Similarly to what I wrote for Fedora 29, here is how I was able to create a Fedora 31 LXC container on an Ubuntu 18.04 (bionic) laptop.
Setting up LXC on Ubuntu
First of all, install lxc:
apt install lxc
echo "veth" >> /etc/modules
modprobe veth
turn on bridged networking by putting the following in
/etc/sysctl.d/local.conf:
net.ipv4.ip_forward=1
and applying it using:
sysctl -p /etc/sysctl.d/local.conf
Then allow the right traffic in your firewall
(/etc/network/iptables.up.rules in my case):
# LXC containers
-A FORWARD -d 10.0.3.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.3.0/24 -j ACCEPT
-A INPUT -d 224.0.0.251 -s 10.0.3.1 -j ACCEPT
-A INPUT -d 239.255.255.250 -s 10.0.3.1 -j ACCEPT
-A INPUT -d 10.0.3.255 -s 10.0.3.1 -j ACCEPT
-A INPUT -d 10.0.3.1 -s 10.0.3.0/24 -j ACCEPT
and apply these changes:
iptables-apply
before restarting the lxc networking:
systemctl restart lxc-net.service
Create the container
Once that's in place, you can finally create the Fedora 29 container:
lxc-create -n fedora31 -t download -- -d fedora -r 31 -a amd64
To see a list of all distros available with the download template:
lxc-create -n foo --template=download -- --list
Once the container has been created, disable AppArmor for it:
lxc.apparmor.profile = unconfined
since the AppArmor profile isn't working at the moment.
Logging in as root
Starting the container in one window:
lxc-start -n fedora31 -F
and attaching to a console:
lxc-attach -n fedora31
to set a root password:
passwd
Logging in as an unprivileged user via ssh
While logged into the console, I tried to install ssh:
$ dnf install openssh-server
Cannot create temporary file - mkstemp: No such file or directory
but it failed because TMPDIR is set to a non-existent directory:
$ echo $TMPDIR
/tmp/user/0
I found a fix and ran the following:
TMPDIR=/tmp dnf install openssh-server
then started the ssh service:
systemctl start sshd.service
Then I installed a few other packages as root:
dnf install vim sudo man
and created an unprivileged user with sudo access:
adduser francois -G wheel
passwd francois
I set this in /etc/ssh/sshd_config:
GSSAPIAuthentication no
to prevent slow ssh logins.
Now login as that user from the console and add an ssh public key:
mkdir .ssh
chmod 700 .ssh
echo "<your public key>" > .ssh/authorized_keys
chmod 644 .ssh/authorized_keys
You can now login via ssh. The IP address to use can be seen in the output of:
lxc-ls --fancy
In-flight and hotel WiFi can be quite expensive and often insist on charging users extra to connect multiple devices. In order to avoid that, it's possible to easily create a WiFi hotspot using NetworkManager and a external USB WiFi adapter.
Creating the hotspot
The main trick is to right-click on the NetworkManager icon in the status bar and select "Edit Connections..." (not "Create New WiFi Network..." despite the promising name).
From there click the "+" button in the lower right then "WiFi" as the Connection Type. I like to use the computer name as the "Connection name".
In the WiFi tab, set the following:
- SSID: machinename_nomap
- Mode: hotspot
- Device: (the device name of the USB WiFi adapter)
The _nomap suffix is there to opt out of the
Google and
Mozilla location services
which could allow anybody to lookup sightings of your device around the
World.
In the WiFi Security tab:
- Security: WPA & WPA2 Personal
- Password: (a 63-character random password generated using
pwgen -s 63)
While you may think that such a long password is inconvenient, it's now possible to add the network automatically by simply scanning a QR code on your phone.
