Sunday, May 10, 2015

HOWTO - SSH auto login to your Raspberry Pi with Putty

Install PuTTY, PuTTYgen, And Pageant on your Windows system

First we need to install PuTTY, PuTTYgen, and Pageant on our Windows system. All we need to do is download the exectuable files (.exe) and save them somewhere, e.g. on the desktop. We don't need to install them as they are standalone applications. To start them, we only need to double-click them.
Download the following files from the PuTTY download page and save them on your Windows system, e.g. on the desktop:
http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
http://the.earth.li/~sgtatham/putty/latest/x86/puttygen.exe
http://the.earth.li/~sgtatham/putty/latest/x86/pageant.exe

Create A profile with settings for your Server

In PuTTY, you can create profiles for connections to your various SSH servers, so you don't have to type in the settings again when you want to connect to a certain server again.
Let's create a profile for our 192.168.0.100 server. Start PuTTY by double-clicking its executable file. You are now in the category Session (see the tree on the left side of the screenshot). Enter 192.168.0.100 under Host Name (or IP address), enter 22 under Port and select SSH under Protocol:




























Then go to Connection -> Data and specify the username with that you want to log in to your SSH server under Auto-login username. In this article I use root:





























Then go to Session again. Under Saved Sessions enter a name for the profile, e.g. 192.168.0.100 or any other string that lets you remember for which server the profile is. Then click on Save:





























The next time you use PuTTY, you can simply select the appropriate profile from the Saved Sessions text area, click on Load and then Open.
Now we can connect to our SSH server simply by clicking on Open.





























If you connect to the server for the first time, a security warning pops up. This is because PuTTY doesn't know the server's host key yet, so it is safe to click on Yes. (If this happens again later on, this can mean that another server is now running under the same IP address, or that someone has broken in and changed the key.)






















We have saved the username with which we connect in our profile settings, so we don't have to type it here again. We only have to specify that user's password:












Generate A Private/Public Key Pair

We can use PuTTYgen to create a private/public key pair. Start it by double-clicking its executable file. Make sure you select SSH-2 RSA under Type of key to generate and specify 1024 as the Number of bits in a generated key. Then click on Generate:





























Please move the mouse pointer over the blank area during the key generation to generate some randomness:






























Now a private/public key pair has been generated. Under Key comment, you can enter any comment; normally you use your email address here. Then specify a Key passphrase and repeat it under Confirm passphrase. You'll need that passphrase to log in to SSH with your new key. Then click on Save publick key and save it in some safe location on your computer. You are free to choose a filename and extension, but it should be one that lets you remember for which system it is.





















































Then click on Save private key. You can save it in the same location as the public key - it should be a location that only you can access and that you don't lose! (If you lose the keys and have disabled username/password logins, then you can't log in anymore!) Again, you're free to choose a filename, but this time the extension must be .ppk:





























Then copy the public key from the PuTTYgen window:

























Save The Public Key On The Server

Then log in to your SSH server (if you have closed the previous SSH session already), still with the username and password, and paste the public key into the file ~/.ssh/authorized_keys2 (in one line!) like this:

mkdir ~/.ssh
chmod 700 ~/.ssh
vi ~/.ssh/authorized_keys2
That file must be write/readable only by that user, so we run
chmod 600 ~/.ssh/authorized_keys2

Attach The Private Key To The PuTTY Profile

Now launch PuTTY again and load the profile of your SSH server (192.168.0.100):




























Then go to SSH -> Auth and click on Browse:




























Browse your file system and select your previously created private key:






















































Then go to Session again and click on Save:





























Now we have attached the private key to our 192.168.0.100 PuTTY profile.


Our First Key-Based Login

Now everything is ready for our first key-based login to our SSH server. Click on Open:



As you can see, the public key is now used for authentication, and you are asked for the passphrase:











Disable Username/Password Logins

Up to now, you can log in with your private/public key pair and still with username/password logins, so if someone doesn't attach a private key to his PuTTY session, he will be asked for a username and password. So to achieve a better security, we must disable the username/password logins (you should do this only when you know that your key-based logins are working, because if they aren't and you disable username/password logins, then you have a problem...).

