aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBryan Newbold <bnewbold@archive.org>2019-08-14 15:32:26 -0700
committerBryan Newbold <bnewbold@archive.org>2019-08-14 15:32:26 -0700
commitcf8bc7d7cec5dde44f422d5abfe051fa4dafeb3f (patch)
tree4ac3ed5b10ea60333ad6633d22b4b088b0d142ed
parent05ad577e5b65c825fdb7c6e86715208f9aa6365a (diff)
downloadia-onion-service-cf8bc7d7cec5dde44f422d5abfe051fa4dafeb3f.tar.gz
ia-onion-service-cf8bc7d7cec5dde44f422d5abfe051fa4dafeb3f.zip
update/iterate
-rw-r--r--README.md2
-rw-r--r--admin_log.md17
-rw-r--r--device_setup.md92
-rw-r--r--prototyping.md46
4 files changed, 145 insertions, 12 deletions
diff --git a/README.md b/README.md
index 21a4ebc..33dceb7 100644
--- a/README.md
+++ b/README.md
@@ -27,5 +27,5 @@
- https://iquaejmlprpqktob4i7dtdczkc5lzb6gtexbaznpoaczbu33tvv5viad.onion
+ https://7vzoqkxebjx3ax3yt6kvfo4nxk5hksltmajvd3u7whrz54q43xvsb5ad.onion
(self-signed cert)
diff --git a/admin_log.md b/admin_log.md
index 5147b12..0150f78 100644
--- a/admin_log.md
+++ b/admin_log.md
@@ -1,4 +1,21 @@
+## 2019-08-14
+
+Wiped and re-installed device with bionic, tor SSH service, and encrypted
+volume (img file).
+
+eotk git rev is `c51d59fb118b752957f5dfcddfac37a0ee83f180` (same as last time.
+
+V3 onion addess is:
+
+ 7vzoqkxebjx3ax3yt6kvfo4nxk5hksltmajvd3u7whrz54q43xvsb5ad.onion
+
+Installed (and used) mkcert this time while prototyping. To get the rootCA.pem file:
+
+ cat `mkcert -CAROOT`/rootCA.pem > /private/eotk/mkcert_testing_snakeoil_rootCA.pem
+
+`scp` this file locally and follow [directions](https://github.com/alecmuffett/eotk/blob/8e64328350526ef533aec1c3dca215feb94bfdb9/docs.d/ADDING-A-ROOT-CERTIFICATE-TO-TOR-BROWSER.md) to add to torbrowser for testing.
+
## 2019-07-15
Upgraded to git `c51d59fb118b752957f5dfcddfac37a0ee83f180` to try new v3
diff --git a/device_setup.md b/device_setup.md
index 00d5101..4912d2f 100644
--- a/device_setup.md
+++ b/device_setup.md
@@ -9,22 +9,14 @@ OS: Ubuntu 16.04 "xenial" (as per EOTK supported)
## OS Install
-Download an Ubuntu 16.04 server .iso file, verify checksup, and `dd` it to a USB thumbdrive.
+Download an Ubuntu 18.04 server .iso file, verify checksup, and `dd` it to a USB thumbdrive.
Power on the Intel NUC with keyboard and monitor attached, hold F10 to get boot
menu and select the USB drive (I didn't use UEFI).
Install as english/USA.
-Hostname: ia-onion1
-
-User: eotk
-Password: eotk-changeme
-
-Did not encrypt homedir; want device to come back up automatically after a
-power fault.
-
-Select unencrypted full LVM volume.
+Select use whole disk with LVM.
Select "install security upgrades automatically".
@@ -32,6 +24,11 @@ Install:
- standard system utilities
- OpenSSH server
+Hostname: ia-onion1
+
+User: eotk
+Password: eotk-changeme
+
Have grub overwrite MBR
Reboot, pull USB drive, login as eotk.
@@ -90,4 +87,77 @@ passwd) to install your personal SSH key in `authorized_keys2`.
TODO: should probably just disable password login entirely, and use root shell
in person if we need to recover?
-Ok, now ready for service setup following `prototyping.md`.