In the IPv4 Settings tab:
- Method: Shared to other computers
Finally, in the IPv6 Settings tab:
- Method: Ignore
I ended up with the following config in
/etc/NetworkManager/system-connections/machinename:
[connection]
id=machinename
uuid=<long UUID string>
type=wifi
interface-name=wl...
permissions=
timestamp=1578533792
[wifi]
mac-address=<MAC>
mac-address-blacklist=
mode=ap
seen-bssids=<BSSID>
ssid=machinename_nomap
[wifi-security]
key-mgmt=wpa-psk
psk=<63-character password>
[ipv4]
dns-search=
method=shared
[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=ignore
Firewall rules
In order for the packets to flow correctly, I opened up the following ports on my machine's local firewall:
-A INPUT -s 10.42.0.0/24 -j ACCEPT
-A FORWARD -d 10.42.0.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -j ACCEPT
-A INPUT -d 224.0.0.251 -s 10.42.0.1 -j ACCEPT
-A INPUT -d 239.255.255.250 -s 10.42.0.1 -j ACCEPT
-A INPUT -d 10.42.0.255 -s 10.42.0.1 -j ACCEPT
-A INPUT -d 10.42.0.1 -s 10.42.0.0/24 -j ACCEPT
Thanks to a fellow VECTOR volunteer Nick Doyle, I found out that the International Space Station would be broadcasting slow-scan television images at the end of the year. I decided to try and pick those up with my handheld radio.
Planning
From the official announcement, I got the frequency (145.800 MHz) and the broadcast times.
Next I had to figure out when the ISS would be passing over my location. Most of the ISS tracking websites and applications are aimed at people wanting to see the reflection of the sun on the station and so they only list the passes during nighttime before the earth casts a shadow that would prevent any visual contacts.
Thankfully, Nick found a site which has a option to show all of the passes, visible or not and so I was able to get a list of upcoming passes over Vancouver.
Hardware
From a hardware point-of-view, I didn't have to get any special equipment. I used my Kenwood D72 and an external Comet SBB5 mobile antenna.
The only other pieces of equipment I used was a 2.5mm mono adapter which I used to connect a 3.5mm male-male audio cable in the speaker port of the radio and the microphone input of my computer.
Software
The software I used for the recording was Audacity set to a sampling rate of 48 kHz.
Then I installed qsstv and configured it to read input from a file instead of the sound card.
Results
Here is the audio I recorded from the first pass (65 degrees at the highest point) as well as the rendered image:
The second pass (60 degrees) was not as successful since I didn't hold the squelch open and you can tell from the audio recording that the signal got drowned in noise a couple of times. This is the rendering of that second pass:
Tips
The signal came through the squelch for only about a minute at the highest
point, so I found it best to open the squelch fully (F+Moni) as soon as
the bird is visible.
Another thing I did on a third pass (16 degrees at the highest point -- not particularly visible) was to plug the speaker out of my radio into a Y splitter so that I could connect it to my computer and an external speaker I could take outside with me. Since I was able to listen to the audio, I held the antenna and tried to point it at the satellite's general direction as well as varying the orientation of the antenna to increase the signal strength.
Up until recently, it was a pain to defend againt WPA2 brute-force attacks by using a random 63-character password (the maximum in WPA-Personal) mode). Thanks to Android 10 and iOS 11 supporting reading WiFi passwords from a QR code, this is finally a practical defense.
Generating the QR code
After installing the qrencode
package, run the following:
qrencode -o wifi.png "WIFI:T:WPA;S:<SSID>;P:<PASSWORD>;;"
substituting <SSID> for the name of your WiFi network and <PASSWORD> for
the 63-character password you hopefully generated with pwgen -s 63.
If your password includes a semicolon, then escape it like this:
"WIFI:T:WPA;S:<SSID>;P:pass\:word;;"
since iOS won't support the following (which works fine on Android):
'WIFI:T:WPA;S:<SSID>;P:"pass:word";;'
The only other pitfall I ran into is that if you include a trailing newline
character (for example piping echo "..." into qrencode as opposed to
echo -n "...") then it will fail on both iOS and Android.
Scanning the QR code
On iOS, simply open the camera app and scan the QR code to bring up a notification which allows you to connect to the WiFi network:
On Android, go into the WiFi settings and tap on the WiFi network you want to join:
then click the QR icon in the password field and scan the code:
In-browser alternative
If you can't do this locally for some reason, there is also an in-browser QR code generator with source code available.
Here is how I setup duplicity to use S3 as a backend while giving duplicity the minimum set of permissions to my Amazon Web Services account.
