From cf8bc7d7cec5dde44f422d5abfe051fa4dafeb3f Mon Sep 17 00:00:00 2001 From: Bryan Newbold Date: Wed, 14 Aug 2019 15:32:26 -0700 Subject: update/iterate --- README.md | 2 +- admin_log.md | 17 +++++++++++ device_setup.md | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++------- prototyping.md | 46 +++++++++++++++++++++++++++++ 4 files changed, 145 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 21a4ebc..33dceb7 100644 --- a/README.md +++ b/README.md @@ -27,5 +27,5 @@ - https://iquaejmlprpqktob4i7dtdczkc5lzb6gtexbaznpoaczbu33tvv5viad.onion + https://7vzoqkxebjx3ax3yt6kvfo4nxk5hksltmajvd3u7whrz54q43xvsb5ad.onion (self-signed cert) diff --git a/admin_log.md b/admin_log.md index 5147b12..0150f78 100644 --- a/admin_log.md +++ b/admin_log.md @@ -1,4 +1,21 @@ +## 2019-08-14 + +Wiped and re-installed device with bionic, tor SSH service, and encrypted +volume (img file). + +eotk git rev is `c51d59fb118b752957f5dfcddfac37a0ee83f180` (same as last time. + +V3 onion addess is: + + 7vzoqkxebjx3ax3yt6kvfo4nxk5hksltmajvd3u7whrz54q43xvsb5ad.onion + +Installed (and used) mkcert this time while prototyping. To get the rootCA.pem file: + + cat `mkcert -CAROOT`/rootCA.pem > /private/eotk/mkcert_testing_snakeoil_rootCA.pem + +`scp` this file locally and follow [directions](https://github.com/alecmuffett/eotk/blob/8e64328350526ef533aec1c3dca215feb94bfdb9/docs.d/ADDING-A-ROOT-CERTIFICATE-TO-TOR-BROWSER.md) to add to torbrowser for testing. + ## 2019-07-15 Upgraded to git `c51d59fb118b752957f5dfcddfac37a0ee83f180` to try new v3 diff --git a/device_setup.md b/device_setup.md index 00d5101..4912d2f 100644 --- a/device_setup.md +++ b/device_setup.md 
@@ -9,22 +9,14 @@ OS: Ubuntu 16.04 "xenial" (as per EOTK supported) ## OS Install -Download an Ubuntu 16.04 server .iso file, verify checksup, and `dd` it to a USB thumbdrive. +Download an Ubuntu 18.04 server .iso file, verify checksup, and `dd` it to a USB thumbdrive. Power on the Intel NUC with keyboard and monitor attached, hold F10 to get boot menu and select the USB drive (I didn't use UEFI). Install as english/USA. -Hostname: ia-onion1 - -User: eotk -Password: eotk-changeme - -Did not encrypt homedir; want device to come back up automatically after a -power fault. - -Select unencrypted full LVM volume. +Select use whole disk with LVM. Select "install security upgrades automatically". @@ -32,6 +24,11 @@ Install: - standard system utilities - OpenSSH server +Hostname: ia-onion1 + +User: eotk +Password: eotk-changeme + Have grub overwrite MBR Reboot, pull USB drive, login as eotk. 
@@ -90,4 +87,77 @@ passwd) to install your personal SSH key in `authorized_keys2`. TODO: should probably just disable password login entirely, and use root shell in person if we need to recover? -Ok, now ready for service setup following `prototyping.md`. +Install tor to set up remote SSH access: + + # follow directions at https://2019.www.torproject.org/docs/debian.html.en + # for bionic upstream + # should get tor 0.4 or newer + + sudo apt install tor + +Add to /etc/tor/torrc (for v3 onion service): + + HiddenServiceDir /var/lib/tor/ssh_hidden_service + HiddenServiceVersion 3 + HiddenServicePort 22 127.0.0.1:22 + + # uncomment this one + Log notice file /var/log/tor/notices.log + +Restart tor (`sudo service tor restart`). Get hidden service/secret: + + sudo cat /var/lib/tor/ssh_hidden_service/hostname + +Add to your local (laptop) torbrowser (or whatever) config: + + HidServAuth .onion + +Add to local (laptop) ssh config: + + Host ia-onion1 + HostName .onion + User eotk + proxyCommand ncat --proxy 127.0.0.1:9150 --proxy-type socks5 %h %p + +Or: + + torsocks ssh eotk@.onion + +Note that the Tor Browser Bundle default local proxy port is now 9150; the +regular tor daemon when run as itself (not part of TBB) listens on port 9050. 
+ +Ok, now set up a 1GByte encrypted partition for EOTK et al, using LUKS: + + sudo mkdir -p /private + sudo dd if=/dev/urandom of=/private.img bs=1M count=1000 + sudo cryptsetup luksFormat /private.img + # YES + # enter strong/long password + + sudo cryptsetup luksOpen /private.img eotk_private_volume + sudo mkfs.ext4 /dev/mapper/eotk_private_volume + sudo mount /dev/mapper/eotk_private_volume /private + sudo chown -R eotk:eotk /private + +To mount/unlock the partition (eg, after a reboot): + + sudo cryptsetup luksOpen /private.img eotk_private_volume + sudo mount /dev/mapper/eotk_private_volume /private + sudo /etc/init.d/eotk-init.sh stop + sudo /etc/init.d/eotk-init.sh start + +These commands should be put in an `~/after_reboot.sh` file on the device. + +Ensure that you can SSH in over tor, then reboot the NUC and make sure you can +still SSH in. + +Install mkcert: + + sudo apt install libnss3-tools + # download from https://github.com/FiloSottile/mkcert/releases + # install in /usr/local/bin + + mkcert -install + +Ok, now ready for service setup following `prototyping.md` (bionic section). + diff --git a/prototyping.md b/prototyping.md index d8be735..915a485 100644 --- a/prototyping.md +++ b/prototyping.md 
@@ -1,4 +1,50 @@ +## ia-onion1 (NUC) bionic + +An Intel NUC running Ubuntu 18.04, following `device_setup.md` notes. + + mkdir -p /private/eotk + cd /private/eotk + screen -S eotk + + git clone https://github.com/alecmuffett/eotk.git src + cd src + ./opt.d/install-everything-on-ubuntu-18.04.sh + ./eotk make-scripts + + cat archive_org.tconf + #set project archive_org + #hardmap %NEW_V3_ONION% archive.org us + + ./eotk config archive_org.tconf + + cat archive_org.conf + # example, not actual results + #set project archive_org + #hardmap c6srwspz6764tcyn archive.org us + + # edit file to remove comments and add... + # + # set x_from_onion_value 1 + # set preserve_csv tld-ao,archive\\.org,i,archive.org + # set ssl_mkcert 1 + + ./eotk config archive_org.conf + + ./eotk start archive_org + +Set up scripts: + + sudo cp eotk-init.sh /etc/init.d && sudo update-rc.d eotk-init.sh defaults + + # copy line from head of eotk-housekeeping.sh + crontab -e + +After all this, needed to re-enable default tor (for SSH service): + + sudo systemctl enable tor + sudo service tor start + ## wbgrp-svc206.us.archive.org Log A cluster VM, running Ubuntu 16.04. -- cgit v1.2.3
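Review bot: In the admin_log.md hunk (@@ -1,4 +1,21 @@), the line `cat \`mkcert -CAROOT\`/rootCA.pem > /private/eotk/mkcert_testing_snakeoil_rootCA.pem` copies only the public root certificate into the encrypted volume; the matching CA private key stays in the mkcert CAROOT directory, which is outside `/private` unless `CAROOT` is pointed there before `mkcert -install`. State where that key lives, since anyone holding it can issue certificates the testing Tor Browser will trust. Two small fixes in the same hunk: "onion addess" should read "onion address", and "(same as last time." is missing its closing parenthesis.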
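Review bot: In the device_setup.md hunk at @@ -9,22 +9,14 @@, the hunk header's context line still reads `OS: Ubuntu 16.04 "xenial" (as per EOTK supported)` while the rewritten install step now says `Download an Ubuntu 18.04 server .iso file`; update that line too, or the document contradicts itself in its first screen. The rewritten line also keeps the typo "checksup" (checksum). Removing the sentence "Did not encrypt homedir; want device to come back up automatically after a power fault" drops the only statement of the availability requirement; since the same commit adds a LUKS image that must be unlocked by hand after a reboot, a one-line note on that trade-off should replace it rather than leaving the requirement unstated.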
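Review bot: In the device_setup.md hunk at @@ -32,6 +24,11 @@, the moved block `User: eotk` / `Password: eotk-changeme` documents an install-time default, and the later hunk exposes SSH over an onion service while password login is still enabled (the TODO in that hunk's context says so). Add a sentence here that the password must be replaced before the tor SSH service is configured, so the two steps cannot be followed in the order written with the default still in place.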
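Review bot: In the device_setup.md hunk at @@ -90,4 +87,77 @@, the torrc block sets `HiddenServiceVersion 3` but the client-side instruction `HidServAuth .onion` is a v2-only option; tor ignores it for v3 addresses, and the `hostname` file of a v3 service contains only the address, so the "Get hidden service/secret" step yields no secret at all. As written, the SSH onion service has no client authorization and is reachable by anyone who learns the address. If access should be restricted, document v3 client authorization (an `authorized_clients/` directory under the `HiddenServiceDir` on the NUC and `ClientOnionAuthDir` on the laptop), or at least resolve the TODO about disabling password login before this step. In the LUKS section, `count=1000` with `bs=1M` gives 1000 MiB, not the "1GByte" the text promises (minor), and the `~/after_reboot.sh` paragraph should say plainly that EOTK stays down after every reboot until someone runs it, since `/private` is locked at boot.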
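Review bot: In the prototyping.md hunk (@@ -1,4 +1,50 @@), the closing lines `After all this, needed to re-enable default tor (for SSH service):` / `sudo systemctl enable tor` show that the install script disables the system tor, which is the device's only remote access path; move a "verify SSH over tor still works" check to immediately after `./opt.d/install-everything-on-ubuntu-18.04.sh`, before the session can be lost on a headless NUC. `sudo update-rc.d eotk-init.sh defaults` will also run `eotk-init.sh` at boot while `/private` is still locked, so the boot-time failure is expected and should be called out next to the `after_reboot.sh` restart. Finally, the sample `#hardmap c6srwspz6764tcyn archive.org us` shows a 16-character v2-style address under a `%NEW_V3_ONION%` template; a v3 address is 56 characters (compare the README hunk), so the example should use a placeholder of the right shape to avoid confusing readers about what `./eotk config` produces.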