To disable the username/password logins, we must modify the sshd configuration file. On Debian/Ubuntu systems, it's /etc/ssh/sshd_config. You should set Protocol to 2 (1 is insecure and should not be used!), PasswordAuthentication to no, and UsePAM to no (or comment out the UsePAM line), e.g. like this:

vi /etc/ssh/sshd_config

[...]
Protocol 2
PasswordAuthentication no
UsePAM no
[...]


Then restart sshd. On Debian/Ubuntu, you can do it like this:
/etc/init.d/ssh restart

Now if you open a PuTTY session without your private key attached, you shouldn't be able to log in anymore.

Let Pageant Remember Your Key Passphrase

Whenever you use your key-based login now, you still have to specify your key passphrase. This can be annoying if you connect to the SSH server multiple times a day. Fortunately, you can tell the passphrase to Pageant which will then provide the passphrase whenever you log in to your SSH server.
You can start Pageant by double-clicking its executable file, afterwards, you should see Pageant running in the taskbar:

















Now double-click the Pageant icon in the taskbar. The following window comes up. Click on Add Key:























Browse your filesystem and select your private key:


























Then enter the passphrase for the private key:
























The key is now listed in Pageant's key list. Click on Close:
























As long as Pageant is running in the taskbar, you can log in to your SSH server without providing the passphrase - this is done by Pageant:























When you stop Pageant, it forgets all keys, so the next time you start Pageant you must add the keys again. This can also be annoying, but to prevent this, we can create a shortcut on the desktop to the Pageant executable. Right-click the Pageant executable and select Create Shortcut.
You should now find a shortcut. Right-click it and go to Properties.
Under Target, you will now find the path to pageant.exe, e.g. "C:\Users\SomeUser\Desktop\pageant.exe" (if there are no spaces in your path, you don't need the quotation marks). You can now simply add the location of your private key to that line, for example if you private key is C:\putty\my_keys\private_key_192.168.0.100.ppk then the line should look like this:

"C:\Users\SomeUser\Desktop\pageant.exe" C:\putty\my_keys\private_key_192.168.0.100.ppk
if there are spaces in the path to your private key, you must wrap it in quotation marks again, e.g. like this:

"C:\Users\SomeUser\Desktop\pageant.exe" "C:\directory with lots of spaces in name\my keys\private_key_192.168.0.100.ppk"
Now when you double-click on the Pageant shortcut, Pageant will automatically load your private key and ask you for the passphrase. Enter it, and that's it.

HOWTO - Install ceni network manager on Raspberry Pi


First of all, the custom ARM distribution of Kali Linux comes loaded with Network-Manager, which is the default way of doing network configurations in Kali Linux.

In my application for the Raspberry Pi, I only wanted to use the command line environment over a SSH session, but still be able to do a lot of network configuration, this seemed a problem with network-manager because of the fact that you couldn't easily manage it in the command line environment.

In addition to the default Debian-Style network management with the /etc/network/interfaces file and ifup/ifdown scripts, I wanted something which was easier to manage, perhaps something with some kind of a GUI. (I already hear you say GUI in command line??) Yes it's possible, Linux has something called curses interface, in which some applications are in the possibility to display a text based GUI.

For the Kali Linux distribution for the Raspberry Pi, which I suspect that runs on Debian under the hood, I came up with wicd and ceni as replacement network managers, I selected to go with ceni.

Now before I could install another network manager, I first needed to get rid of the old network manager, to remove enter the following:


  • apt-get remove network-manager
  • apt-get autoremove


To get Ceni, download the ceni Debian package at Siduction repository:

Install the downloaded package with the following command:
  • dpkg -i ceni_2.38_all.deb
   
The installation will generate some error because of missing dependencies, to correct this, execute the following to install the missing dependencies:
  • apt-get -f install
  
To launch ceni, just type:
  • ceni

Raspberry Pi - Mobile Hotspot with Kali Linux

Recently I was playing with the idea to create a working 3G mobile hotspot from a Raspberry Pi, loaded with Kali Linux.
One can think of numerous reasons for having such a device handy, for example if your Smart Phone still doesn't have mobile hotspot functionality, Kali Linux has a lot of tools to make this work flawlessly, hence my selection ;-)

So there I was with my idea, I had no clue where to start, but after reading on the Kali Linux site I stumbled upon their downloads page where they have pre-built images, also for the Raspberry Pi.