AWS Security Settings
First of all, I enabled the following general security settings in my AWS account:
- MFA with a U2F device
- no root user access keys
Then I set a password policy in the IAM Account Settings and turned off all public access in the S3 Account Settings.
Creating an S3 bucket
As a destination for the backups, I created a new backup-foobar S3
bucket keeping all of the
default options except for the
region
which I set to ca-central-1 to ensure that my data would stay in
Canada.
The bucket name can be anything you want as long as:
- it's not already taken by another AWS user
- it's a valid hostname (i.e. alphanumeric characters or dashes)
Note that I did not enable S3 server-side encryption since I will be encrypting the backups client-side using the support built into duplicity instead.
Creating a restricted user account
Then I went back into the Identity and Access Managment
console and created a new
DuplicityBackup policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucketMultipartUploads",
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:ListBucket",
"s3:DeleteObject",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::backup-foobar",
"arn:aws:s3:::backup-foobar/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
}
]
}
It's unfortunate that the unrestricted s3:ListAllMyBuckets permission has
to be granted, but in my testing, duplicity would error out without it. No
other permissions were needed.
The next step was to create a new DuplicityBackupHosts IAM group to which
I attached the DuplicityBackup policy.
Finally, I created a new machinename IAM user:
- Access: programmatic only
- Group:
DuplicityBackupHosts - Tags:
duplicity=1
and wrote down the access key and the access key secret.
Duplicity settings
Once that's all set, I was able to use duplicity using the following options:
--s3-use-new-style: apparently required on non-US regions--s3-use-ia: recommended pricing structure for backups--s3-use-multiprocessing: speeds up uploading of backup chunks
and used the following remote URL:
s3://s3.ca-central-1.amazonaws.com/backup-foobar/machinename
which hardcodes the region in order to work-around the lack of explicit region support in duplicity.
I ended up with the following command:
http_proxy= AWS_ACCESS_KEY_ID=<access_key> AWS_SECRET_ACCESS_KEY=<access_key_secret> PASSPHRASE=<password> duplicity --s3-use-new-style --s3-use-ia --s3-use-multiprocessing --no-print-statistics --verbosity 1 --exclude-device-files --exclude-filelist <exclude_file> --include-filelist <include_file> --exclude '**' / <remote_url>
where <exclude_file> is a file which contains the list of paths to keep
out of my backup:
/etc/.git
/home/francois/.cache
<include_file> is a file which contains the list of paths to include
in the backup:
/etc
/home/francois
/usr/local/bin
/usr/local/sbin
/var/log/apache2
/var/www
and <password> is a long random string (pwgen -s 64) used to encrypt the backups.
Backup script
Here are two other things I included in my backup script prior to the actual backup line listed in the previous section.
The first one deletes files related to failed backups:
http_proxy= AWS_ACCESS_KEY_ID=<access_key> AWS_SECRET_ACCESS_KEY=<access_key_secret> PASSPHRASE=<password> duplicity cleanup --verbosity 1 --force <remote_url>
and the second deletes old backups (older than 12 days in this example):
http_proxy= AWS_ACCESS_KEY_ID=<access_key> AWS_SECRET_ACCESS_KEY=<access_key_secret> PASSPHRASE=<password> duplicity remove-older-than 12D --verbosity 1 --force <remote_url>
Feel free to leave a comment if I forgot anything that might be useful!
I was recently hoping to replace an aging proprietary router (upgraded to a Gargoyle FOSS firmware). After rejecting a popular brand with a disturbing GPL violation habit, I settled on the Turris Omnia router, built on free software. Overall, I was pretty satisfied with the fact that it is free and comes with automatic updates, but I noticed a problem with the WiFi. Specifically, the 5 GHz access point was okay but the 2.4 GHz was awful.
False lead
I initially thought that the 2.4 GHz radio wasn't working, but then I realized that putting my phone next to the router would allow it to connect and exchange data at a slow-but-steady rate. If I moved the phone more than 3-4 meters away though, it would disconnect for lack of signal. To be frank, the wireless performance was much worse than my original router, even though the wired performance was, as expected, amazing:
I looked on the official support forums and found this intriguing thread about interference between USB3 and 2.4 GHz radios. This sounded a lot like what I was experiencing (working radio but terrible signal/interference) and so I decided to see if I could move the radios around inside the unit, as suggested by the poster.
