path: root/device_setup.md
blob: 4912d2fa0a45030b675015af7b68d6b1d8fd464a (plain)
Hardware:
- Intel NUC
- CPU: i5-5250U
- RAM: 4 GByte
- 500 GByte SSD (overkill, but was what we had)

OS: Ubuntu 18.04 "bionic" (an EOTK-supported release; the rest of these notes, and the bionic section of `prototyping.md`, assume it)

## OS Install

Download an Ubuntu 18.04 server .iso file, verify its SHA256 checksum against the signed `SHA256SUMS` file (and check that file's GPG signature), and `dd` it to a USB thumbdrive.

Power on the Intel NUC with keyboard and monitor attached, hold F10 to get the boot
menu and select the USB drive (legacy BIOS boot, not UEFI; that is why grub goes
into the MBR below).

Install as english/USA.

Select use whole disk with LVM.

Select "install security upgrades automatically".

Install:
- standard system utilities
- OpenSSH server

Hostname: ia-onion1

User: eotk
Password: eotk-changeme (temporary; changed at the first SSH login below)

Have grub overwrite MBR

Reboot, pull USB drive, login as eotk.

    sudo apt update
    sudo apt upgrade

    sudo apt install git

    cd ~
    git clone https://git.bnewbold.net/ia-onion-service
    cd ia-onion-service

    # you can cut this out into a shell script instead of re-typing it; the
    # trailing backslashes are needed, since the command spans several lines
    sudo apt install build-essential cowsay manpages-dev apt-transport-https \
        curl git htop iftop iotop iputils-ping less molly-guard mtr-tiny netbase \
        net-tools openssh-server screen sudo tcpdump tree unattended-upgrades \
        util-linux vim-nox wget ntp fail2ban rkhunter debsums whois lynis \
        etckeeper

    # whoops, that pulled in postfix as a dependency! we don't want an MTA on this box
    sudo apt remove postfix

Ok, some crude security lock-down...

edit `/etc/ssh/sshd_config`:

    # keep only these two host keys (drops the ECDSA one)
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key

    PermitRootLogin no

    # leave password auth on until your key is on the device (below), then
    # set this to "no"
    #PasswordAuthentication yes

    X11Forwarding no

    # disable sftp: comment out the "Subsystem sftp ..." line
    #Subsystem ...

Then `sudo service ssh restart`. Do this while you still have the console: a
typo in the file leaves sshd refusing to start, and the restart does not warn
you before cutting off remote access.

For passwordless sudo:

    sudo visudo
    # on the '%sudo' line, replace the last "ALL" with "NOPASSWD: ALL"

With this, the `eotk` SSH key is the only credential between the network and
root on the box, so it only makes sense together with the key-only login set
up below.

Ok, ready for SSH login. Look up the IP with `ip addr` and log in with the
password as `eotk`.

Change the password with `passwd`. On the laptop, run `ssh-copy-id` (and enter
the new password) to install your personal SSH key in `~/.ssh/authorized_keys`
on the NUC.

TODO: once key login is confirmed working, disable password authentication in
sshd entirely (the `PasswordAuthentication` line above) and use a root shell on
the console in person if we need to recover? Test the change from a second SSH
session before closing the one you are in.
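The sshd lock-down above is a hand edit that is easy to get half-right (a
commented-out `PasswordAuthentication` line stays in effect as "yes", and PAM can
still offer a password prompt through keyboard-interactive unless that is off
too). The following is an added example, not code from the ia-onion-service
repo: idempotent helpers that apply the same settings, plus a checker that
reports whether the *active* lines say what you think. The sample config and
temp paths are constructed for the demo; on the NUC you would run
`harden_sshd_config /etc/ssh/sshd_config` as root. It assumes the file has no
`Match` blocks, which is true of the stock Ubuntu file.

```sh
#!/bin/sh
# Added example (not from the ia-onion-service repo): idempotent sshd_config
# lock-down for the steps above, plus a post-condition checker.
set -eu

# set_sshd_option FILE KEY VALUE: rewrite the "KEY ..." line, whether active or
# commented out, to "KEY VALUE"; append one if the file has none. Re-runnable.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$|$key $value|" "$file" > "$file.tmp"
    else
        { cat "$file"; printf '%s %s\n' "$key" "$value"; } > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# set_host_keys FILE KEY...: drop every HostKey line (active or commented) and
# list only the given ones.
set_host_keys() {
    file=$1; shift
    grep -Ev '^[[:space:]]*#?[[:space:]]*HostKey([[:space:]]|$)' "$file" > "$file.tmp" || true
    for k in "$@"; do printf 'HostKey %s\n' "$k"; done >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# disable_sftp FILE: comment out the "Subsystem sftp ..." line.
disable_sftp() {
    sed -E 's|^([[:space:]]*Subsystem[[:space:]]+sftp.*)$|#\1|' "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
}

harden_sshd_config() {
    set_host_keys "$1" /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ed25519_key
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    # without this, PAM can still prompt for a password via keyboard-interactive
    set_sshd_option "$1" ChallengeResponseAuthentication no
    set_sshd_option "$1" X11Forwarding no
    disable_sftp "$1"
}

# sshd_option_is FILE KEY VALUE: true if the first active KEY line (the one
# sshd honours; keywords are case-insensitive) carries VALUE.
sshd_option_is() {
    got=$(grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}')
    [ "$got" = "$3" ]
}

# check_sshd_hardening FILE: true only when every lock-down setting is active.
check_sshd_hardening() {
    sshd_option_is "$1" PermitRootLogin no &&
    sshd_option_is "$1" PasswordAuthentication no &&
    sshd_option_is "$1" ChallengeResponseAuthentication no &&
    sshd_option_is "$1" X11Forwarding no &&
    ! grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp' "$1"
}

# make_sample_config FILE: constructed stand-in for the stock Ubuntu 18.04
# sshd_config (same defaults for the options that matter here; not a copy).
make_sample_config() {
    cat > "$1" <<'EOF'
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

demo() {
    tmp=$(mktemp -d)
    make_sample_config "$tmp/sshd_config"
    harden_sshd_config "$tmp/sshd_config"
    harden_sshd_config "$tmp/sshd_config"   # second run must change nothing
    if check_sshd_hardening "$tmp/sshd_config"; then
        echo "hardened:"; cat "$tmp/sshd_config"
    else
        echo "lock-down incomplete" >&2
    fi
    rm -rf "$tmp"
}

demo
```

On the device, run the hardening only after `ssh-copy-id` has worked, then
`sudo sshd -t` (no output means the file parses), restart sshd, and confirm a
fresh key-only login from a second terminal before closing the session you are
in. `check_sshd_hardening /etc/ssh/sshd_config` is the post-condition to keep
around: it reads the active lines, so a later edit that re-enables something
shows up as a non-zero exit.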

Install tor to set up remote SSH access. Use the Tor Project's own apt
repository rather than Ubuntu's archive, whose tor package is older:

    # follow directions at https://2019.www.torproject.org/docs/debian.html.en
    # for the bionic repository; this should get tor 0.4 or newer

    sudo apt install tor
Add to /etc/tor/torrc (for a v3 onion service):

    HiddenServiceDir /var/lib/tor/ssh_hidden_service
    HiddenServiceVersion 3
    HiddenServicePort 22 127.0.0.1:22

    # uncomment this one
    Log notice file /var/log/tor/notices.log

Restart tor (`sudo service tor restart`). tor creates the directory and writes
the onion address to its `hostname` file:

    sudo cat /var/lib/tor/ssh_hidden_service/hostname

With `HiddenServiceVersion 3` that file holds only the `.onion` address; there
is no stealth secret, and the `HidServAuth <hostname>.onion <stealth_secret>`
client line (and the `HiddenServiceAuthorizeClient stealth` server option it
pairs with) are v2-only. To restrict the SSH onion to your own clients, use v3
client authorization instead: one x25519 public key per client in
`/var/lib/tor/ssh_hidden_service/authorized_clients/<name>.auth` on the NUC,
with the matching private key in a `ClientOnionAuthDir` on the laptop. Without
it, anyone who learns the address can reach sshd, which is why the key-only
login above matters.

Add to local (laptop) ssh config (`ncat` is part of nmap):

    Host ia-onion1
        HostName <hostname>.onion
        User eotk
        ProxyCommand ncat --proxy 127.0.0.1:9150 --proxy-type socks5 %h %p

Or, with a system tor daemon running on the laptop:

    torsocks ssh eotk@<hostname>.onion

Note that the Tor Browser Bundle's local SOCKS port is 9150, which is what the
`ProxyCommand` above uses; the regular tor daemon run on its own (not part of
TBB) listens on port 9050, which is also the `torsocks` default. Pick the port
of whichever tor is actually running on the laptop.
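The torrc above uses `HiddenServiceVersion 3`, where `HidServAuth` lines and
stealth secrets do not apply; keeping the SSH onion reachable only from your
own machines is done with v3 client authorization. The following is an added
example, not code from the ia-onion-service repo: it generates an x25519 key
pair with openssl (tor ships no generator for this; the byte-extraction recipe
is the one in the Tor Project's client-auth documentation) and writes the two
files tor reads, `<name>.auth` for the service side and `<name>.auth_private`
for the client's `ClientOnionAuthDir`. Assumptions for the demo: client name
"laptop", temporary directories in place of `/var/lib/tor/ssh_hidden_service`
and the laptop's auth directory, and a constructed 56-character string standing
in for the real address (it has the right shape but no valid checksum). Needs
openssl 1.1.1 or newer and GNU coreutils `base32`.

```sh
#!/bin/sh
# Added example, not from the ia-onion-service repo: v3 onion-service client
# authorization key pair and the files tor reads on each side.
set -eu
umask 077   # private key files are created readable by this user only

command -v openssl >/dev/null || { echo "openssl >= 1.1.1 (x25519) required" >&2; exit 1; }

# x25519_keypair DIR NAME: writes DIR/NAME.prv.pem, plus the raw 32-byte private
# and public keys as unpadded base32 (DIR/NAME.prv.key, DIR/NAME.pub.key), the
# form tor expects. The raw key is the last 32 bytes of the PKCS#8 DER
# (private) and of the SubjectPublicKeyInfo DER (public).
x25519_keypair() {
    openssl genpkey -algorithm X25519 -out "$1/$2.prv.pem"
    grep -v ' PRIVATE KEY' "$1/$2.prv.pem" | base64 -d | tail -c 32 \
        | base32 | tr -d '=\n' > "$1/$2.prv.key"
    openssl pkey -in "$1/$2.prv.pem" -pubout | grep -v ' PUBLIC KEY' \
        | base64 -d | tail -c 32 | base32 | tr -d '=\n' > "$1/$2.pub.key"
}

# write_server_auth HSDIR NAME PUBKEY: the file the onion service (NUC side)
# reads from HSDIR/authorized_clients; tor picks new files up on restart/HUP.
# Only the public key ever goes here.
write_server_auth() {
    mkdir -p "$1/authorized_clients"
    printf 'descriptor:x25519:%s\n' "$3" > "$1/authorized_clients/$2.auth"
}

# write_client_auth AUTHDIR ONION NAME PRIVKEY: the matching file for the
# laptop's ClientOnionAuthDir. ONION may be given with or without ".onion";
# a v3 address is exactly 56 base32 characters.
write_client_auth() {
    addr=${2%.onion}
    if ! printf '%s' "$addr" | grep -Eq '^[a-z2-7]{56}$'; then
        echo "not a v3 onion address: $2" >&2
        return 1
    fi
    mkdir -p "$1"
    printf '%s:descriptor:x25519:%s\n' "$addr" "$4" > "$1/$3.auth_private"
}

# Constructed placeholder with the shape of a v3 address (not a real service).
SAMPLE_ONION=abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx

demo() {
    tmp=$(mktemp -d)
    x25519_keypair "$tmp" laptop
    write_server_auth "$tmp/ssh_hidden_service" laptop "$(cat "$tmp/laptop.pub.key")"
    write_client_auth "$tmp/onion_auth" "$SAMPLE_ONION.onion" laptop "$(cat "$tmp/laptop.prv.key")"
    echo "NUC    authorized_clients/laptop.auth: $(cat "$tmp/ssh_hidden_service/authorized_clients/laptop.auth")"
    echo "laptop onion_auth/laptop.auth_private: $(cat "$tmp/onion_auth/laptop.auth_private")"
    rm -rf "$tmp"
}

demo
```

Generate the pair on the laptop, copy only the `.auth` file to the NUC into
`/var/lib/tor/ssh_hidden_service/authorized_clients/` (owned by the tor user,
like the rest of that directory) and restart tor; on the laptop, point a
`ClientOnionAuthDir` line in torrc at the directory holding the
`.auth_private` file and restart that tor. Once an `authorized_clients` entry
exists, tor serves the descriptor encrypted to those keys only, so an
unauthorized client cannot even discover the service's introduction points.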

Ok, now set up a 1 GByte LUKS-encrypted volume for EOTK et al. It is an image
file (`/private.img`) on the root filesystem, opened through a loop device and
mounted at `/private`, so EOTK's keys and config are unreadable at rest:

    sudo mkdir -p /private
    sudo dd if=/dev/urandom of=/private.img bs=1M count=1000
    sudo cryptsetup luksFormat /private.img
    # type YES (uppercase) to confirm
    # enter a strong/long passphrase; it is the only way back in after a reboot

    sudo cryptsetup luksOpen /private.img eotk_private_volume
    sudo mkfs.ext4 /dev/mapper/eotk_private_volume
    sudo mount /dev/mapper/eotk_private_volume /private
    sudo chown -R eotk:eotk /private

To unlock and mount the volume (eg, after a reboot), then restart EOTK so it
sees its files again:

    sudo cryptsetup luksOpen /private.img eotk_private_volume
    sudo mount /dev/mapper/eotk_private_volume /private
    sudo /etc/init.d/eotk-init.sh stop
    sudo /etc/init.d/eotk-init.sh start

These commands should be put in an `~/after_reboot.sh` file on the device. The
passphrase is typed in interactively every time, so nothing that unlocks the
volume is stored on the unencrypted disk; the flip side is that the onion
services stay down after every reboot until someone logs in and runs it.

Ensure that you can SSH in over tor, then reboot the NUC and make sure you can
still SSH in. The SSH onion comes back on its own because its keys live under
`/var/lib/tor`, outside the encrypted volume; that is what makes the remote
unlock possible.
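A worked version of the `~/after_reboot.sh` the text calls for, as an added
example (not code from the ia-onion-service repo): the same three steps, made
safe to re-run if someone already unlocked or mounted the volume, with a check
that the path really is a LUKS container before cryptsetup is asked to open
it. It only acts when executed under that file name, so the helper functions
can be exercised without root. The image path, mapper name and mount point are
the ones used above; the `eotk-init.sh` path is taken from the text as well.

```sh
#!/bin/sh
# Added example, not from the ia-onion-service repo: re-runnable after_reboot.sh.
set -eu

IMG=/private.img
MAPPER=eotk_private_volume
MNT=/private

# luks_header_ok FILE: true if FILE starts with the LUKS magic "LUKS" 0xBA 0xBE,
# a cheap sanity check before handing the path to cryptsetup.
luks_header_ok() {
    [ "$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')" = "4c554b53babe" ]
}

# private_is_mapped NAME: true once cryptsetup has set up /dev/mapper/NAME.
private_is_mapped() { [ -e "/dev/mapper/$1" ]; }

# private_is_mounted DIR: true if something is mounted at DIR (reads the Linux
# /proc/mounts table; second field is the mount point).
private_is_mounted() {
    awk -v m="$1" '$2 == m { found = 1 } END { exit !found }' /proc/mounts
}

unlock_private() {
    if ! luks_header_ok "$IMG"; then
        echo "$IMG does not carry a LUKS header; refusing to continue" >&2
        return 1
    fi
    if private_is_mapped "$MAPPER"; then
        echo "$MAPPER already unlocked"
    else
        sudo cryptsetup luksOpen "$IMG" "$MAPPER"   # prompts for the passphrase
    fi
    if private_is_mounted "$MNT"; then
        echo "$MNT already mounted"
    else
        sudo mount "/dev/mapper/$MAPPER" "$MNT"
    fi
    # restart EOTK so it picks up the now-available /private (as in the text)
    sudo /etc/init.d/eotk-init.sh stop || true
    sudo /etc/init.d/eotk-init.sh start
}

# Run the unlock only when invoked as ~/after_reboot.sh; when sourced or run
# under another name, just define the functions.
case "${0##*/}" in
    after_reboot.sh) unlock_private ;;
esac
```

Save it as `~/after_reboot.sh`, `chmod +x` it, and run it after each reboot from
the SSH-over-tor session; a bad `IMG` path (say, after the image is moved) fails
before any passphrase prompt instead of leaving a half-done state.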

Install mkcert (it creates a local CA and registers it with the system and NSS
trust stores, which is why `libnss3-tools` is needed):

    sudo apt install libnss3-tools
    # download the linux-amd64 binary from
    # https://github.com/FiloSottile/mkcert/releases, make it executable,
    # and install it in /usr/local/bin

    mkcert -install

The CA private key this creates (`mkcert -CAROOT` prints the directory) can
sign a certificate for any name that the machine's own browsers will then
accept, so keep it out of backups and off other machines.

Ok, now ready for service setup following `prototyping.md` (bionic section).