From cf8bc7d7cec5dde44f422d5abfe051fa4dafeb3f Mon Sep 17 00:00:00 2001 From: Bryan Newbold Date: Wed, 14 Aug 2019 15:32:26 -0700 Subject: update/iterate --- device_setup.md | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 81 insertions(+), 11 deletions(-) (limited to 'device_setup.md') diff --git a/device_setup.md b/device_setup.md index 00d5101..4912d2f 100644 --- a/device_setup.md +++ b/device_setup.md @@ -9,22 +9,14 @@ OS: Ubuntu 16.04 "xenial" (as per EOTK supported) ## OS Install -Download an Ubuntu 16.04 server .iso file, verify checksup, and `dd` it to a USB thumbdrive. +Download an Ubuntu 18.04 server .iso file, verify checksup, and `dd` it to a USB thumbdrive. Power on the Intel NUC with keyboard and monitor attached, hold F10 to get boot menu and select the USB drive (I didn't use UEFI). Install as english/USA. -Hostname: ia-onion1 - -User: eotk -Password: eotk-changeme - -Did not encrypt homedir; want device to come back up automatically after a -power fault. - -Select unencrypted full LVM volume. +Select use whole disk with LVM. Select "install security upgrades automatically". @@ -32,6 +24,11 @@ Install: - standard system utilities - OpenSSH server +Hostname: ia-onion1 + +User: eotk +Password: eotk-changeme + Have grub overwrite MBR Reboot, pull USB drive, login as eotk. 
@@ -90,4 +87,77 @@ passwd) to install your personal SSH key in `authorized_keys2`. TODO: should probably just disable password login entirely, and use root shell in person if we need to recover? -Ok, now ready for service setup following `prototyping.md`. +Install tor to set up remote SSH access: + + # follow directions at https://2019.www.torproject.org/docs/debian.html.en + # for bionic upstream + # should get tor 0.4 or newer + + sudo apt install tor + +Add to /etc/tor/torrc (for v3 onion service): + + HiddenServiceDir /var/lib/tor/ssh_hidden_service + HiddenServiceVersion 3 + HiddenServicePort 22 127.0.0.1:22 + + # uncomment this one + Log notice file /var/log/tor/notices.log + +Restart tor (`sudo service tor restart`). Get hidden service/secret: + + sudo cat /var/lib/tor/ssh_hidden_service/hostname + +Add to your local (laptop) torbrowser (or whatever) config: + + HidServAuth .onion + +Add to local (laptop) ssh config: + + Host ia-onion1 + HostName .onion + User eotk + proxyCommand ncat --proxy 127.0.0.1:9150 --proxy-type socks5 %h %p + +Or: + + torsocks ssh eotk@.onion + +Note that the Tor Browser Bundle default local proxy port is now 9150; the +regular tor daemon when run as itself (not part of TBB) listens on port 9050. 
+
+Ok, now set up a 1GByte encrypted partition for EOTK et al, using LUKS:
+
+ sudo mkdir -p /private
+ sudo dd if=/dev/urandom of=/private.img bs=1M count=1000
+ sudo cryptsetup luksFormat /private.img
+ # YES
+ # enter strong/long password
+
+ sudo cryptsetup luksOpen /private.img eotk_private_volume
+ sudo mkfs.ext4 /dev/mapper/eotk_private_volume
+ sudo mount /dev/mapper/eotk_private_volume /private
+ sudo chown -R eotk:eotk /private
+
+To mount/unlock the partition (eg, after a reboot):
+
+ sudo cryptsetup luksOpen /private.img eotk_private_volume
+ sudo mount /dev/mapper/eotk_private_volume /private
+ sudo /etc/init.d/eotk-init.sh stop
+ sudo /etc/init.d/eotk-init.sh start
+
+These commands should be put in an `~/after_reboot.sh` file on the device.
+
+Ensure that you can SSH in over tor, then reboot the NUC and make sure you can
+still SSH in.
+
+Install mkcert:
+
+ sudo apt install libnss3-tools
+ # download from https://github.com/FiloSottile/mkcert/releases
+ # install in /usr/local/bin
+
+ mkcert -install
+
+Ok, now ready for service setup following `prototyping.md` (bionic section).
+
-- 
cgit v1.2.3