I downloaded the Kali Linux 1.0.6a image for the Raspberry Pi onto my desktop from the link below, it came as a compressed file (apparently LMZA2 compression)
After unzipping this with 7-Zip, I had my kali-Linux-1.0.6a-rpi.img file ready to put on to my SSD card.
You will need to download the win32 disk imager from Source Forge to be able to put this onto your SSD card.

After writing my kali-Linux-1.0.6a-rpi.img file onto my SSD card, I plugged my SSD into my freshly purchased Raspberry Pi box and booted it up while connected to my HDMI screen.
It booted properly into Kali Linux with Xfce as window manager, and was able to login to the box with root as login and toor as default password, default there was network-manager set up which got me a DHCP address, so no problem for the initial network connection.

I'm a real CLI lover, so the first thing which I did is make some tweaks which allowed me to work more easily with the CLI environment:

I edited my ~/.bashrc file to turn on CLI colorization:

# You may uncomment the following lines if you want `ls' to be colorized:
export LS_OPTIONS='--color=auto'
eval "`dircolors`"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -lA'
alias l='ls $LS_OPTIONS -l'
I replaced the default network-manager on the RPi with ceni, this is a network manager which uses the /etc/network/interfaces file and ifup/ifdown scripts to manage the network side of things, because it gave me the most straight forward network experience, also tried nmcli and wicd-curses, but uninstalled these because of odd behavior.

First I installed ceni network manager:

Download the ceni Debian package at Siduction repository:

Install the pagkage:
The installation will generate some error because of missing dependencies, to correct this, execute the following:
To launch ceni:

The first time U run ceni it will complain about network-manager which is running, select to use ceni and shutdown network-manager, after doing this just exit ceni.
If you're happy with your DHCP IP, you don't need to do anything here, if you want to set a fixed IP you can use ceni to reconfigure your eth0 interface, but, don't do this if you're ssh'd into the box, because you'll loose connection while reconfiguring the interface.

If ssh'd into the box just edit your /etc/network/interfaces file and replace:
auto eth0
iface eth0 inet dhcp

with:
auto eth0
iface eth0 inet static
address 192.168.1.5
netmask 255.255.255.0
gateway 192.168.1.254


Secondly: I disabled and uninstalled network-manager:

root@kali:~# apt-get remove network-manager
root@kali:~# apt-get autoremove
  
Now's the time to reboot your Raspberri Pi to test your new network configuration, if all went ok, your IP address will be up after the reboot.

Now for the G3 broadband part of things, I will be using three packages:

- PPP
The PPP package will install the point to point protocol daemon, which will manage the connection between you and your 3g provider. On the version of Kali that we're currently using, this package comes already preinstalled.

- Sakis3g
Sakis3g is a script used to make a 3g connection. You need to be able to provide a few details: your APN, the PIN for your sim card and your username and password if your provider requires them.
In my case, I purchased a Huawei E303 dongle, and a prepaid sim card from a local providere where I live.
You can grab a copy of the script on the Sourceforge website and set it up as follows:

Before going further, you should attempt to make a 3g connection using the sakis3g script alone, proving everything you've done up till now works. Sakis3g has an interactive mode, which will prompt you for information regarding your 3g connection. In the terminal window, type:
and follow the prompts on screen. If you have no APN user or password, enter '0'. Once a connection has been made, make sure you can browse the internet, or issue a ping from the terminal window:

- UMTSkeeper
UMTSkeeper is used to automatically reconnect you to the internet if your connection drops, it nails your connection up, and keeps it up.
Download and set up UMTSkeeper with the following commands:

Now to make sure that Sakis3g and UMTSkeeper will work correctly together we move the Sakis3g script into the umtskeeper folder that we just created:

root@kali:~/umtskeeper# mv ~/sakis3g ~/umtskeeper/sakis3g
Now test UMTSkeeper. The command at first may look a bit confusing (the details are for my connection):

./umtskeeper --sakisoperators "USBINTERFACE='0' OTHER='USBMODEM' USBMODEM='12d1:1506' APN='CUSTOM_APN' CUSTOM_APN='safaricom' SIM_PIN='1234' APN_USER='saf' APN_PASS='data'" --sakisswitches "--sudo --console" --devicename 'Huawei' --log --silent --monthstart 8 --nat 'no'

Breaking it down a little, these are the areas that you will need to change:
USBMODEM: The Device ID we found using the lsusb command earlier
CUSTOM_APN, APN_USER, APN_PASS, SIM_PIN: Information about your sim card and your providers data network.