After opening the case however, I noticed that radios were already laid out in the optimal way:
and that USB3 interference wasn't going to be the reason for my troubles.
Real problem
So I took a good look at the wiring and found that while the the larger radio (2.4 / 5 GHz dual-bander) was connected to all three antennas, the smaller radio (2.4 GHz only) was connected to only 2 of the 3 antennas:
To make it possible for antennas 1 and 3 to carry the signal from both radios, a duplexer got inserted between the radios and the antenna:
On one side is the 2.4 antenna port and on the other side is the 5 GHz port.
Looking at the wiring though, it became clear that my 2.4 GHz radio was connected to the 5 GHz ports of the two duplexers and the 5 GHz radio was connected to the 2.4 GHz ports of the duplexers. This makes sense considering that I had okay 5 GHz performance (with one of the three chains connected to the right filter) and abysimal 2.4 GHz performance (with none of the two chains connected to the right filter).
Solution
Swapping the antenna connectors around completely fixed the problem. With the 2.4 GHz radio connected to the 2.4 side of the duplexer and the dual-bander connected to the 5 GHz side, I was able to get the performance I would expect from such a high-quality router.
Interestingly enough, I found the solution to this problem the same weekend as I passed my advanced amateur radio license exam. I guess that was a good way to put the course material into practice!
Adding third-party embedded widgets on a website is a common but potentially dangerous practice. Thankfully, the web platform offers a few controls that can help mitigate the risks. While this post uses the example of an embedded SurveyMonkey survey, the principles can be used for all kinds of other widgets.
Note that this is by no means an endorsement of SurveyMonkey's proprietary service. If you are looking for a survey product, you should consider a free and open source alternative like LimeSurvey.
SurveyMonkey's snippet
In order to embed a survey on your website, the SurveyMonkey interface will tell you to install the following website collector script:
<script>(function(t,e,s,n){var
o,a,c;t.SMCX=t.SMCX||[],e.getElementById(n)||(o=e.getElementsByTagName(s),a=o[o.length-1],c=e.createElement(s),c.type="text/javascript",c.async=!0,c.id=n,c.src=["https:"===location.protocol?"https://":"http://","widget.surveymonkey.com/collect/website/js/tRaiETqnLgj758hTBazgd9NxKf_2BhnTfDFrN34n_2BjT1Kk0sqrObugJL8ZXdb_2BaREa.js"].join(""),a.parentNode.insertBefore(c,a))})(window,document,"script","smcx-sdk");</script><a
style="font: 12px Helvetica, sans-serif; color: #999; text-decoration:
none;" href=https://www.surveymonkey.com> Create your own user feedback
survey </a>
which can be rewritten in a more understandable form as:
(
function (s) {
var scripts, last_script, new_script;
window.SMCX = window.SMCX || [],
document.getElementById("smcx-sdk") ||
(
scripts = document.getElementsByTagName("script"),
last_script = scripts[scripts.length - 1],
new_script = document.createElement("script"),
new_script.type = "text/javascript",
new_script.async = true,
new_script.id = "smcx-sdk",
new_script.src =
[
"https:" === location.protocol ? "https://" : "http://",
"widget.surveymonkey.com/collect/website/js/tRaiETqnLgj758hTBazgd9NxKf_2BhnTfDFrN34n_2BjT1Kk0sqrObugJL8ZXdb_2BaREa.js"
].join(""),
last_script.parentNode.insertBefore(new_script, last_script)
)
}
)();
The fact that this adds a third-party script dependency to your website is problematic because it means that a security vulnerability in their infrastructure could lead to a complete compromise of your site, thanks to third-party scripts having full control over your website. Security issues aside though, this could also enable this third-party to violate your users' privacy expectations and extract any information displayed on your site for marketing purposes.
However, if you embed the snippet on a test page and inspect it with the developer tools, you will find that it actually creates an iframe:
<iframe
width="500"
height="500"
frameborder="0"
allowtransparency="true"
src="https://www.surveymonkey.com/r/D3KDY6R?embedded=1"
></iframe>
and you can use that directly on your site without having to load their script.
