SSH - Public Key Authentication, please integrate

Grisu1
White ninja
Posts: 9
Joined: 28 Aug 2023, 10:07
Distribution: Porteus Kiosk 5.5.0

SSH - Public Key Authentication, please integrate

Post#1 by Grisu1 » 28 Aug 2023, 10:54

Hello,

I am currently testing Porteus Kiosk for the visualization of the Smarthome, where I actually only need a halfway up to date browser.

The central configuration via a text file works very well! Also switching the monitor on and off via remote SSH commands. (export DISPLAY=":0"; xset dpms force off).

What is the distribution missing in my opinion?
1. SSH Public Key Authentication
The possibility of the central Porteus configuration text file to store a "id_rsa.pub" key,
which is then stored in the image under "authorized_keys".
So a passwordless login would be possible.

2. Browser Addon X-Frame-Options
Maybe someone has already had the problem of loading external sites in a visualization.
For this you usually need an addon to ignore X-Frame headers in the browser.
Is there already something ready for this problem?

Thanks for tips
Last edited by Grisu1 on 02 Sep 2023, 08:43, edited 1 time in total.

SSH - Public Key Authentication, please integrate

Post#2 by Grisu1 » 29 Aug 2023, 18:58

Solution Number 2:
I could solve myself :Yahoo!:
Helpful for Smarthome visualisation where external pages should be loaded in the existing visualisation.
Chrome with Adblocking & Adult Content Filtering (Post by Grisu1 #95375)

Solution Number 1
Workaround: (you can integrate the pubkey in the central configuration with run_command)

Code:

run_command=mkdir -p /root/.ssh ; echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAA.....W3clBpWk5ZY4li9 root@myworkstation" > /root/.ssh/authorized_keys ; chmod 600 /root/.ssh/authorized_keys &
Last edited by Grisu1 on 02 Sep 2023, 09:01, edited 3 times in total.

Rava
Contributor
Posts: 5416
Joined: 11 Jan 2011, 02:46
Distribution: XFCE 5.01 x86_64 + 4.0 i586
Location: Forests of Germany

2 Newbie Questions

Post#3 by Rava » 02 Sep 2023, 04:57

Grisu1 wrote:
28 Aug 2023, 10:54
1. SSH Public Key Authentication
The possibility of the central Porteus configuration text file to store a "id_rsa.pub" key,
which is then stored in the image under "authorized_keys".
I think having all Kiosk images use the same "id_rsa.pub" key goes against the security idea of SSH keys?
It would have to be a key that is authenticated by some authority; and that costs money and must be renewed on occasion; which again costs money. When you create your own SSH public key (= a key you can trust since you made it yourself, and when you only use it for your own systems you can omit the authentication which means it costs you no money) you have to manually adjust the Kiosk ISO you want it to use.

Or am I wrong about the public SSH keys?
Cheers!
Yours Rava

2 Newbie Questions

Post#4 by Grisu1 » 02 Sep 2023, 07:06

Hello, thanks for the reply.

No, not a common key!
I have just tested it, and write the steps that need to be done.

The /etc/ssh/sshd_config is already correct as it is, or does not need to be modified as it already supports pubkey authentication.

What does the user have to do?
Create a key pair. Command [ssh-keygen] and [cat id_rsa.pub] on a Linux workstation or PuTTYgen under Windows....
You should then be able to copy the output to the central Porteus configuration, and Porteus will write it to [.ssh/authorised_keys].

Code:

	authorised_keys1=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8...lBpWk5ZY4oY9 root@debianstation
	authorised_keys2=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8...lBpWk5ZY4oY9 root@debianserver
What must Porteus do?
Write the content of the lines from the central Porteus configuration to [.ssh/authorised_keys] and set chmod 600
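
The step proposed in the post above, as an added example that is not part of the original post and is not Porteus Kiosk code: a shell function that collects the suggested `authorised_keysN=` lines from a configuration file and installs them with strict permissions. The function name, the config path and the `authorised_keysN` parameter are hypothetical; the file OpenSSH actually reads is spelled `authorized_keys`.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Porteus Kiosk code).
# usage: install_authorized_keys CONFIG_FILE HOME_DIR
install_authorized_keys() {
    conf=$1
    ssh_dir=$2/.ssh
    tmp=$ssh_dir/authorized_keys.tmp.$$
    old_umask=$(umask)
    umask 077    # new directories become 0700, new files 0600
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || { umask "$old_umask"; return 1; }
    : > "$tmp"
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            authorised_keys[0-9]*=*) key=${line#*=} ;;   # value after the first "="
            *) continue ;;
        esac
        # Accept bare public keys only; a value starting with options such as
        # command="..." or from="..." is rejected rather than trusted.
        case $key in
            ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp*\ *)
                printf '%s\n' "$key" >> "$tmp"
                count=$((count + 1)) ;;
            *)  echo "skipped: ${line%%=*} is not a bare public key" >&2 ;;
        esac
    done < "$conf"
    umask "$old_umask"
    # Keep the existing file if the config yielded no usable key.
    if [ "$count" -eq 0 ]; then rm -f "$tmp"; return 1; fi
    mv -f "$tmp" "$ssh_dir/authorized_keys"    # atomic replace, mode 0600
}

# Constructed demo: placeholder key material, written to a scratch directory.
demo=$(mktemp -d)
cat > "$demo/kiosk.conf" <<'EOF'
some_other_parameter=value
authorised_keys1=ssh-ed25519 AAAAC3PLACEHOLDER1 admin@debianstation
authorised_keys2=ssh-rsa AAAAB3PLACEHOLDER2== admin@debianserver
authorised_keys3=command="/bin/sh" ssh-rsa AAAAB3PLACEHOLDER3 bad@entry
EOF
install_authorized_keys "$demo/kiosk.conf" "$demo/root"
cat "$demo/root/.ssh/authorized_keys"    # show the installed file
```

Because the file is rebuilt from the configuration on every run, a key removed from the configuration also disappears from `authorized_keys`.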

2 Newbie Questions

Post#5 by Rava » 02 Sep 2023, 07:23

Grisu1 wrote:
02 Sep 2023, 07:06
No, not a common key!
I have just tested it, and write the steps that need to be done.
That's what I presumed.
Grisu1 wrote:
02 Sep 2023, 07:06
What must Porteus do?
Write the content of the lines from the central Porteus configuration to [.ssh/authorised_keys] and set chmod 600
Could this part be put into the modified ISO so that on next bootup it is available on all booted Kiosk systems?
Cheers!
Yours Rava

2 Newbie Questions

Post#6 by Grisu1 » 02 Sep 2023, 07:43

I have not tested that. Why go to all this trouble when something important could be easily implemented? :D

2 Newbie Questions

Post#7 by Rava » 02 Sep 2023, 07:46

Grisu1 wrote:
02 Sep 2023, 07:43
Why go to all this trouble when something important could be easily implemented?
When you use a setup that has the ISO somewhere on a local server that serves its data to, like 20 or 30 host systems, that can quickly change what is more and what is less work.

In my book once editing one ISO is much less work than having to do the seemingly small task every time the systems boot up on all 30 or 40 systems.
And again on the next bootup. And once again on all machines after the next bootup. Rinse and repeat.

And when a machine is shut down and boots up during business hours it could be that the admin is not immediately aware of that and the user himself at that machine has neither the privileges nor usually the ability or knowledge to do it, aside from not having the key.
Cheers!
Yours Rava

2 Newbie Questions

Post#8 by Grisu1 » 02 Sep 2023, 07:55

I don't understand. An administrator will insert the keys once and that's it. The keys will rarely or never change. If I understood Porteus correctly, changes are only made if something has really changed in the central configuration?

2 Newbie Questions

Post#9 by Rava » 02 Sep 2023, 08:14

Grisu1 wrote:
02 Sep 2023, 07:55
I don't understand. An administrator will insert the keys once and that's it.
When that is added in the running system, not in the ISO that gets booted, then that change will be lost on the next boot.
Cheers!
Yours Rava

SSH - Public Key Authentication, please integrate

Post#10 by Grisu1 » 02 Sep 2023, 08:42

Someone is beating around the bush :lol:
That's why I wrote a suggestion in the 4th post about what the distro creator could do to support pubkey authentication. Should be a simple exercise.

For others who want to use SSH pubkey authentication already, the following works in the central configuration:

Code:

run_command=mkdir -p /root/.ssh ; echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAA.....W3clBpWk5ZY4li9 root@myworkstation" > /root/.ssh/authorized_keys ; chmod 600 /root/.ssh/authorized_keys &
I have compiled the approaches to my questions in the 2nd post