+Install tor to set up remote SSH access:
+
+ # follow directions at https://2019.www.torproject.org/docs/debian.html.en
+ # for bionic upstream
+ # should get tor 0.4 or newer
+
+ sudo apt install tor
+
+Add to /etc/tor/torrc (for v3 onion service):
+
+ HiddenServiceDir /var/lib/tor/ssh_hidden_service
+ HiddenServiceVersion 3
+ HiddenServicePort 22 127.0.0.1:22
+
+ # uncomment this one
+ Log notice file /var/log/tor/notices.log
+
+Restart tor (`sudo service tor restart`). Get hidden service/secret:
+
+ sudo cat /var/lib/tor/ssh_hidden_service/hostname
+
+Add to your local (laptop) torbrowser (or whatever) config:
+
+ HidServAuth <hostname>.onion <stealth_secret>
+
+Add to local (laptop) ssh config:
+
+ Host ia-onion1
+ HostName <hostname>.onion
+ User eotk
+ proxyCommand ncat --proxy 127.0.0.1:9150 --proxy-type socks5 %h %p
+
+Or:
+
+ torsocks ssh eotk@<hostname>.onion
+
+Note that the Tor Browser Bundle default local proxy port is now 9150; the
+regular tor daemon when run as itself (not part of TBB) listens on port 9050.
+
+Ok, now set up a 1GByte encrypted partition for EOTK et al, using LUKS:
+
+ sudo mkdir -p /private
+ sudo dd if=/dev/urandom of=/private.img bs=1M count=1000
+ sudo cryptsetup luksFormat /private.img
+ # YES
+ # enter strong/long password
+
+ sudo cryptsetup luksOpen /private.img eotk_private_volume
+ sudo mkfs.ext4 /dev/mapper/eotk_private_volume
+ sudo mount /dev/mapper/eotk_private_volume /private
+ sudo chown -R eotk:eotk /private
+
+To mount/unlock the partition (eg, after a reboot):
+
+ sudo cryptsetup luksOpen /private.img eotk_private_volume
+ sudo mount /dev/mapper/eotk_private_volume /private
+ sudo /etc/init.d/eotk-init.sh stop
+ sudo /etc/init.d/eotk-init.sh start
+
+These commands should be put in an `~/after_reboot.sh` file on the device.
+
+Ensure that you can SSH in over tor, then reboot the NUC and make sure you can
+still SSH in.
+
+Install mkcert:
+
+ sudo apt install libnss3-tools
+ # download from https://github.com/FiloSottile/mkcert/releases
+ # install in /usr/local/bin
+
+ mkcert -install
+
+Ok, now ready for service setup following `prototyping.md` (bionic section).
+
diff --git a/prototyping.md b/prototyping.md
index d8be735..915a485 100644
--- a/prototyping.md
+++ b/prototyping.md
@@ -1,4 +1,50 @@
+## ia-onion1 (NUC) bionic
+
+An Intel NUC running Ubuntu 18.04, following `device_setup.md` notes.
+
+ mkdir -p /private/eotk
+ cd /private/eotk
+ screen -S eotk
+
+ git clone https://github.com/alecmuffett/eotk.git src
+ cd src
+ ./opt.d/install-everything-on-ubuntu-18.04.sh
+ ./eotk make-scripts
+
+ cat archive_org.tconf
+ #set project archive_org
+ #hardmap %NEW_V3_ONION% archive.org us
+
+ ./eotk config archive_org.tconf
+
+ cat archive_org.conf
+ # example, not actual results
+ #set project archive_org
+ #hardmap c6srwspz6764tcyn archive.org us
+
+ # edit file to remove comments and add...
+ #
+ # set x_from_onion_value 1
+ # set preserve_csv tld-ao,archive\\.org,i,archive.org
+ # set ssl_mkcert 1
+
+ ./eotk config archive_org.conf
+
+ ./eotk start archive_org
+
+Set up scripts:
+
+ sudo cp eotk-init.sh /etc/init.d && sudo update-rc.d eotk-init.sh defaults
+
+ # copy line from head of eotk-housekeeping.sh
+ crontab -e
+
+After all this, needed to re-enable default tor (for SSH service):
+
+ sudo systemctl enable tor
+ sudo service tor start
+
## wbgrp-svc206.us.archive.org Log
A cluster VM, running Ubuntu 16.04.