Mixed content anti-pattern
As an aside, the script snippet they propose makes use of a common front-end anti-pattern:
"https:"===location.protocol?"https://":"http://"
This is presumably meant to avoid inserting an HTTP script element into an HTTPS page, since that would be considered mixed content and get blocked by browsers, however this is entirely unnecessary. One should only ever use the HTTPS version of such scripts anyways since an HTTP page never prohibits embedding HTTPS content.
In other words, the above code snippet can be simplified to:
"https://"
Restricting iframes
Thanks to defenses which have been added to the web platform recently, there are a few things that can be done to constrain iframes.
Firstly, you can choose to hide your full page URL from SurveyMonkey using the referrer policy:
referrerpolicy="strict-origin"
This mean seem harmless, but page URLs sometimes include sensitive
information in the URL path or query string, for example, search terms that
a user might have typed. The strict-origin policy will limit the referrer
to your site's hostname, port and protocol.
Secondly, you can prevent the iframe from being able to access anything about its embedding page or to trigger popups and unwanted downloads using the sandbox attribute:
sandbox="allow-scripts allow-forms"
Ideally, the contents of this attribute would be empty so that all restrictions would be active, but SurveyMonkey is a JavaScript application and it of course needs to submit a form since that's the purpose of the widget.
Finally, a new experimental capability is making its way into browsers: feature policy. In the context of untrusted iframes, it enables developers to explicitly disable certain powerful features:
allow="accelerometer 'none';
ambient-light-sensor 'none';
camera 'none';
display-capture 'none';
document-domain 'none';
fullscreen 'none';
geolocation 'none';
gyroscope 'none';
magnetometer 'none';
microphone 'none';
midi 'none';
payment 'none';
usb 'none';
vibrate 'none';
vr 'none';
webauthn 'none'"
Putting it all together, we end up with the following HTML snippet:
<iframe
width="500"
height="500"
frameborder="0"
allowtransparency="true"
allow="accelerometer 'none'; ambient-light-sensor 'none';
camera 'none'; display-capture 'none';
document-domain 'none'; fullscreen 'none';
geolocation 'none'; gyroscope 'none'; magnetometer 'none';
microphone 'none'; midi 'none'; payment 'none'; usb 'none';
vibrate 'none'; vr 'none'; webauthn 'none'"
sandbox="allow-scripts allow-forms"
referrerpolicy="strict-origin"
src="https://www.surveymonkey.com/r/D3KDY6R?embedded=1"
></iframe>
Content Security Policy
Another advantage of using the iframe directly is that instead of loosening your site's Content Security Policy by adding all of the following:
script-src https://www.surveymonkey.comimg-src https://www.surveymonkey.comframe-src https://www.surveymonkey.com
you can limit the extra directives to just the frame controls:
frame-src https://www.surveymonkey.com
CSP Embedded Enforcement would be another nice mechanism to make use of, but looking at SurveyMonkey's CSP policy:
Content-Security-Policy:
default-src https: data: blob: 'unsafe-eval' 'unsafe-inline'
wss://*.hotjar.com 'self';
img-src https: http: data: blob: 'self';
script-src https: 'unsafe-eval' 'unsafe-inline' http://www.google-analytics.com http://ajax.googleapis.com
http://bat.bing.com http://static.hotjar.com http://www.googleadservices.com
'self';
style-src https: 'unsafe-inline' http://secure.surveymonkey.com 'self';
report-uri https://csp.surveymonkey.com/report?e=true&c=prod&a=responseweb
it allows the injection of arbitrary Flash files, inline scripts, evals and any other scripts hosted on an HTTPS URL, which means that it doesn't really provide any meaningful security benefits.
Embedded enforcement is thefore not a usable security control in this particular example until SurveyMonkey gets a stricter CSP policy.
Here's how I created a restricted but not ephemeral guest account on an Ubuntu 18.04 desktop computer that can be used without a password.
