author: Bryan Newbold <bnewbold@archive.org> 2019-08-14 15:32:26 -0700
committer: Bryan Newbold <bnewbold@archive.org> 2019-08-14 15:32:26 -0700
commit: cf8bc7d7cec5dde44f422d5abfe051fa4dafeb3f (patch)
tree: 4ac3ed5b10ea60333ad6633d22b4b088b0d142ed /device_setup.md
parent: 05ad577e5b65c825fdb7c6e86715208f9aa6365a (diff)
Diffstat (limited to 'device_setup.md')
1 file changed, 81 insertions, 11 deletions
diff --git a/device_setup.md b/device_setup.md
index 00d5101..4912d2f 100644
--- a/device_setup.md
+++ b/device_setup.md
@@ -9,22 +9,14 @@ OS: Ubuntu 16.04 "xenial" (as per EOTK supported)
## OS Install
-Download an Ubuntu 16.04 server .iso file, verify checksup, and `dd` it to a USB thumbdrive.
+Download an Ubuntu 18.04 server .iso file, verify checksup, and `dd` it to a USB thumbdrive.
Power on the Intel NUC with keyboard and monitor attached, hold F10 to get boot
menu and select the USB drive (I didn't use UEFI).
Install as english/USA.
-Hostname: ia-onion1
-User: eotk
-Password: eotk-changeme
-Did not encrypt homedir; want device to come back up automatically after a
-power fault.
-Select unencrypted full LVM volume.
+Select use whole disk with LVM.
Select "install security upgrades automatically".
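Review bot: the hunk header's trailing context still reads `OS: Ubuntu 16.04 "xenial" (as per EOTK supported)`, while the new `+` line says to download an Ubuntu 18.04 ISO; the OS line just above this hunk needs the same bump, otherwise the document contradicts itself about which release is installed. The removed line `Did not encrypt homedir; want device to come back up automatically after a power fault.` was the only recorded reason for choosing an unencrypted root volume; keep that rationale next to `Select use whole disk with LVM.` so a later reader does not "fix" the setup by turning on full-disk encryption and breaking unattended reboot. Minor: `verify checksup` (typo for `checksum`) is carried over unchanged into the new line.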
@@ -32,6 +24,11 @@ Install:
- standard system utilities
- OpenSSH server
+Hostname: ia-onion1
+User: eotk
+Password: eotk-changeme
Have grub overwrite MBR
Reboot, pull USB drive, login as eotk.
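Review bot: `Password: eotk-changeme` is now recorded verbatim in a committed document. If that is the literal installer password rather than a placeholder, say so and state that it is rotated right after first login (the later `passwd` step), otherwise every clone of this repo documents the device's initial credential. Also, the three moved lines run straight into `Have grub overwrite MBR` with no blank line between them; a blank line would keep the account block a separate step, matching the spacing used elsewhere in the file.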
@@ -90,4 +87,77 @@ passwd) to install your personal SSH key in `authorized_keys2`.
TODO: should probably just disable password login entirely, and use root shell
in person if we need to recover?
-Ok, now ready for service setup following `prototyping.md`.
+Install tor to set up remote SSH access:
+ # follow directions at https://2019.www.torproject.org/docs/debian.html.en
+ # for bionic upstream
+ # should get tor 0.4 or newer
+ sudo apt install tor
+Add to /etc/tor/torrc (for v3 onion service):
+ HiddenServiceDir /var/lib/tor/ssh_hidden_service
+ HiddenServiceVersion 3
+ HiddenServicePort 22
+ # uncomment this one
+ Log notice file /var/log/tor/notices.log
+Restart tor (`sudo service tor restart`). Get hidden service/secret:
+ sudo cat /var/lib/tor/ssh_hidden_service/hostname
+Add to your local (laptop) torbrowser (or whatever) config:
+ HidServAuth <hostname>.onion <stealth_secret>
+Add to local (laptop) ssh config:
+ Host ia-onion1
+ HostName <hostname>.onion
+ User eotk
+ proxyCommand ncat --proxy --proxy-type socks5 %h %p
+ torsocks ssh eotk@<hostname>.onion
+Note that the Tor Browser Bundle default local proxy port is now 9150; the
+regular tor daemon when run as itself (not part of TBB) listens on port 9050.
+Ok, now set up a 1GByte encrypted partition for EOTK et al, using LUKS:
+ sudo mkdir -p /private
+ sudo dd if=/dev/urandom of=/private.img bs=1M count=1000
+ sudo cryptsetup luksFormat /private.img
+ # YES
+ # enter strong/long password
+ sudo cryptsetup luksOpen /private.img eotk_private_volume
+ sudo mkfs.ext4 /dev/mapper/eotk_private_volume
+ sudo mount /dev/mapper/eotk_private_volume /private
+ sudo chown -R eotk:eotk /private
+To mount/unlock the partition (eg, after a reboot):
+ sudo cryptsetup luksOpen /private.img eotk_private_volume
+ sudo mount /dev/mapper/eotk_private_volume /private
+ sudo /etc/init.d/eotk-init.sh stop
+ sudo /etc/init.d/eotk-init.sh start
+These commands should be put in an `~/after_reboot.sh` file on the device.
+Ensure that you can SSH in over tor, then reboot the NUC and make sure you can
+still SSH in.
+Install mkcert:
+ sudo apt install libnss3-tools
+ # download from https://github.com/FiloSottile/mkcert/releases
+ # install in /usr/local/bin
+ mkcert -install
+Ok, now ready for service setup following `prototyping.md` (bionic section).
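Review bot: `HidServAuth <hostname>.onion <stealth_secret>` is a v2-only client directive, but the torrc block sets `HiddenServiceVersion 3` and contains nothing that enables client authorization for the service; for v3 the server side is an `authorized_clients/` directory under `HiddenServiceDir` and the client side is `ClientOnionAuthDir`, and the `hostname` file only holds the onion address, so the "secret" this step expects to read is never produced. As written, the SSH onion is reachable by anyone who learns the address, and the `HidServAuth` line should be dropped or replaced with the v3 setup. Two smaller points in the same block: `proxyCommand ncat --proxy --proxy-type socks5 %h %p` is missing the address that `--proxy` takes (e.g. `--proxy 127.0.0.1:9050`, matching the port note a few lines below), and `torsocks ssh eotk@<hostname>.onion` is indented as though it were a directive inside the `Host ia-onion1` stanza; it is an alternative way to connect, not ssh_config syntax, so move it out of that block with its own sentence.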