
Thursday, February 3, 2011

How to set up SSH on the PandaBoard/BeagleBoard for external access

Background

Setting up an SSH server on your PandaBoard allows you to open a terminal on any Internet-connected computer as if it were opened locally on the PandaBoard.  From there you can execute commands as if you were physically connected to the PandaBoard.

This will allow you to open up a terminal on any computer on the Internet and be able to log into your Pandaboard/Beagleboard and copy a file from your network back to your local PC.

In this post we set up the PandaBoard to receive SSH connections from the Internet using the DynDNS redirection service.

Assumptions 

It is assumed that you have a static IP for your PandaBoard (see here for more info http://adventuresinsilicon.blogspot.com/2011/02/pandaboard-setting-static-ip.html).

It is assumed you have an Internet connection to the PandaBoard.

Installation

Installing the SSH server is a matter of running:

sudo apt-get install ssh


Security

SSH allows remote connections. Installing an Internet-connected SSH server does increase the chances of a security breach. It is possible for bad guys to scan great swathes of the Internet searching for open connections or vulnerable ones.

There are several ways to secure your network whilst running an SSH server. We will do the following steps to secure our PandaBoard server from attack:



1.    Change the port from the default and make sure external root logins are not allowed

Using Ubuntu means we don't know the root login password anyway so we will disable it.

Edit the file /etc/ssh/sshd_config with:

If using a window manager:

sudo gedit /etc/ssh/sshd_config

If using the command line:

sudo nano /etc/ssh/sshd_config

Then locate the line which says "Port 22" and change 22 to a new random port number. You will need to remember the port number every time you log in to the SSH Server.

Then locate the line which says "PermitRootLogin yes" and change 'yes' to 'no'


2.    Install 'Denyhosts' to monitor and drop repeated failed attempts to log in.
Denyhosts is a program which will monitor attempted connections and after a set number of failed attempts will ban that IP address from any more attempts. Install it with:

sudo apt-get install denyhosts

3.    Ensure strong passwords

If your password for your normal user is not very strong you should modify it to be stronger (longer, using punctuation marks, capitals and lowercase characters and preferably words which do not appear in a dictionary).  To change the password type the following at the prompt:

passwd <--username-->

Replace <--username--> with your username.  If you don't know it, type the following to find out:

whoami

4.    Security Updates

You should make a habit of regularly checking and updating the packages in your system (at least download the security updates). To do this from the command line, run:

sudo apt-get update
sudo apt-get upgrade


5.    Restart the SSH server

To apply the changes you have made type:

sudo service ssh restart
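
The following check is an added example, not part of the original post: a shell function that reads an sshd_config and confirms the two edits from step 1 (no listener on port 22, root login set to "no"), using sshd's rule that the first value given for a keyword is the one that applies. The function name audit_sshd_config and the sample config lines are made up for illustration.

```shell
#!/bin/sh
# Added example: audit the two sshd_config settings changed in step 1.
# Usage: audit_sshd_config FILE   (exit status 0 only if both checks pass)
audit_sshd_config() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)            # drop leading indentation
            split(line, f, /[ \t=]+/)           # keyword, then its first argument
            key = tolower(f[1]); val = f[2]     # keywords are case-insensitive
        }
        key == "match" { matched = 1; exit }    # conditional blocks are not evaluated here
        key == "port" {                         # every Port line adds a listener
            ports = ports " " val
            if (val == "22") default_port = 1
        }
        key == "permitrootlogin" && root == "" { root = tolower(val) }  # first value wins
        END {
            rc = 0
            if (ports == "") {
                print "FAIL: no Port line, sshd listens on the default port 22"; rc = 1
            } else if (default_port) {
                print "FAIL: still listening on port 22"; rc = 1
            } else {
                print "OK: Port" ports
            }
            if (root == "no") {
                print "OK: PermitRootLogin no"
            } else {
                print "FAIL: PermitRootLogin is " (root == "" ? "not set" : root); rc = 1
            }
            if (matched) print "NOTE: Match block present, review it by hand"
            exit rc
        }
    ' "$1"
}

# Demo on a constructed config (sample values, not taken from the post).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'port 3434' \
    'PermitRootLogin no' 'PermitRootLogin yes   # ignored, an earlier value exists' > "$sample"
audit_sshd_config "$sample" || true
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config before restarting the server. Running "sudo sshd -t" as well checks the file for syntax errors, which helps avoid locking yourself out with a broken config.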

Summary so far:
OK, so now you should be able to log in from your local network.  If you have another Ubuntu computer on your local network, try the following command on the remote PC (not the PandaBoard):

ssh -p <--the port number you set--> <--username-->@<--PandaBoard's IP Address-->


Replace the sections in brackets with the relevant information.


Logging in from the Internet


If you know the IP address your ISP allocated to you, then you could theoretically log in to that IP address right now from anywhere on the Internet with SSH and access your PandaBoard.

There are two main issues with this: firstly, your allocated IP address changes, and secondly, you probably have a firewall stopping direct connections.

It is likely that your Router/ADSL/Switch etc will block direct connections if you are on ADSL.

My preferred method is to sign up for a free account at www.dyndns.org. This will allocate a web address based on the username of your DynDNS account.

For example, if your account is "fred" then you could have the address fred.dyndns.org.  At the time of setting up the account that address will map to your ISP-allocated IP address.

What I prefer to do is have my router automatically update the details of my DynDNS account every time my allocated IP address changes.  Most modern routers will have an advanced option to allow this.

On my router it was labelled "virtual server" and DynDNS.org accounts were accommodated. You can also run a client on your PC to do the update if your router cannot do it automatically.



Once you have linked a URL to your account you can ssh in from any box on the Internet.  If your DynDNS account was "fred" and you chose port number 3434 above when you changed it from 22, on a remote Ubuntu box you would run the following command to log in:


ssh -p 3434 fred@fred.dyndns.org


From there you can execute any command as if you were typing on a local keyboard.

If you want to allow X Windows applications to be started on the host and viewed on the client, then add the switch "-X" to the command line, e.g.:

ssh -X -p 3434 fred@fred.dyndns.org



If you have an Android SmartPhone try installing the ConnectBot app and logging in from your phone!



There are further steps you can take to secure the connection and there are some purpose-built apps designed to run over SSH. If you use Ubuntu for the remote PC, review this handy SSH-related tip:
http://adventuresinsilicon.blogspot.com/2011/01/linux-tip-accessing-files-over-ssh.html


3 comments:

Hesham Elsaghir said...

Great article,
I followed it and it worked fine. Also, it has a lot of explanation. Thanks for taking the time to write it. I will read more of your blogs soon.

Dingo_aus said...

You're welcome Hesham.

If you have any related topics you would like me to write on I'm happy to hear what they are.

Thanks for the positive feedback.