Create a user that can login without a password
First of all, I created a new user with a random password (using pwgen -s 64):
adduser guest
Then following these instructions, I created a new group and added the user to it:
addgroup nopasswdlogin
adduser guest nopasswdlogin
In order to let that user login using
GDM without a password, I added the
following to the top of /etc/pam.d/gdm-password:
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
Note that this user is unable to ssh into this machine since it's not part
of the sshuser group I have setup in my sshd
configuration.
Privacy settings
In order to reduce the amount of digital traces left between guest sessions, I logged into the account using a GNOME session and then opened gnome-control-center. I set the following in the privacy section:
Then I replaced Firefox with Brave in the sidebar, set it as the default browser in gnome-control-center:
and configured it to clear everything on exit:
Create a password-less system keyring
In order to suppress prompts to unlock gnome-keyring, I opened seahorse and deleted the default keyring.
Then I started Brave, which prompted me to create a new keyring so that it can save the contents of its password manager securely. I set an empty password on that new keyring, since I'm not going to be using it.
I also made sure to disable saving of passwords, payment methods and addresses in the browser too.
Restrict user account further
Finally, taking an idea from this similar
solution, I prevented the user from
making any system-wide changes by putting the following in
/etc/polkit-1/localauthority/50-local.d/10-guest-policy.pkla:
[guest-policy]
Identity=unix-user:guest
Action=*
ResultAny=no
ResultInactive=no
ResultActive=no
If you know of any other restrictions that could be added, please leave a comment!
Here is how I installed Debian 10 / buster on my GnuBee Personal Cloud 2, a free hardware device designed as a network file server / NAS.
Flashing the LibreCMC firmware with Debian support
Before we can install Debian, we need a firmware that includes all of the necessary tools.
On another machine, do the following:
- Download the latest
librecmc-ramips-mt7621-gb-pc1-squashfs-sysupgrade_*.bin. - Mount a vfat-formatted USB stick.
- Copy the file onto it and rename it to
gnubee.bin. - Unmount the USB stick
Then plug a network cable between your laptop and the black network port and plug the USB stick into the GnuBee before rebooting the GnuBee via ssh:
ssh 192.68.10.1
reboot
If you have a USB serial cable, you can use it to monitor the flashing process:
screen /dev/ttyUSB0 57600
otherwise keep an eye on the LEDs and wait until they are fully done flashing.
Getting ssh access to LibreCMC
Once the firmware has been updated, turn off the GnuBee manually using the power switch and turn it back on.
Now enable SSH access via the built-in LibreCMC firmware:
- Plug a network cable between your laptop and the black network port.
- Open web-based admin panel at http://192.168.10.1.
- Go to System | Administration.
- Set a root password.
- Disable ssh password auth and root password logins.
- Paste in your RSA ssh public key.
- Click Save & Apply.
- Go to Network | Firewall.
- Select "accept" for WAN Input.
- Click Save & Apply.
Finaly, go to Network | Interfaces and note the ipv4 address of the WAN port since that will be needed in the next step.
Installing Debian
The first step is to install Debian jessie on the GnuBee.
Connect the blue network port into your router/switch and ssh into the GnuBee using the IP address you noted earlier:
ssh root@192.168.1.xxx
and the root password you set in the previous section.
Then use fdisk /dev/sda to create the following partition layout on the
first drive:
Device Start End Sectors Size Type
/dev/sda1 2048 8390655 8388608 4G Linux swap
/dev/sda2 8390656 234441614 226050959 107.8G Linux filesystem
Note that I used an 120GB solid-state drive as the system drive in order to minimize noise levels.
Then format the swap partition:
mkswap /dev/sda1
and download the latest version of the jessie installer:
wget --no-check-certificate https://raw.githubusercontent.com/gnubee-git/GnuBee_Docs/master/GB-PCx/scripts/jessie_3.10.14/debian-jessie-install
(Yes, the --no-check-certificate is really unfortunate. Please leave a
comment if you find a way to work around it.)
The stock installer fails to bring up the correct networking configuration
on my network and so I have modified the
install script by changing
the eth0.1 blurb to:
auto eth0.1
iface eth0.1 inet static
address 192.168.10.1
netmask 255.255.255.0
Then you should be able to run the installer succesfully:
sh ./debian-jessie-install
and reboot:
reboot
Restore ssh access in Debian jessie
Once the GnuBee has finished booting, login using the serial console:
- username:
root - password:
GnuBee
and change the root password using passwd.
