, CTRL+X)
  you can now update the raspberry and install firefox
  # sudo apt update
  # sudo apt install firefox

If you need to watch videos from Netflix and Youtube, you need to install a dedicated version of the Chromium browser, namely Chromium Widevine. Please, follow this tutorial. The "normal" Chromium or Firefox browsers do not contain all the necessary drivers to watch videos from Netflix or Youtube: you get no sound with them.

Basics of SSH (Secure Shell)

Public-key cryptography

According to Wikipedia, public-key cryptography, or asymmetric cryptography, is a cryptographic system which uses pairs of keys: public keys (which may be known to others), and private keys (which may never be known by any except the owner). The generation of such key pairs depends on cryptographic algorithms which are based on mathematical problems termed one-way functions. Effective security requires keeping the private key private; the public key can be openly distributed without compromising security. The technique is used in a way that any person can encrypt a message using the intended receiver's public key, but that encrypted message can only be decrypted with the receiver's private key.

With public-key cryptography, robust authentication is also possible. A sender can combine a message with a private key to create a short digital signature on the message. Anyone with the sender's corresponding public key can combine that message with a claimed digital signature; if the signature matches the message, the origin of the message is verified (i.e., it must have been made by the owner of the corresponding private key).

The authentication process is depicted in Figure 1, where the SSH client represents the sender, i.e., your computer, and where the SSH server represents the distant machine, i.e., the raspberry pi zero w in our case. Step 3 in Figure 1 corresponds to the verification that the signature matches the short message: the origin of the message is verified, i.e., the machine is what it claims to be.

Figure 1: Authentication process (simplified protocol diagram)
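
The sign-then-verify step of Figure 1 can be reproduced offline with ssh-keygen -Y (OpenSSH 8.1 or later). This is an added example, not part of the original page: the identity client@example, the namespace demo-auth and the challenge string are constructed, and the challenge stands in for the data a real SSH session signs.

```shell
#!/bin/sh
# Added example (not from the original page). Needs OpenSSH >= 8.1 for
# "ssh-keygen -Y". The identity client@example, the namespace demo-auth and
# the challenge text are constructed for this demonstration.

CHALLENGE='challenge:constructed-1234'

# client_sign WORKDIR
# Client side: create the key pair once, then sign the challenge with the
# PRIVATE key. The signature is written to WORKDIR/challenge.sig.
client_sign() {
    [ -f "$1/id_ed25519" ] ||
        ssh-keygen -q -t ed25519 -N '' -C client@example -f "$1/id_ed25519"
    printf '%s' "$CHALLENGE" |
        ssh-keygen -Y sign -f "$1/id_ed25519" -n demo-auth \
            > "$1/challenge.sig" 2>/dev/null
}

# server_verify WORKDIR PUBKEY_FILE MESSAGE
# Server side: it holds only a PUBLIC key. Returns 0 when challenge.sig is a
# valid signature of MESSAGE made by the matching private key.
server_verify() {
    printf 'client@example %s\n' "$(cut -d' ' -f1,2 "$2")" > "$1/allowed_signers"
    printf '%s' "$3" |
        ssh-keygen -Y verify -f "$1/allowed_signers" -I client@example \
            -n demo-auth -s "$1/challenge.sig" >/dev/null 2>&1
}

demo() {
    w=$(mktemp -d)
    client_sign "$w"
    # A second, unrelated key pair plays the role of a different user.
    ssh-keygen -q -t ed25519 -N '' -C other@example -f "$w/other"

    server_verify "$w" "$w/id_ed25519.pub" "$CHALLENGE" &&
        echo "accepted: signature matches message and public key"
    server_verify "$w" "$w/id_ed25519.pub" 'challenge:tampered' ||
        echo "rejected: message differs from the one that was signed"
    server_verify "$w" "$w/other.pub" "$CHALLENGE" ||
        echo "rejected: signature was not made with this key's private half"
    rm -rf "$w"
}
command -v ssh-keygen >/dev/null 2>&1 && demo
```

The private key never leaves the client directory; the verifier works from the .pub file alone.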

What Is ssh-keygen?

Ssh-keygen is a tool for creating new authentication key pairs for SSH. Such key pairs are used for automating logins, single sign-on, and for authenticating hosts.

The SSH protocol uses public key cryptography for authenticating hosts and users. The authentication keys, called SSH keys, are created using the keygen program.

SSH introduced public key authentication as a more secure alternative to the older .rhosts authentication. It improved security by avoiding the need to have passwords stored in files, and eliminated the possibility of a compromised server stealing the user's password.

However, SSH keys are authentication credentials just like passwords. Thus, they must be managed somewhat analogously to user names and passwords. They should have a proper termination process so that keys are removed when no longer needed.

Creating an SSH Key Pair for User Authentication

The simplest way to generate a key pair is to run ssh-keygen without arguments. In this case, it will prompt for the file in which to store keys. Here's an example:

~>ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ylo/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/ylo/.ssh/id_rsa.
Your public key has been saved in /home/ylo/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Up6KjbnEV4Hgfo75YM393QdQsK3Z0aTNBz0DoirrW+c ylo@klar
The key's randomart image is:
+---[RSA 2048]----+
|    .      ..oo..|
|   . . .  . .o.X.|
|    . . o.  ..+ B|
|   .   o.o  .+ ..|
|    ..o.S   o..  |
|   . %o=      .  |
|    @.B...     . |
|   o.=. o. . .  .|
|    .oo  E. . .. |
+----[SHA256]-----+
~>

First, the tool asked where to save the file. SSH keys for user authentication are usually stored in the user's .ssh directory under the home directory. However, in enterprise environments, the location is often different. The default key file name depends on the algorithm, in this case id_rsa when using the default RSA algorithm. It could also be, for example, id_dsa or id_ecdsa.

Then it asks to enter a passphrase. The passphrase is used for encrypting the key, so that it cannot be used even if someone obtains the private key file. The passphrase should be cryptographically strong.

Choosing an Algorithm and Key Size

SSH supports several public key algorithms for authentication keys. These include:

The algorithm is selected using the -t option and key size using the -b option. The following commands illustrate:

ssh-keygen -t rsa -b 4096
ssh-keygen -t dsa
ssh-keygen -t ecdsa -b 521
ssh-keygen -t ed25519

Specifying the File Name

Normally, the tool prompts for the file in which to store the key. However, it can also be specified on the command line using the -f <filename> option.

ssh-keygen -f ~/tatu-key-ecdsa -t ecdsa -b 521

Copying the Public Key to the Server

To use public key authentication, the public key must be copied to a server and installed in an authorized_keys file. This can be conveniently done using the ssh-copy-id tool, like this:

ssh-copy-id -i ~/.ssh/tatu-key-ecdsa user@host

Once the public key has been configured on the server, the server will allow any connecting user that has the private key to log in. During the login process, the client proves possession of the private key by digitally signing the key exchange.

Practical work for the raspberry pi zero w

To avoid typing the password every time we open an ssh connection to the raspberry, we will create a key pair and copy the public key to the raspberry. We proceed as follows on the client machine:

christophecerin@MBPdeChristophe .ssh % ssh-keygen -t rsa -b 4096 -C "christophe.cerin@univ-paris13.fr"
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/christophecerin/.ssh/id_rsa): 
/Users/christophecerin/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/christophecerin/.ssh/id_rsa.
Your public key has been saved in /Users/christophecerin/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ciKOsfp0lxEOJiRsorRFeljdUJ+ECaY3zaGt8z2Ozjs christophe.cerin@univ-paris13.fr
The key's randomart image is:
+---[RSA 4096]----+
|o oo.+=oo.       |
|.*+.o.=++ .      |
|=o+oo+.+ o       |
|...o.oo.         |
|  . .o= S        |
|   = .o*.        |
|  + o o. o       |
| o . ..Eo .      |
|...   .=o.       |
+----[SHA256]-----+
christophecerin@MBPdeChristophe .ssh % ssh-copy-id  pi@raspberrypi.local
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/christophecerin/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
pi@raspberrypi.local's password: 

Number of key(s) added:        1

Now try logging into the machine, with:   "ssh 'pi@raspberrypi.local'"
and check to make sure that only the key(s) you wanted were added.

christophecerin@MBPdeChristophe .ssh % ssh 'pi@raspberrypi.local'
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/Users/christophecerin/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/Users/christophecerin/.ssh/id_rsa": bad permissions
pi@raspberrypi.local's password: 
Linux raspberrypi 5.10.17+ #1403 Mon Feb 22 11:26:13 GMT 2021 armv6l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Apr  5 16:58:32 2021 from fe80::c7d:9af5:dd86:fe9d%wlan0

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

pi@raspberrypi:~ $ exit
logout
Connection to raspberrypi.local closed.
christophecerin@MBPdeChristophe .ssh % ssh 'pi@raspberrypi.local'
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/Users/christophecerin/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/Users/christophecerin/.ssh/id_rsa": bad permissions
pi@raspberrypi.local's password: 

christophecerin@MBPdeChristophe .ssh % ll 
total 152
drwxr-xr-x   12 christophecerin  staff    384  5 avr 18:02 .
drwxr-xr-x+ 376 christophecerin  staff  12032  5 avr 15:52 ..
-rw-r--r--    1 christophecerin  staff     63 11 jan  2014 config
-rw-r--r--    1 christophecerin  staff   1679 29 oct  2018 ensit
-rw-r--r--    1 christophecerin  staff    429 29 oct  2018 ensit.pub
-rw-r--r--    1 christophecerin  staff   3401  5 avr 18:01 id_rsa
-rw-r--r--    1 christophecerin  staff    758  5 avr 18:01 id_rsa.pub
-rw-------    1 christophecerin  staff  13818  5 avr 14:00 known_hosts
-rw-r--r--    1 christophecerin  staff  13438 16 déc 11:06 known_hosts.old
-rw-------    1 christophecerin  staff  13654 16 mar 10:00 known_hosts~
-rw-------    1 christophecerin  staff   3478  5 avr 15:48 sraspberry_id_rsa
-rw-r--r--    1 christophecerin  staff    773  5 avr 15:48 sraspberry_id_rsa.pub
christophecerin@MBPdeChristophe .ssh % chmod 600 id_rsa id_rsa.pub
christophecerin@MBPdeChristophe .ssh % ssh 'pi@raspberrypi.local' 
Linux raspberrypi 5.10.17+ #1403 Mon Feb 22 11:26:13 GMT 2021 armv6l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Apr  5 17:03:08 2021 from fe80::c7d:9af5:dd86:fe9d%wlan0

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

pi@raspberrypi:~ $ 

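We notice that, in the first step, we still need the password. This is due to the access mode of the private key file id_rsa on the client machine (MacBook-Pro): with permissions 0644 the file is readable by other users, so ssh ignores the key ("This private key will be ignored") and falls back to password authentication. We changed the rights of id_rsa and id_rsa.pub to 600, and then it works! Only the private key needs this restriction; the public key may stay readable.

Since it works, we can send remote commands from the client (MacBook-Pro) to the server (raspberry pi zero w) with ssh, like this: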
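
The check behind the "UNPROTECTED PRIVATE KEY FILE" warning can be run over a whole .ssh directory before ssh complains. The script below is an added example, not part of the original page; its function names are hypothetical and its demo runs on a constructed directory with dummy key files.

```shell
#!/bin/sh
# Added example (not from the original page): find private keys in a .ssh
# directory whose mode would trigger "UNPROTECTED PRIVATE KEY FILE".

# Octal permission bits of a file: GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# A private key is recognised by its PEM/OpenSSH header, not by its name, so
# keys stored under other names (ensit, sraspberry_id_rsa) are found as well.
is_private_key() {
    head -n 1 "$1" 2>/dev/null | grep -q '^-----BEGIN .*PRIVATE KEY-----'
}

# audit_ssh_dir DIR [fix]
# Prints every private key that group or others can access.
# Returns 1 if such a key is left in place, 0 otherwise.
audit_ssh_dir() {
    dir=$1
    action=${2:-report}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        is_private_key "$f" || continue
        mode=$(file_mode "$f")
        # ssh refuses a key when any group/other bit is set (mode & 077).
        [ $(( 0$mode & 077 )) -ne 0 ] || continue
        if [ "$action" = fix ]; then
            chmod 600 "$f"
            echo "fixed: $f ($mode -> 600)"
        else
            echo "too open: $f ($mode)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample directory mirroring the listing above (dummy contents).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'dummy' > "$d/id_rsa"
    printf '%s\n' 'ssh-rsa AAAA-dummy user@example' > "$d/id_rsa.pub"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'dummy' > "$d/ensit"
    chmod 644 "$d/id_rsa" "$d/id_rsa.pub" "$d/ensit"
    audit_ssh_dir "$d" || echo "-> these private keys need chmod 600"
    audit_ssh_dir "$d" fix    # restricts id_rsa and ensit, leaves id_rsa.pub
    audit_ssh_dir "$d" && echo "clean: no private key is group/world accessible"
    rm -rf "$d"
}
demo
```

On a real machine, call audit_ssh_dir "$HOME/.ssh" to report and audit_ssh_dir "$HOME/.ssh" fix to repair.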

christophecerin@MBPdeChristophe .ssh % ssh 'pi@raspberrypi.local' 'df -H'                 
Filesystem      Size  Used Avail Use% Mounted on
/dev/root        16G  2.2G   13G  15% /
devtmpfs        192M     0  192M   0% /dev
tmpfs           226M     0  226M   0% /dev/shm
tmpfs           226M  3.2M  223M   2% /run
tmpfs           5.3M     0  5.3M   0% /run/lock
tmpfs           226M     0  226M   0% /sys/fs/cgroup
/dev/mmcblk0p1  265M   51M  214M  20% /boot
tmpfs            46M     0   46M   0% /run/user/1000
christophecerin@MBPdeChristophe .ssh % ssh 'pi@raspberrypi.local' 'python -c "print 123456789 * 987654321"'
121932631112635269
christophecerin@MBPdeChristophe .ssh % 

You can also keep the returned value in a variable, and play with the variable as follows:

christophecerin@MBPdeChristophe .ssh % i=`ssh 'pi@raspberrypi.local' 'python -c "print 123456789 * 987654321"'`
christophecerin@MBPdeChristophe .ssh % echo $((i+1))
121932631112635270

Note: it is also possible to forward X (graphical applications running on the server) over SSH to display graphics applications remotely on the client. See this POST.

Adding the Key to SSH Agent

ssh-agent is a program that can hold a user's private key, so that the private key passphrase only needs to be supplied once. A connection to the agent can also be forwarded when logging into a server, allowing SSH commands on the server to use the agent running on the user's desktop.

Creating Host Keys

The ssh-keygen tool is also used for creating host authentication keys. Host keys are stored in the /etc/ssh/ directory.

Host keys are just ordinary SSH key pairs. Each host can have one host key for each algorithm. The host keys are almost always stored in the following files:

/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ed25519_key
/etc/ssh/ssh_host_rsa_key

The host keys are usually automatically generated when an SSH server is installed. They can be regenerated at any time. However, if host keys are changed, clients may warn about changed keys. Changed keys are also reported when someone tries to perform a man-in-the-middle attack. Thus it is not advisable to train your users to blindly accept them. Changing the keys is thus either best done using an SSH key management tool that also changes them on clients, or using certificates.

Using X.509 Certificates for Host Authentication

OpenSSH does not support X.509 certificates. X.509 certificates are widely used in larger organizations for making it easy to change host keys on a periodic basis while avoiding unnecessary warnings from clients. They also allow using strict host key checking, which means that the clients will outright refuse a connection if the host key has changed.

Key Management Requires Attention

It is easy to create and configure new SSH keys. In the default configuration, OpenSSH allows any user to configure new keys. The keys are permanent access credentials that remain valid even after the user's account has been deleted.

In organizations with more than a few dozen users, SSH keys easily accumulate on servers and service accounts over the years. We have seen enterprises with several million keys granting access to their production servers. It only takes one leaked, stolen, or misconfigured key to gain access.

In any larger organization, use of SSH key management solutions is almost necessary. SSH keys should also be moved to root-owned locations with proper provisioning and termination processes.
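
On a single machine such as the raspberry, the first step of that management is knowing which keys an authorized_keys file currently accepts. The script below is an added example, not part of the original page; the function name and flag labels are hypothetical, and the sample file is constructed with dummy key material.

```shell
#!/bin/sh
# Added example (not from the original page): inventory of an authorized_keys
# file, so that unexpected or stale keys can be spotted and removed.

# list_authorized_keys FILE
# Prints one line per key: line number, key type, comment, flags (tab separated).
# Only the four algorithms named on this page are recognised. Limitation: an
# option value that contains a key-type word as a separate token is misparsed.
list_authorized_keys() {
    awk '
    /^[ \t]*#/ { next }                 # comment line
    /^[ \t]*$/ { next }                 # blank line
    {
        t = 0                           # index of the key-type field
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/) {
                t = i; break
            }
        if (t == 0 || t == NF) { printf "%d\tUNPARSED\t-\t-\n", NR; next }
        comment = "-"
        for (j = t + 2; j <= NF; j++)
            comment = (j == t + 2) ? $j : (comment " " $j)
        flags = ""
        if ($t == "ssh-dss") flags = flags "weak-dsa,"     # DSA is deprecated in OpenSSH
        if (t > 1)           flags = flags "has-options,"  # e.g. command=, from=
        if (comment == "-")  flags = flags "no-comment,"   # owner cannot be identified
        sub(/,$/, "", flags)
        if (flags == "") flags = "-"
        printf "%d\t%s\t%s\t%s\n", NR, $t, comment, flags
    }' "$1"
}

# Constructed sample file (key material replaced by dummy strings).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed authorized_keys sample
ssh-rsa AAAAB3-dummy christophe.cerin@univ-paris13.fr
command="df -H",no-pty ssh-ed25519 AAAAC3-dummy backup job
ssh-dss AAAAB3-dummy
EOF
    list_authorized_keys "$f"
    rm -f "$f"
}
demo
```

For the fingerprints of the same entries, ssh-keygen -l -f ~/.ssh/authorized_keys prints one line per key.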

Practically all cybersecurity regulatory frameworks require managing who can access what. SSH keys grant access, and fall under this requirement. Thus, organizations under compliance mandates are required to implement proper management processes for the keys.

The full version of this tutorial is available online at https://www.ssh.com/ssh/keygen/.

AWS Educate

With your AWS account, you will be able to find a PDF document entitled "Security, Networking, and Internet: Access Denied". The document contains many practical works for you. Please, send me back your homework.

Copyright: christophe.cerin@univ-paris13.fr - April 1, 2021.