Development Team/Manual/Setup: Difference between revisions

m Reverted edits by Empress09 (talk) to last revision by Patrol
Line 229: Line 229:
== SSH Access ==
== SSH Access ==


You will often want to be able to use file-transfer and remote-login operations to access your Sugar environment.  We generally recommend using ssh-based access for working with your Sugar environment remotely.
You will often want to be able to use file-transfer and remote-login operations to access your Sugar environment.  We recommend using ssh-based access for working with your Sugar environment remotely.


Note: If you are using sugar-jhbuild you likely do '''not''' need to follow these instructions (since you're already using a running Linux desktop that shares its login and file-system with the Sugar instance).
Note: If you are using sugar-jhbuild you likely do '''not''' need to follow these instructions (since you're already using a running Linux desktop that shares its login and file-system with the Sugar instance).
Line 240: Line 240:
=== Password Based ===
=== Password Based ===


Password-based SSH authentication is convenient and simple to set up, but it is far easier to crack than key-based access.  Consider using key-based authentication unless you are absolutely sure that no-one can reach your Sugar environment from untrusted networks (and maybe even then).
Password-based SSH authentication is convenient and simple to set up.
 
''(However, it is far easier to crack than key-based access.  This is because a password can be guessed, especially if multiple automatic attacks are made.  Attacks can arrive over a wireless network from hosts that you trust.  It is more secure to use key-based authentication.  Accept password-based authentication if you are confident that your network is secured.)''


Open a [[OLPC:Terminal]] activity and run:
Open a [[OLPC:Terminal]] activity and run:
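Review bot: In the new italic parenthetical under Password Based, the closing sentence "Accept password-based authentication if you are confident that your network is secured" sits awkwardly with the earlier sentence in the same parenthetical, which says attacks can arrive from hosts that you trust. The removed text was stricter ("unless you are absolutely sure ... (and maybe even then)"). Suggest keeping the key-based recommendation as a plain Note rather than an italic aside, and rewording or dropping the "Accept" sentence so the paragraph does not end by endorsing passwords.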
Line 246: Line 248:
   passwd
   passwd


which will prompt you to enter a password (and confirm it).
which will prompt you to enter a password (and confirm it).  This enables remote access for the default user.


Note: you can also set a password on the root account by doing:
Since the default user can su, you should also set a password on the root account:


  su root
  su root
  passwd
  passwd
in the terminal window.  This is strongly recommended if you are going to allow remote access to your machine.


=== SSH Key Based ===
=== SSH Key Based ===
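Review bot: The replacement sentence "Since the default user can su, you should also set a password on the root account" does not say why one follows from the other, and the change removes the line that tied this step to remote access ("This is strongly recommended if you are going to allow remote access to your machine"). If the intent is that a remote login as the default user should not lead straight to root, say so in the sentence itself. It would also help to state whether the root password can then be used to log in over SSH directly, since the text now leaves two password-protected accounts on a reachable machine.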
Line 261: Line 261:
In summary, you create a private key which will be stored on your remote system and encrypted with a strong password.  You transfer the public key (think of it as a lock) that corresponds to that key to the Sugar environment and install it as an "authenticated key" which can be used to log into the Sugar environment.
In summary, you create a private key which will be stored on your remote system and encrypted with a strong password.  You transfer the public key (think of it as a lock) that corresponds to that key to the Sugar environment and install it as an "authenticated key" which can be used to log into the Sugar environment.


On your remote system, install SSH (Linux and MacOS will already have it installed, on Windows use the PuTTY program) and generate a new ssh key pair (following is for Linux/MacOS, refer to PuTTY's documentation for details on Windows):
On your remote system, install SSH (Linux and Mac OS X will already have it installed, on Windows use the PuTTY program) and generate a new ssh key pair (following is for Linux and Mac OS X, refer to PuTTY's documentation for details on Windows):


   ssh-keygen
   ssh-keygen
Line 269: Line 269:
* Accept the defaults for key-type and size.
* Accept the defaults for key-type and size.
* If ssh-keygen asks if you want to overwrite a key say '''No''', you are about to destroy your current ssh key!
* If ssh-keygen asks if you want to overwrite a key say '''No''', you are about to destroy your current ssh key!
* Use a strong pass-phrase that you can remember easily (the pass phrase will need to be entered frequently unless you make use of an ssh-agent such as offered by PuTTY or Gentoo's keychain)
* Use a strong passphrase that you can remember easily (the passphrase will need to be entered frequently unless you make use of an agent such as offered by PuTTY, ssh-agent or Gentoo's keychain)


This will normally create a file in your ~/.ssh/ directory named id_rsa.pub (if you accepted the defaults).  You now need to copy this file to your Sugar environment and add it to the contents of your ~/.ssh/authorized_keys file (you may need to create the file).
''ssh-keygen'' will normally create a file in your ~/.ssh/ directory named id_rsa.pub (if you accepted the defaults).  Copy this file to your Sugar environment and add it to the contents of the ~/.ssh/authorized_keys file (you may need to create the file).


  mkdir ~olpc/.ssh
  mkdir ~/.ssh
  cat id_rsa.pub >> ~olpc/.ssh/authorized_keys
  cat id_rsa.pub >> ~/.ssh/authorized_keys


add your key to your keychain/ssh-agent application and you can now use SSH with just a single sign-on for many concurrent actions.
add your key to your keychain or ssh-agent application and you can now use SSH with just a single sign-on for many concurrent actions.


See: [[OLPC:Emulating the XO/Help_and_tips#SSH into qemu|SSH Into Qemu]] for Qemu-specific notes regarding port forwarding
See: [[OLPC:Emulating the XO/Help_and_tips#SSH into qemu|SSH Into Qemu]] for Qemu-specific notes regarding port forwarding
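Review bot: Changing ~olpc/.ssh to ~/.ssh in the two command lines makes the destination depend on who runs them. A reader still in the "su root" shell from the Password Based section would install the key into root's home instead of the default user's, so the text should say which account to run these as. Separately, neither revision sets permissions on the new directory or file. Adding "chmod 700 ~/.ssh" and "chmod 600 ~/.ssh/authorized_keys" after the cat line keeps sshd's strict mode checks from rejecting the key over loose permissions. Minor: "mkdir -p" avoids an error when the directory already exists, and the sentence beginning "add your key to your keychain" should start with a capital.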