A full breakdown of the paramaters can be found on the UMTSKeeper site.

Once you are satisfied UMTSKeeper is working in harmony with Sakis3g, we can edit /etc/rc.local so that it starts when the operating system boots. In the terminal window, type:

and add the following single line, edited to show your path to the umtsfolder you found with the 'pwd' command earlier:

PATH GOES HERE/umtskeeper --sakisoperators "USBINTERFACE='0' OTHER='USBMODEM' USBMODEM='12d1:1506' APN='CUSTOM_APN' CUSTOM_APN='safaricom' SIM_PIN='1234' APN_USER='saf' APN_PASS='data'" --sakisswitches "--sudo --console" --devicename 'Huawei' --log --silent --monthstart 8 --nat 'no' &

Now exit, saving your changes, and reboot your Raspberry Pi.  Upon reboot your Raspberri Pi will be connected over 3g and keep your connection hammered up.

This concludes the Mobile broadband part of things, so now U have internet, now still need to have a Wifi access point for wireless clients to connect to and a DHCP server to give them an IP and a DNS server address.



For the wireless part we will be configuring hostapd.
To install this package:

After installation we need to modify the hostapd configuration file:

Uncomment and set DAEMON_CONF to the absolute path of a hostapd configuration file and hostapd will be started during system boot:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

Save and close the file. Next create a text file called /etc/hostapd/hostapd.conf with the following contents:
# interface on which people will connect to your AP
interface=wlan0
# the bridge interface
bridge=br0
# the wireless driver to use (this default one will do in most cases)
driver=nl80211
# (IN == INDIA, UK == United Kingdom, US == United States and so on )
country_code=BE
# the name of your network that others will see
ssid=nixcraft
# Set operation mode (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g)
hw_mode=b
# the Wifi channel on which to run your AP
channel=6
# the encryption of your access point
wpa=2
# your wireless password
wpa_passphrase=password
# key management algorithm
wpa_key_mgmt=WPA-PSK
# Set cipher suites (encryption algorithms)
wpa_pairwise=TKIP
#Set cipher suites (encryption algorithms)
rsn_pairwise=CCMP
auth_algs=1
# Accept all MAC addresses
macaddr_acl=0



Save and close the file.

How Do I start / stop / restart AP?

Use the following commands:
# /etc/init.d/hostapd start
# /etc/init.d/hostapd stop
# /etc/init.d/hostapd restart

Step #3: Configure /etc/network/interfaces

You can setup wlan0 in standalone mode or bridge it with eth0. The bridge mode will open your wireless client to access rest of the LAN and you will able to connect to the Internet. Most user bridge the wireless interface with the AP's Internet-connected interface.

Set br0 (wlan0+eth0) in bridge mode

You need to install bridge-utils package for configuring the Linux Ethernet bridge:
# apt-get install bridge-utils 


Step #3: Configure /etc/network/interfaces

You can setup wlan0 in standalone mode or bridge it with eth0. The bridge mode will open your wireless client to access rest of the LAN and you will able to connect to the Internet. Most user bridge the wireless interface with the AP's Internet-connected interface.

Set br0 (wlan0+eth0) in bridge mode

You need to install bridge-utils package for configuring the Linux Ethernet bridge:
# apt-get install bridge-utils


Edit /etc/network/interfaces, enter:
# vi /etc/network/interfaces
Modify or set config as follows:

 
auto lo br0
iface lo inet loopback
 
# wireless wlan0
allow-hotplug wlan0
iface wlan0 inet manual
 
# eth0 connected to the ISP router
allow-hotplug eth0
iface eth1 inet manual
 
# Setup bridge
iface br0 inet static
    bridge_ports wlan0 eth1
    address 192.168.1.11
    netmask 255.255.255.0
    network 192.168.1.0
    ## isp router ip, 192.168.1.2 also runs DHCPD ##
    gateway 192.168.1.2
    dns-nameservers 192.168.1.2
 
Save and close the file. At this stage I recommend that you reboot the computer or restart all services as follows (may not work over remote ssh session):
# /etc/init.d/networking restart
# /etc/init.d/hostapd restart

OR
# reboot