Application:OpenSSH

From WebOS Internals

Introduction

OpenSSH is a FREE version of the SSH connectivity tools that technical users of the Internet rely on.

OpenSSH is available for installation in Preware. Just type "OpenSSH" in the Preware home screen to search for and install the package.

Please refer to the OpenSSH Home Page and read the OpenSSH Manual Pages before using this package.

There are two ways to generate the keys below. The PC one assumes you have a user account name and password to gain access with PuTTY; I assume it is not possible to complete the steps for that method without setting up a user account. I find the webOS method to be much easier to follow, and I imagine that if you are new to Linux and to accessing Linux on webOS, the webOS method is the one you will want to follow. I also recommend the webOS method if you have trouble following the PC method or find it too wordy.

Generate Keys

Mac OS X (tested with Lion)

Start a new terminal session in Mac OS and su to root. Once in root on your mac:

ssh-keygen

Accept the default filename by pressing Enter at the prompt. Enter a passphrase for your private key file. You will use this passphrase later, so remember it. After the key file is generated, you need to copy your public key over to your device. Attach your TouchPad as a USB drive and copy the file (if applicable, replace "HP\ TouchPad" with whatever your device is named):

 cp /var/root/.ssh/id_rsa.pub /Volumes/HP\ TouchPad/


Windows PC (PuTTY)

If you are connecting to your webOS device from a Windows host computer, please read the Secure Linux/UNIX access with PuTTY and OpenSSH Tech Tip and follow those instructions for generating your SSH keys. For the section "Install public key on Linux system", you will need to put the "Public Key for pasting into OpenSSH authorized_keys file" into a /home/root/.ssh/authorized_keys file.

Optware installs openssh under /opt, so you should replace any references to /bin, /sbin, and /etc in the OpenSSH documentation with /opt/bin, /opt/sbin and /opt/etc respectively.

Generate Keys from webOS

Launch Preware and install Terminal if you haven't previously installed it. If Terminal does not work, try XTerm instead. It will be used to create your secure SSH keys for use with OpenSSH directly on your webOS device. Once Terminal is installed launch it and follow these steps:

To go to the root directory type:

cd /

Then type:

/opt/bin/ssh-keygen

to create the private and public keys. After a short time (about a minute) accept the default filename by pressing Enter at the prompt. Enter a passphrase for your private key file. You will use this passphrase later, so remember it.

Now the secret key needs to be transferred to the PC you want to access linux on webOS from. First copy the secret key to the area accessible from drive mode. To do this, type:

cp /home/root/.ssh/id_rsa* /media/internal/

We are all done using Terminal, so you can close it by tossing it off the top of the screen like you would for any other application. Next, connect your device to the PC with the USB cable and tap drive mode. Once drive mode is active, open the drive letter for the device on your PC (ex. "PALM PRE (E:)"). Copy the "id_rsa" and "id_rsa.pub" files to somewhere on your PC where you will remember their location (ex. to the desktop). You can also copy the files with a Word document extension ".doc" and email them to yourself. You will have to rename them back.

cp /home/root/.ssh/id_rsa /media/internal/id_rsa.doc

Install keys on your device

Now disconnect the device from USB mode and load up a terminal on your TouchPad (or use Novacom). Once in a terminal, you are going to move the key files into the right locations and set permissions on the appropriate files.

cat /media/internal/id_rsa.pub >> /home/root/.ssh/authorized_keys
rm /media/internal/id_rsa.pub

The following permission change is necessary for the keys to be loaded:

chmod 700 ~/.ssh


Connecting to your device

Using the key with SSH in Terminal

Put your private key file in the standard location ~/.ssh/id_rsa on the machine you are using to connect to the Pre, or tell ssh where it is with the -i switch as follows:

user@host:~$ ssh -i /path/to/private/key remoteuser@remotehost

Then connect to the device (the -vvv option prints verbose debug messages; you can remove it once everything works):

ssh root@<touchpad ip> -vvv

When prompted, enter the passphrase you chose when creating the key at the beginning.


Using a key with PuTTY

If you have the webOS SDK installed you will already have PuTTY (in \SDK\bin\ of the folder the SDK was installed in). If you don't have the webOS SDK installed, you can install it to get PuTTY or you can download PuTTY. You will also need PuTTYgen. If you will be using WinSCP you already have it (in start menu>winSCP>key tools); otherwise download it from the same site as PuTTY. If this is your first time using PuTTY to access Linux on webOS, or you wish to verify that the configuration is correct, please follow these steps:

  • If you created the key on the device, follow these steps to convert it to a format PuTTY can use. You will only have to do this once.
    • Open PuTTYgen.
    • Select the conversions menu.
    • Select import key.
    • Choose the id_rsa file you copied to the PC from your device and click open.
    • Enter the passphrase you entered during key generation and click ok.
      • You will see all sorts of information in the window at this point.
    • Click the save private key button.
    • Enter a name for it (no need to type the ppk extension) and save it somewhere you will remember its location.
    • Close PuTTYgen


  • Open PuTTY.
  • Enter the IP address assigned to your webOS device (ex. 192.168.1.100).
  • Enter 22 for the port number.
  • Select the radio button for SSH
  • Select the Data section under Connection on the left.
  • Enter root for the auto-login username.
  • Select the Auth section under SSH under Connection on the left.
  • Click the Browse button for private key file.
  • Select the ppk file you made with PuTTYgen and click open.
  • Select Session on the left.
  • Enter a name in the Saved Session box and click the save button.
    • This will allow you to load the settings for future use.
  • Make sure your device's wifi is on.
    • You can install nodoze to keep wifi on if need be.
  • Click open in PuTTY to connect.

If everything is configured correctly you should see the following in the terminal window on your pc:

Using username "root".
Authenticating with public key "imported-openssh-key"
Passphrase for key "imported-openssh-key":
  • Enter the passphrase you created during key generation.

You should now see:

root@palm-webos-device:/var/home/root#

Congratulations, you now have access to Linux on your webOS device. You may now use the command prompt for anything you need. There is a lot you can do with it, so if you haven't already, check out the rest of the webos-internals site for ideas. You may also want to set up WinSCP for an Explorer-like Windows interface to access and work with files.

Using the Filezilla SFTP Client

Make sure you have installed the OpenSSH SFTP server from Preware.

For SFTP using SSH2, FileZilla utilizes the excellent PuTTY tools. To allow the use of RSA / DSA key files with FileZilla, you'll need to download one more tool from PuTTY: Pageant.

Make sure you have converted your key to PuTTY's PPK format as described above.

Now run Pageant. In your system tray, you'll see the Pageant icon appear. Right-click the icon and select "Add Key" and select your private key (PPK) file. Follow the prompt to enter your pass phrase and you're done.

Now simply launch FileZilla and connect to your server using SFTP over SSH, with the user name root and an empty password. Don't forget to close Pageant when you're done.

As you may or may not know, FileZilla can be easily carried around on portable media such as a USB stick and used from any PC. This also applies to the PuTTY tools, so if you stick Pageant and your PPK key file on to, for example, a USB stick, you can now access your server from any Windows PC.

Filezilla Alternative Method Using Unprotected Key

In the Edit - Settings menu of the FileZilla client, you can [Add key file...] under Connection - SFTP, and FileZilla can then use public key authentication in the site manager with the 'Interactive' logon type. However, if the original .ppk file is password-protected, it is converted to an unprotected one (FileZilla can do that for you when importing the file). As of 3.3.2.1, password-protected key files are not yet supported.

Using the key with winSCP

  • Open winSCP.
  • Enter the IP address assigned to your webOS device (ex. 192.168.1.100) in the host name box.
  • Enter 22 for the port number.
  • Enter root in the user name box.
  • Leave winSCP open and follow these steps:
    • Open PuTTYgen (startmenu>winSCP>key tools).
    • Select the conversions menu.
    • Select import key.
    • Choose the id_rsa file you copied to the PC from your device and click open.
    • Enter the passphrase you entered during key generation and click ok.
      • You will see all sorts of information in the window at this point.
    • Click the save private key button.
    • Enter a name for it (no need to type the ppk extension) and save it somewhere you will remember its location.
    • Close PuTTYgen and go back to winSCP where we left off.
  • Click the "..." button for the private key file box.
  • Select the ppk file you made with PuTTYgen and click open.
  • Click the save button and enter a name and click ok.
    • This will allow you to load the settings for future use.
  • You should now be seeing the stored sessions list with the session you just saved.
  • Make sure your device's wifi is on.
    • You can install nodoze to keep wifi on if need be.
  • Select the session you saved and click the login button.
  • Enter the passphrase you created during key generation.

If everything is configured correctly you should see a window with a list of folders, similar to Explorer. Congratulations, you now have access to Linux on your webOS device. You may now begin working with files on the device. You can copy, delete, and edit files as you would in Windows. Certain actions will require read-write mode (enter mount -o remount,rw / at the command prompt in PuTTY or Terminal, and mount -o remount,ro / to go back to read-only mode).


Troubleshooting / Hints

Unable to connect

The upstart script must be modified. As of 08/28/11, there were some issues with upstart not working and OpenSSH not loading.

vi /var/palm/event.d/mobi.optware.openssh

Comment out the existing start and stop commands and add the new lines below them. As of writing this, it's still not clear why there were issues starting with the org.webosinternals.optware dependency, so feel free to update this with a better script or more details:

#start on stopped finish and started org.webosinternals.optware
#stop on runlevel [!2]

start on stopped finish
# and started org.webosinternals.optware

# Stop when the Software Update tool is about to install an update.
# upstart restarts the job when installation is complete.
stop on started start_update

Save and exit vi:

:wq!

You can test that sshd starts and view any key errors by typing:

/opt/sbin/sshd -D

If you receive the error "Permissions 0777 for '/opt/etc/openssh/ssh_host_rsa_key' are too open.", change the permissions on this key file to 600:

chmod 600 /opt/etc/openssh/ssh_host_rsa_key

and remove write permission on the parent directory:

chmod go-w /opt/etc/openssh

If /opt/sbin/sshd -D reports "Could not load host key: /opt/etc/openssh/ssh_host_ecdsa_key", you can create the key manually:

/opt/bin/ssh-keygen -t ecdsa -f /opt/etc/openssh/ssh_host_ecdsa_key -N ''
chmod 600 /opt/etc/openssh/ssh_host_ecdsa_key

Once this is done, you should be able to start sshd:

start mobi.optware.openssh


If you have any other problems, be sure to take a look at the log files on your TouchPad:

grep ssh /var/log/messages

Check that the service is running:

ps aux | grep sshd
status mobi.optware.openssh

Try connecting to the TouchPad locally:

ssh localhost
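
The permission requirements above (chmod 700 ~/.ssh when installing keys, and the "Permissions 0777 ... are too open" host-key error) can be checked in one pass, along with private-key copies left behind in the drive-mode area by the cp id_rsa* step. This script is an added example, not part of the original page or the OpenSSH package; its function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the modes OpenSSH is strict about, plus private-key
# copies left in the drive-mode area. All paths are passed as arguments.

# mode_of PATH -> 10-character mode string from ls, e.g. drwx------
mode_of() { ls -ld "$1" | cut -c1-10; }

# go_writable PATH -> true if group or other has write permission
go_writable() {
    case "$(mode_of "$1")" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# go_any PATH -> true if group or other has any permission bit set
go_any() {
    case "$(mode_of "$1")" in
        ????------) return 1 ;;
    esac
    return 0
}

# audit_ssh_perms SSH_DIR HOSTKEY_DIR DRIVE_DIR -> one line per finding
audit_ssh_perms() {
    for p in "$1" "$2" "$1/authorized_keys"; do
        if [ -e "$p" ] && go_writable "$p"; then
            echo "WRITABLE $p (chmod go-w)"
        fi
    done
    for k in "$1"/id_rsa "$2"/ssh_host_*_key; do
        if [ -f "$k" ] && go_any "$k"; then
            echo "OPEN-KEY $k (chmod 600)"
        fi
    done
    for k in "$3"/id_rsa "$3"/id_rsa.doc; do
        if [ -f "$k" ]; then echo "KEY-COPY $k (remove once it is on the PC)"; fi
    done
    return 0
}

# make_sample DIR -> constructed tree reproducing the 0777 host-key error
make_sample() {
    mkdir -p "$1/ssh" "$1/etc" "$1/drive"
    chmod 700 "$1/ssh"; chmod 777 "$1/etc"
    : > "$1/etc/ssh_host_rsa_key"; chmod 777 "$1/etc/ssh_host_rsa_key"
    : > "$1/drive/id_rsa.doc"
}
# On the device: audit_ssh_perms /home/root/.ssh /opt/etc/openssh /media/internal
```

An empty result means none of the three conditions were found; each finding line names the path and the fix used on this page.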

Enabling non-root Password logins via SSH using the command line

Access the command line on your Pre via Terminal, SSH, or Novaterm.

Type the following at the root prompt to allow write access to your / disk:

mount -o remount,rw /

Edit the mobi.optware.openssh file in the /etc/event.d/ or /var/palm/event.d directory (depending on the version of openssh). Find the exec line and change

"PasswordAuthentication no"

to

"PasswordAuthentication yes"

The line should now look like this:

exec /opt/sbin/sshd -D -p 22 -o "PasswordAuthentication yes" -o "PermitRootLogin without-password"

Save and exit, then restart the openssh service as follows:

stop mobi.optware.openssh
start mobi.optware.openssh

Once you are finished make sure you make your / disk read-only again (this is the default):

mount -o remount,ro /

Do not change anything else. Now if you've created a username for yourself and set a password, you'll be able to log in with a password. After every Palm WebOS upgrade, you'll need to recreate any accounts other than root with adduser <account>, which will then prompt you to set a password.

Warning: It is strongly suggested that you set up another ssh key for any additional users instead of using the password authentication method. Just follow the steps above.

Enabling ssh over EVDO

Access the command line on your Pre via Terminal, SSH, or Novaterm.

Type the following at the root prompt to allow write access to your / disk:

mount -o remount,rw /

Edit the mobi.optware.openssh file in the /etc/event.d/ or /var/palm/event.d directory (depending on the version of openssh). Find the iptables lines and remove the "-i eth0" clause. For example:

 /usr/sbin/iptables -D INPUT -i eth0 -p tcp --dport 222 -j ACCEPT || /bin/true
 /usr/sbin/iptables -I INPUT -i eth0 -p tcp --dport 222 -j ACCEPT

becomes

 /usr/sbin/iptables -D INPUT -p tcp --dport 222 -j ACCEPT || /bin/true
 /usr/sbin/iptables -I INPUT -p tcp --dport 222 -j ACCEPT

Save and exit with ZZ or :wq, then restart the openssh service as follows:

stop mobi.optware.openssh
start mobi.optware.openssh

Once you are finished make sure you make your / disk read-only again (this is the default):

mount -o remount,ro /
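
The two job-file edits above (switching PasswordAuthentication to yes, and dropping the "-i eth0" clause) both change what the device accepts and from where. As an added example, not from the original page or the package, this script reads a job file and reports the effective settings and risky combinations; it assumes exec and iptables lines shaped like the ones quoted here, and its function names and sample job are constructed.

```shell
#!/bin/sh
# Added example: summarise what an Optware OpenSSH upstart job exposes.
# Function names and the sample job are constructed for illustration.

# opt_value LINE NAME -> the word following NAME on LINE (empty if absent)
opt_value() {
    printf '%s\n' "$1" | sed -n "s/.*$2 \([A-Za-z0-9-]*\).*/\1/p"
}

# sshd_job_report FILE -> key=value lines; commented-out lines are ignored
sshd_job_report() {
    exec_line=$(grep -E '^[[:space:]]*exec .*sshd' "$1" | head -n 1)
    rule=$(grep -E '^[[:space:]]*[^#[:space:]]*iptables -I INPUT' "$1" | head -n 1)
    port=$(opt_value "$exec_line" '-p')
    pw=$(opt_value "$exec_line" PasswordAuthentication)
    root=$(opt_value "$exec_line" PermitRootLogin)
    iface=$(opt_value "$rule" ' -i')
    echo "port=${port:-22}"
    echo "password_auth=${pw:-yes}"    # sshd defaults to yes when unset
    echo "root_login=${root:-default}"
    if [ -n "$rule" ]; then
        echo "firewall_iface=${iface:-any}"
        echo "firewall_port=$(opt_value "$rule" '--dport')"
    fi
}

# sshd_job_warnings FILE -> one line per risky combination, nothing if clean
sshd_job_warnings() {
    r=$(sshd_job_report "$1")
    p=$(printf '%s\n' "$r" | sed -n 's/^port=//p')
    f=$(printf '%s\n' "$r" | sed -n 's/^firewall_port=//p')
    case "$r" in
        *password_auth=yes*firewall_iface=any*)
            echo "password logins are accepted on every interface" ;;
    esac
    if [ -n "$f" ] && [ "$f" != "$p" ]; then
        echo "firewall opens port $f but sshd listens on $p"
    fi
    return 0
}

# sample_job -> constructed job body built from the lines shown on this page
sample_job() {
    cat <<'EOF'
/usr/sbin/iptables -D INPUT -p tcp --dport 222 -j ACCEPT || /bin/true
/usr/sbin/iptables -I INPUT -p tcp --dport 222 -j ACCEPT
exec /opt/sbin/sshd -D -p 22 -o "PasswordAuthentication yes" -o "PermitRootLogin without-password"
EOF
}
```

On the device, point it at the real job file, for example sshd_job_warnings /var/palm/event.d/mobi.optware.openssh.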

Setting up ExpanDrive (SftpDrive)

[ed: I think these are directions for Windows or Mac]

Note: This requires access to the device's file system by any means.

  • Open ExpanDrive
  • Click "New drive..."
  • Type a name into the "Drive Name" box.
  • Type in the IP address of the device in the "Server" box.
  • Type "root" into the "Username" box.
  • Choose "Use a public key to log in..." from the "Authentication" drop-down.
  • Click "Create New Key Pair"
  • Choose "RSA (ssh-rsa)" from the "Key type" drop-down.
  • Click "Create Key Pairs".
  • Click "Ok".
  • Click "Export current Key Pair"
  • Click both "Export Private Key" and "Export Public Key" and save the files somewhere (remember where you saved them) and click "Ok".
  • Open the .pub file you saved in the previous step using a plain text editor.
  • Copy the contents of the entire file and paste it into "/var/home/root/.ssh/authorized_keys" (on the device) on the next line and save it.
  • Go back to ExpanDrive and click "Ok" on the still open "Public Key Authentication Properties" dialog.
  • Choose "Show the entire server" from the "Directory" drop-down.
  • Click "Connect" to connect and save the configuration.
  • After the connection process is complete, a new Explorer window will open and you will be in the "%DriveLetter%:\var\home\root" directory.