Look for the IPv4 address of eth0.2 in the output of the ip addr command
and then ssh into the GnuBee from your desktop computer:
ssh root@192.168.1.xxx # type password set above
mkdir .ssh
vim .ssh/authorized_keys # paste your ed25519 ssh pubkey
Finish the jessie installation
With this in place, you should be able to ssh into the GnuBee using your public key:
ssh root@192.168.1.172
and then finish the jessie installation:
wget --no-check-certificate https://raw.githubusercontent.com/gnubee-git/gnubee-git.github.io/master/debian/debian-modules-install
bash ./debian-modules-install
reboot
After rebooting, I made a few tweaks to make the system more pleasant to use:
update-alternatives --config editor # choose vim.basic
dpkg-reconfigure locales # enable the locale that your desktop is using
Upgrade to stretch and then buster
To upgrade to stretch, put this in /etc/apt/sources.list:
deb http://httpredir.debian.org/debian stretch main
deb http://httpredir.debian.org/debian stretch-updates main
deb http://security.debian.org/ stretch/updates main
Then upgrade the packages:
apt update
apt full-upgrade
apt autoremove
reboot
To upgrade to buster, put this in /etc/apt/sources.list:
deb http://httpredir.debian.org/debian buster main
deb http://httpredir.debian.org/debian buster-updates main
deb http://security.debian.org/debian-security buster/updates main
and upgrade the packages:
apt update
apt full-upgrade
apt autoremove
reboot
Next steps
At this point, my GnuBee is running the latest version of Debian stable, however there are two remaining issues to fix:
openssh-server doesn't work and I am forced to access the GnuBee via the serial interface.
The firmware is running an outdated version of the Linux kernel though this is being worked on by community members.
I hope to resolve these issues soon, and will update this blog post once I do, but you are more than welcome to leave a comment if you know of a solution I may have overlooked.
My VoIP provider recently added support for TLS/SRTP-based call encryption. Here's what I did to enable this feature on my Asterisk server.
First of all, I changed the registration line in /etc/asterisk/sip.conf to
use the "tls" scheme:
[general]
register => tls://mydid:mypassword@servername.voip.ms
then I enabled incoming TCP connections:
tcpenable=yes
and TLS:
tlsenable=yes
tlscapath=/etc/ssl/certs/
Finally, I changed my provider entry in the same file to:
[voipms]
type=friend
host=servername.voip.ms
secret=mypassword
username=mydid
context=from-voipms
allow=ulaw
allow=g729
insecure=port,invite
transport=tls
encryption=yes
(Note the last two lines.)
The dialplan didn't change and so I still have the following in
/etc/asterisk/extensions.conf:
[pstn-voipms]
exten => _1NXXNXXXXXX,1,Set(CALLERID(all)=Francois Marier <5551234567>)
exten => _1NXXNXXXXXX,n,Dial(SIP/voipms/${EXTEN})
exten => _1NXXNXXXXXX,n,Hangup()
exten => _NXXNXXXXXX,1,Set(CALLERID(all)=Francois Marier <5551234567>)
exten => _NXXNXXXXXX,n,Dial(SIP/voipms/1${EXTEN})
exten => _NXXNXXXXXX,n,Hangup()
exten => _011X.,1,Set(CALLERID(all)=Francois Marier <5551234567>)
exten => _011X.,n,Authenticate(1234) ; require password for international calls
exten => _011X.,n,Dial(SIP/voipms/${EXTEN})
exten => _011X.,n,Hangup(16)
Server certificate
The only thing I still need to fix is to make this error message go away in my logs:
asterisk[8691]: ERROR[8691]: tcptls.c:966 in __ssl_setup: TLS/SSL error loading cert file. <asterisk.pem>
It appears to be related to the fact that I didn't set tlscertfile in
/etc/asterisk/sip.conf and that it's using its default value of
asterisk.pem, a non-existent file.
Since my Asterisk server is only acting as a TLS client, and not a TLS server, there's probably no harm in not having a certificate. That said, it looks pretty easy to use a Let's Encrypt cert with Asterisk.