InstallSsh

NOTE: The following guide is written for an IT2005 OS. For IT2006 OS see InstallSsh2006.

Prerequisites

  • Required

  • Recommended

    • Root access, see HowDoiBecomeRoot
    • Needed for changing the passwords and for running the SSH server as root

There are currently two choices for SSH client and server for Nokia 770: Dropbear and OpenSSH (Todo: Explain the differences)

Dropbear SSH server

Installing

Download dropbear-key and dropbear-server from http://nohar.nerim.net/n770/ and install them in that order using the Application installer in the Control panel.

Preparing

If you don't have root access to your device, the only authentication method is to use a public key and log in as a normal user. If that is the case, skip to the section Public key authentication.

Password authentication

Before launching the server, it is strongly recommended that you change the passwords for user and for root. The more secure way is to disable the root login and, if root is needed, log in as user and use sudo gainroot. If you don't change the user password, you won't be able to authenticate with a password because the user's default password is not known. It might even be scrambled so that no one would know it.

Warning: If you run the server as root and do not disable root login or change root's password, it is a huge security risk and lets anyone log in to your device as root using root's default password "rootme". You have been warned.

Changing passwords

To change the passwords you need to have root access to your device. See HowDoiBecomeRoot.

Open xterm and become root

$ sudo gainroot
Root shell enabled


BusyBox v1.00 (Debian 2:20041102-11) Built-in shell (ash)
Enter 'help' for a list of built-in commands. 

Change the user's password

# passwd user
Changing password for user
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
New password:
Re-enter new password:
Password changed.

Change root's password. Please consider disabling the root login and using sudo gainroot instead.

# passwd root
Changing password for root
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
New password:
Re-enter new password:
Password changed.

Or optionally disable root login. This doesn't disable the ability to use sudo gainroot.

# passwd -l root
Password changed.
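
One way to confirm the lock took effect before starting the server as root (an added example, not part of the original guide). It assumes a locked account is marked by a leading ! or * in the password field, as BusyBox and shadow passwd do, and that you pass it the file that holds the hashes (/etc/passwd or /etc/shadow); the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: pre-start check for the
# Dropbear init script, following the rules given in the text.

# Print the password state of account $2 in passwd/shadow-format file $1.
account_state() {
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($2 == "")           print "empty"     # no password at all
            else if ($2 ~ /^[!*]/)  print "locked"    # e.g. after passwd -l
            else if ($2 == "x")     print "shadowed"  # hash lives in another file
            else                    print "set"
        }
        END { if (!found) print "missing" }' "$1"
}

# $1 = account file, $2 = user that will start the server (output of whoami).
# Returns 1 when the server would be started as root with root not locked.
preflight() {
    root=$(account_state "$1" root)
    user=$(account_state "$1" user)
    echo "root: $root, user: $user"
    case $user in
        locked|empty|missing)
            echo "user: no usable password, run 'passwd user' or use a public key" ;;
    esac
    if [ "$2" = root ] && [ "$root" != locked ]; then
        echo "root is not locked (state: $root): run 'passwd -l root' first"
        return 1
    fi
    return 0
}

# Constructed sample lines: root locked, user with a placeholder hash.
sample=$(mktemp)
printf '%s\n' 'root:!constructedhash:0:0:root:/root:/bin/sh' \
              'user:constructedhash:29999:29999::/home/user:/bin/sh' > "$sample"
preflight "$sample" root
rm -f "$sample"
```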

Public key authentication

To connect to the SSH server running on the Nokia 770 without passwords, you must have an RSA public and private key. The Dropbear SSH server doesn't seem to accept DSA keys. The public key is stored on the server in the ~/.ssh/authorized_keys file and the private key is stored on the client, usually in the file ~/.ssh/id_rsa.

If you have already generated an RSA keypair on your client, you can use it. Just add the public key to the server's authorized_keys file. To get the public key file to the Nokia 770, use USB, Bluetooth, mail ...

The authorized_keys file has one key on each line:

options ssh-rsa base64_encoded_key comment

Creating RSA keypair

The easiest way to generate an RSA keypair is to use the client computer. If you have a Windows machine, I suggest using this manual. You can also use other programs like SecureCRT, but some of them create the public key in a proprietary format, which must be converted to the authorized_keys format.

Create the SSH keys on the client computer

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/xxx/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): **************
Enter same passphrase again: *************
Your identification has been saved in /home/xxx/.ssh/id_rsa
Your public key has been saved in /home/xxx/.ssh/id_rsa.pub
The key fingerprint is:
d0:b9:30:13:f2:81:b5:09:1d:xx:xx:xx:xx:xx:xx:xx xxx@host

Copy /home/xxx/.ssh/id_rsa.pub to the Nokia 770 with USB, Bluetooth, email, a web server, etc. and put it in ~/.ssh/authorized_keys.

Change the permissions of the .ssh folder and the authorized_keys file so that they are accessible only by user

$ chmod 400 ~/.ssh/authorized_keys
$ chmod 700 ~/.ssh
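
A check for the points above, as an added example that is not part of the original guide: it confirms that the .ssh folder and authorized_keys are closed to group and other, and that every entry is an ssh-rsa key, since the server does not seem to accept DSA keys. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: check ~/.ssh before relying on
# public key login. Prints one finding per line, returns 0 when there are none.

# True when group and other have no permissions on $1 (modes such as 700, 400).
private_mode() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

audit_authorized_keys() {   # $1 = the .ssh directory to inspect
    dir=$1; file=$dir/authorized_keys; bad=0; n=0
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    private_mode "$dir"  || { echo "$dir: open to group/other, chmod 700"; bad=1; }
    private_mode "$file" || { echo "$file: open to group/other, chmod 400"; bad=1; }
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        # An options field may precede the key type, so match it anywhere.
        case " $line" in
            # "AAAAB3NzaC1yc2E" is how the base64 blob of every ssh-rsa key starts.
            *" ssh-rsa AAAAB3NzaC1yc2E"*) ;;
            *" ssh-dss "*) echo "line $n: DSA key, the server wants RSA"; bad=1 ;;
            *) echo "line $n: not a valid ssh-rsa entry"; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# Constructed sample: truncated placeholder blobs, not real keys.
demo_dir=$(mktemp -d)
cat > "$demo_dir/authorized_keys" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed xxx@host
ssh-dss AAAAB3NzaC1kc3MAAACBconstructed xxx@host
EOF
chmod 700 "$demo_dir"; chmod 644 "$demo_dir/authorized_keys"
audit_authorized_keys "$demo_dir" || echo "fix the findings above"
rm -rf "$demo_dir"
```

On the device, run it as audit_authorized_keys ~/.ssh after the chmod commands.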

Starting server

The Dropbear SSH server can be run either by the regular user or by root. If launched by root, the server will listen on port 22 and accept both root and user logins. Otherwise it will listen on port 2222 and allow only user login.

If you don't have root access to your device, the only choice is to run the server as a normal user on port 2222, allowing only user to log in. You can still use sudo gainroot to become root.

Before you start the server, check which user you currently are

$ whoami
user

This can also be seen from the prompt character shown after the current path in the terminal/console: "$" for a normal user and "#" for root.

When you are finished with passwords and/or keys, start the server

/var/lib/install/etc/init.d/dropbear-server start

Depending on which user you started the server with, it prints out for the normal user

I'm beeing run as regular user, I will listen to port 2222
Starting Dropbear SSH server: dropbear.

or for the root just

Starting Dropbear SSH server: dropbear.

You can check that the SSH server is running

$ ps ax | grep dropbear
 2095 user        584 S   /var/lib/install/usr/sbin/dropbear -d /var/
 2860 user        360 S   grep dropbear

The second column shows that the server is running as an ordinary user.

Stopping server

Stop the SSH server

/var/lib/install/etc/init.d/dropbear-server stop

Depending on which user you started the server with, it prints out for the normal user

I'm beeing run as regular user, I will listen to port 2222
Stopping Dropbear SSH server: dropbear.

or for the root just

Stopping Dropbear SSH server: dropbear.

Sometimes the script doesn't shut the server down, so check whether the server is still running

$ ps ax | grep dropbear
 3026 user        584 S   /var/lib/install/usr/sbin/dropbear -d /var/
 3027 user       1088 S   /var/lib/install/usr/sbin/dropbear -d /var/
 3029 user        908 S   /var/lib/install/usr/sbin/dropbear -d /var/
 3057 user        360 S   grep dropbear

As can be seen, there are actually three Dropbear SSH server processes still running. To kill them manually

kill 3026
kill 3027
kill 3029

Check again

$ ps ax | grep dropbear
 3069 user        360 S   grep dropbear

Now they are all gone.

Starting/stopping server automatically

Become root and create a symlink that will make the Dropbear SSH server start and stop automatically

$ sudo gainroot
(output suppressed)
# ln -s /var/lib/install/etc/init.d/dropbear-server /etc/rc2.d/S20dropbear-server

Using SCP

You will need to install dropbear-key, dropbear-server and dropbear-client (yep, that's 3 packages) to be able to scp to your Nokia 770.


Dropbear SSH client

Installing

Installing the Dropbear client is straightforward: install the dropbear-client package from http://nohar.nerim.net/n770 and start /var/lib/install/usr/bin/dbclient in an xterm.

When you can't connect

When the client reports the error 'connection to ... exited: No auth methods could be used.', you can set 'PasswordAuthentication yes' in the sshd_config on the server you're trying to connect to. For more information, see halfway down this IRC log (around 22:04)

Make sure you log in as user@.

Set up aliases for the ssh and scp clients

This section shows you how to set up aliases to the Dropbear-equivalent ssh, ssh-keygen, and scp clients on your 770 to easily connect to other machines.

Creating scripts locally or via ssh

Open xterm, or connect via ssh into your 770, and become root

$ sudo gainroot
Root shell enabled


BusyBox v1.00 (Debian 2:20041102-11) Built-in shell (ash)
Enter 'help' for a list of built-in commands. 

Change folder

# cd /usr/bin

Create the scripts with the echo command. You can type every character if you like, but the easier way is to copy the commands from here and paste them into the terminal/console. The scripts pass their arguments on as "$@" so that arguments containing spaces stay intact.

ssh

# echo '#!/bin/sh' > ssh
# echo '/var/lib/install/usr/bin/dbclient -i ~/.ssh/id_dsa "$@"' >> ssh

scp

# echo '#!/bin/sh' > scp
# echo '/var/lib/install/usr/bin/scp -i ~/.ssh/id_dsa "$@"' >> scp

ssh-keygen

# echo '#!/bin/sh' > ssh-keygen
# echo '/var/lib/install/usr/bin/dropbearkey "$@"' >> ssh-keygen

Check the scripts with the cat command (optional)

For example ssh:

# cat ssh
#!/bin/sh
/var/lib/install/usr/bin/dbclient -i ~/.ssh/id_dsa "$@"

Change permissions

# chmod 755 ssh scp ssh-keygen

Leave root

# exit

Creating scripts by using scp (or other file transfer)

On your desktop/development machine (in a temporary working directory), create the following files:

ssh

#!/bin/sh
/var/lib/install/usr/bin/dbclient -i ~/.ssh/id_dsa "$@"

scp

#!/bin/sh
/var/lib/install/usr/bin/scp -i ~/.ssh/id_dsa "$@"

ssh-keygen

#!/bin/sh
/var/lib/install/usr/bin/dropbearkey "$@"

On your desktop, scp those files into your user home directory on the 770

scp ssh scp ssh-keygen user@myipaddress:

SSH into the 770, become root, change the permissions and copy the files to /usr/bin

cd /usr/home
sudo gainroot
chmod 755 ssh scp ssh-keygen
cp ssh scp ssh-keygen /usr/bin

Leave root

# exit

Generate a DSA key for outgoing connections

As user, generate a DSA key for outgoing connections

ssh-keygen -t dss -f /home/user/.ssh/id_dsa

The above command will output your public key to the tty, but does not save it. Capture the whole key (up to, but not including, the fingerprint:...) in your desktop's terminal, save it to a file called id_dsa.pub and scp that file to /usr/home/.ssh/id_dsa.pub on your 770 (optional). More importantly, append that key to ~/.ssh/authorized_keys on any machine you want to ssh into from the 770.

Now you should be able to open the X terminal on the 770, type ssh me@example.com, and be logged in over SSH. Similarly, you can scp file me@example.com:file. You can turn off the PasswordAuthentication yes setting in sshd_config that you set in the above step.

A note about keys

The Dropbear SSH daemon seems to accept only RSA keys for incoming SSH connections. However, it can use DSA keys for outgoing connections, as the example above shows.


Quick How-To Summary

Here's how to easily and quickly set up the SSH daemon:

1. Download and install the following packages from Index of /n770 in this order:
   1. dropbear-key
   2. dropbear-server
   3. dropbear-client

2. Gain root access to your device by following the instructions at HowDoiBecomeRoot - Maemo Wiki: sudo gainroot

3. Lock root account to disable root login through SSH (sudo gainroot continues to work, of course): passwd -l root

4. Set a (SECURE!) password for your user account so you can login through SSH (by default, the user account has no password and is locked): passwd user

5. Start the SSH daemon manually: /var/lib/install/etc/init.d/dropbear-server start

6. Automatically start SSH at device startup (optional - only do this after making sure it works properly): ln -s /var/lib/install/etc/init.d/dropbear-server /etc/rc2.d/S20dropbear-server


OpenSSH SSH client and server

There can be only one SSH server listening to the default port, so if you've set up Dropbear SSH to be autostarted as root before, you'll have to disable its autostart and shut it down. If Dropbear is running as user and bound to a port other than 22, both could be run simultaneously, but that might be too taxing for the Nokia 770's limited resources. It's better to run only one SSH server, so before installing OpenSSH server, it's best to remove Dropbear:

Remove Dropbear ssh server

1. Switch to root: sudo gainroot
2. Stop the Dropbear server: /var/lib/install/etc/init.d/dropbear-server stop
3. Remove the autostart link: rm /etc/rc2.d/S20dropbear-server

Install OpenSSH SSH client and server

1. Download the package openssh and install it. See http://maemo.org/maemowiki/ApplicationCatalog2006 for the 2006 Edition package and instructions.
2. Switch to root: sudo gainroot
3. For security reasons, lock the root account (passwd -l root) and set a password (passwd user), or use public key authentication.
4. Set up OpenSSH: /var/lib/install/sbin/setup-ssh.sh
5. Start the OpenSSH server: /etc/init.d/sshd start