SSH - Public Key Authentication, please integrate
Forum rules
Porteus Kiosk section of the forum is unmaintained now. It's kept in a 'read only' mode for archival purposes.
Please use the kiosk contact page for directing your queries: https://porteus-kiosk.org/contact.html
SSH - Public Key Authentication, please integrate
Hello,
I am currently testing Porteus Kiosk for the visualization of the Smarthome, where I actually only need a halfway up to date browser.
The central configuration via a text file works very well! Also switching the monitor on and off via remote SSH commands. (export DISPLAY=":0"; xset dpms force off).
What is the distribution missing in my opinion?
1. SSH Public Key Authentication
The possibility of the central Porteus configuration text file to store an "id_rsa.pub" key,
which is then stored in the image under "authorized_keys".
So a passwordless login would be possible.
2. Browser Addon X-Frame-Options
Maybe someone has already had the problem of loading external sites in a visualization.
For this you usually need an addon to ignore X-Frame headers in the browser.
Is there already something ready for this problem?
Thanks for tips
Last edited by Grisu1 on 02 Sep 2023, 08:43, edited 1 time in total.
SSH - Public Key Authentication, please integrate
Solution Number 2:
I could solve this myself
Helpful for Smarthome visualisation where external pages should be loaded in the existing visualisation.
Chrome with Adblocking & Adult Content Filtering (Post by Grisu1 #95375)
Solution Number 1
Workaround: (you can integrate the pubkey in the central configuration with run_command)
Code:
run_command=mkdir -p /root/.ssh ; echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAA.....W3clBpWk5ZY4li9 root@myworkstation" > /root/.ssh/authorized_keys ; chmod 600 /root/.ssh/authorized_keys &
Last edited by Grisu1 on 02 Sep 2023, 09:01, edited 3 times in total.
- Rava
- Contributor
- Posts: 5416
- Joined: 11 Jan 2011, 02:46
- Distribution: XFCE 5.01 x86_64 + 4.0 i586
- Location: Forests of Germany
2 Newbie Questions
I think having all Kiosk images use the same "id_rsa.pub" key goes against the security idea of SSH keys?
It would have to be a key that is authenticated by some authority; and that costs money and must be renewed on occasion; which again costs money. When you create your own SSH public key (= a key you can trust since you made it yourself, and when you only use it for your own systems you can omit the authentication which means it costs you no money) you have to manually adjust the Kiosk ISO you want it to use.
Or am I wrong about the public SSH keys?
Cheers!
Yours Rava
2 Newbie Questions
Hello, thanks for the reply.
No, not a common key!
I have just tested it, and write the steps that need to be done.
The /etc/ssh/sshd_config is already correct as it is, or does not need to be modified as it already supports pubkey authentication.
What does the user have to do?
Create a key pair. Command [ssh-keygen] and [cat id_rsa.pub] on a Linux workstation or PuTTYgen under Windows...
You should then be able to copy the output to the central Porteus configuration, and Porteus will write it to [.ssh/authorized_keys].
Code:
authorised_keys1=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8...lBpWk5ZY4oY9 root@debianstation
authorised_keys2=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8...lBpWk5ZY4oY9 root@debianserver
What must Porteus do?
Write the content of the lines from the central Porteus configuration to [.ssh/authorized_keys] and set chmod 600
- Rava
2 Newbie Questions
That's what I presumed.
Could this part be put into the modified ISO so that on next bootup it is available on all booted Kiosk systems?
Cheers!
Yours Rava
2 Newbie Questions
I have not tested that. Why go to all this trouble when something important could be easily implemented?
- Rava
2 Newbie Questions
When you use a setup that has the ISO somewhere on a local server that serves its data to, like 20 or 30 host systems, that can quickly change what is more and what is less work.
In my book once editing one ISO is much less work than having to do the seemingly small task every time the systems boot up on all 30 or 40 systems.
And again on the next bootup. And once again on all machines after the next bootup. Rinse and repeat.
And when a machine is shut down and boots up during business hours it could be that the admin is not immediately aware of that and the user himself at that machine has neither the privileges nor usually the ability or knowledge to do it, aside from not having the key.
Cheers!
Yours Rava
2 Newbie Questions
I don't understand. An administrator will insert the keys once and that's it. The keys will rarely or never change. If I understood Porteus correctly, changes are only made if something has really changed in the central configuration?
- Rava
2 Newbie Questions
When that is added in the running system, not in the ISO that gets booted, then that change will be lost on the next boot.
Cheers!
Yours Rava
SSH - Public Key Authentication, please integrate
Someone is beating around the bush
I have compiled the approaches to my questions in the 2nd post
That's why I wrote a suggestion in the 4th post about what the distro creator could do to support pubkey authentication. Should be a simple exercise.
For others who want to use SSH pubkey authentication already, the following works in the central configuration:
Code:
run_command=mkdir -p /root/.ssh ; echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAA.....W3clBpWk5ZY4li9 root@myworkstation" > /root/.ssh/authorized_keys ; chmod 600 /root/.ssh/authorized_keys &
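An added example, not part of any post above and not Porteus Kiosk code: one way the `authorised_keysN=` proposal could be implemented, validating each key before it is written instead of echoing it straight into the file as the `run_command` workaround does. The `authorised_keysN=` parameter is the poster's suggested syntax, not an existing Porteus option; the config path and home directory passed in are assumptions.

```shell
#!/bin/sh
# Added example (not Porteus code): build authorized_keys from the
# "authorised_keysN=" config lines proposed in the thread (hypothetical syntax).

# valid_pubkey LINE: succeed only for "<type> <base64> [comment]" with an
# allowlisted type whose base64 blob decodes and names the same type inside.
valid_pubkey() {
    set -f; set -- $1; set +f            # split on whitespace, no globbing
    type=$1 blob=$2
    case $type in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;                   # also rejects options such as command="..."
    esac
    case $blob in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || return 1
    # Wire format: 4-byte length, then the key type string again.
    inner=$(printf '%s' "$blob" | base64 -d | tail -c +5 | head -c "${#type}" | tr -d '\000')
    [ "$inner" = "$type" ]
}

# install_keys CONFIG HOME: write HOME/.ssh/authorized_keys, print keys installed.
install_keys() (
    conf=$1 sshdir=$2/.ssh n=0
    umask 077                            # subshell body: umask does not leak
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || exit 1
    tmp=$(mktemp "$sshdir/authorized_keys.XXXXXX") || exit 1
    while IFS= read -r line; do
        case $line in authorised_keys[0-9]*=*) ;; *) continue ;; esac
        key=${line#*=}
        if valid_pubkey "$key"; then
            printf '%s\n' "$key" >>"$tmp"; n=$((n + 1))
        else
            echo "rejected ${line%%=*}: not a well-formed public key" >&2
        fi
    done <"$conf"
    # Replace the file in one step so sshd never reads a half-written list.
    chmod 600 "$tmp" && mv -f "$tmp" "$sshdir/authorized_keys" || exit 1
    echo "$n"
)

# Run as: sh install_keys.sh /path/to/config /root   (paths are assumptions)
if [ $# -eq 2 ]; then install_keys "$1" "$2"; fi
```

The check is structural only: it confirms the key type, the encoding and the embedded type string, not that the key material itself is sound.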