the itjerk

my adventures with technology

Tag Archives: ssh

putty and ssh keys

If you have a Windows computer, no doubt you’re using PuTTY for your ssh needs. In order to use keys to sign into remote hosts, you’ll need to run the PuTTYgen program, generate a new pair of keys, save the private key, and then copy/paste the public key to your remote host, adding the entirety to the remote authorized_keys file. After you generate your keys, load your saved session and go to SSH>Auth and load the private key. Be sure to change permissions on the directory you store them in on your Windows computer!

On the web:
Putty

squeezeslave and the raspberry pi

Ever want to listen to your digital music collection at home while you were at work? Specifically, the idea here is to connect to my Logitech Media Server (aka Slimserver or Squeezebox Server, and LMS for short) that's at home, with my Raspberry Pi (RPi for short) at work. (I'm going to assume that you know the drill about opening ports on computers and routers, your work's tech security policies, and all that jazz). Technically, it's relatively simple – make an ssh connection to the LMS, forward a few ports to the RPi, and then launch the player! Of course, this could all be done using just about any media player on just about any computer, and a web interface – that's the beauty of the LMS. But this is about the RPi, and I'd like to keep this as basic as possible – without even using a gui for playlists.

Squeezeslave is a great little program that emulates a Squeezebox player, providing both a SLIMP3 type interface and the capability to stream music. It truly turns the RPi into a virtual machine. The program is an already compiled binary for ARM6 (the chip that the Raspberry Pi uses), which saves a lot of work. But be sure to get the "hard float" version for Raspbian Wheezy.

Installation is simple; this is taken from Paul Webster's more than informative blog:

wget http://squeezeslave.googlecode.com/files/squeezeslave-1.2-367-armhf-lnx31.tar.gz
tar -xvf squeezeslave-1.2-367-armhf-lnx31.tar.gz
mv squeezeslave-1.2-367 squeezeslave

Before we run Squeezeslave, we have to connect to the LMS server at home. This is done via ssh and port-forwarding. I've configured my home router (and LMS computer) to accept connections on ports 22, 3483, and 9000, the latter two of which Squeezeslave uses to connect to the LMS. I've also set up keys (using ssh-keygen) between the LMS and RPi so that a password isn't required to login. Finally, I also know the LMS's WAN and LAN addresses (using DynDNS for the former).

First, we connect to the LMS using the ssh command. The -L switch can be repeated, which is great because we need both ports 3483 and 9000 forwarded for Squeezeslave to work. The -N switch prevents remote commands, since we are just using ssh for port forwarding. Finally, by ending with &, we stay in the local terminal, and can immediately issue our next command. Note that all addresses are for your LMS computer.

ssh -L <3483>:<lan address>:<3483> -L <9000>:<lan address>:<9000> -N <username>@<wan address> &

Running Squeezeslave is simple: all we do is enter the IP of the localhost for the LMS, and give it the -D switch to open its display.

./squeezeslave 127.0.0.1 -D -R

What a cool interface!

Here are the key options for the display:

Now, if I point a browser to my home computer and bring up the LMS web interface, I'll find a player called "Squeezeslave". One performance note: I did need to edit Server Settings in LMS for the Squeezeslave to change Bitrate Limiting from "unlimited" to something else to get smooth playback over the internet. That said, sound was excellent, making the Raspberry Pi one inexpensive SqueezeBox player!

Extending this little exercise, both commands could be scripted to run automatically at boot, making this a completely auto-on operation. And because of Squeezeslave's simple interface, I'm sure the RPi could be hooked up to a cool little LCD display instead of a monitor, add a remote…
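One way to script the two commands for boot, as an added example that is not from the original post: the tunnel is opened with -f instead of a trailing &, and the player starts only if both forwards came up. LMS_LAN, LMS_DEST, SQUEEZE_DIR and the function names are placeholders, and ssh -L carries TCP only.

```shell
#!/bin/sh
# Added example (not from the original post): tunnel + player launcher for boot.
# LMS_LAN, LMS_DEST and SQUEEZE_DIR are placeholders to set for your own setup.
LMS_LAN=${LMS_LAN:-192.0.2.10}            # LAN address of the LMS (documentation range)
LMS_DEST=${LMS_DEST:-user@lms.example}    # <username>@<wan address>
SQUEEZE_DIR=${SQUEEZE_DIR:-$HOME/squeezeslave}

open_tunnel() {
    # $1 = LMS LAN address, $2 = user@wan-address
    # -f backgrounds ssh only after authentication, replacing the trailing "&".
    # ExitOnForwardFailure makes ssh exit non-zero if 3483 or 9000 cannot be bound.
    # BatchMode fails fast instead of waiting at a password prompt nobody sees at boot.
    # The explicit 127.0.0.1 bind keeps the forwards on loopback even if
    # GatewayPorts is enabled in the client's ssh_config.
    "${SSH:-ssh}" -f -N \
        -o ExitOnForwardFailure=yes \
        -o BatchMode=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -L "127.0.0.1:3483:$1:3483" \
        -L "127.0.0.1:9000:$1:9000" \
        "$2"
}

start_player() {
    open_tunnel "$LMS_LAN" "$LMS_DEST" || {
        echo "tunnel failed; not starting squeezeslave" >&2
        return 1
    }
    cd "$SQUEEZE_DIR" && exec ./squeezeslave 127.0.0.1 -D -R
}

# Run only when invoked as: ./lms-player.sh start
if [ "${1:-}" = "start" ]; then
    start_player
fi
```

BatchMode only works with a key that needs no prompt, which is the passwordless key setup described above.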

Isn't computing fun?!

On the web:
Squeezeslave
Sourceforge
Installing Squeezeslave

raspberry pi and the squeezebox server

Here's something that's really easy to set up – streaming music from your Slimserver/Squeezebox Server/Logitech Media Server to your Raspberry Pi. Not a lot of assumptions here; my Squeezebox Server is at home, and I'm at work; I've opened the necessary ports on my home computer and router (22 tcp, 9000 tcp, 3483 tcp/udp), and I know its WAN and LAN addresses. I'm also going to assume that you know the drill about opening ports on computers, your work's security policies and all that jazz.

Please note that all this can be done using your remote computer's host name; just open a stream to yourhomecomputer.com:9000/stream.mp3 in just about any media player, play it, then open a browser to yourhomecomputer.com:9000, select the remote player, queue up some music and press play! All this assumes that your Squeezebox Server is set to use port 9000.

But for security's sake, I'm going to use ssh port forwarding to send all the traffic through a tunnel. This not only secures the stream by using ssh, but allows you to load the stream and view the web interface using the localhost interface on your RPi.

Okay, first set up a port forward from your Squeezebox Server at home on your RPi using the terminal. Note that all addresses are for your Squeezebox Server computer.

ssh -L <local port>:<lan address>:<lan port> <username>@<wan address>

Next, just add the music stream to mpc and play it:

mpc add http://localhost:9000/stream.mp3
mpc play

Now, point your browser to http://localhost:9000 (or whatever local port you are forwarding to), select the appropriate player (mpd on your RPi), queue up some music, and voilà, you can enjoy all the music from your Slimserver/Squeezebox Server/Logitech Media Server wherever your Raspberry Pi is connected!

raspberry pi, part two

After nearly five months on order, I got another Raspberry Pi model B last week, this one upgraded to 512 MB RAM. It's running the October 28th release of Raspbian "Wheezy", and for some reason, only Ubuntu's Image Writer would get it working properly on my 8GB SDHC card. The Pi's performance is much snappier than the previous one reviewed, due to the extra memory and four months of work on the Debian-based OS.

*** FYI: Remember, that SD card is your hard drive, and by most estimations, not the most reliable format in the world. Keep it backed-up, have a spare or two around, SD cards are inexpensive! And please be sure to shutdown the RPi correctly using "sudo halt" or similar. This will help keep that SD card uncorrupted. ***

New this time is the raspi-config command that ran on first boot. Among the several options available is the ability to overclock, which I eagerly set to high. The good folks at Raspberry Pi claim it will not void the warranty. Even though web browsing is sluggish, the performance of this board seems good enough now for desktop use. Beware, however, some seem to believe that this leads to SD card corruption!

BTW, total cost of ownership: Raspberry Pi $43.02 for the board delivered, plus SD card, video adapter, power stuff, etc comes to $65; plus I'm using an old Apple keyboard & mouse, ethernet, and a spare monitor.

Right off the bat, I had to edit /etc/default/keyboard and change the keyboard language from "gb" to "us" to get the @ sign to type right. You can also do this with raspi-config, and be sure to run "sudo setupcon" right away to avoid delays in rebooting. After a perfunctory update && upgrade, I added the tsocks package which allows me to use a SOCKS connection with the Midori browser.

Open /etc/tsocks.conf, comment out all lines except:

server = 127.0.0.1
server_type = 5
server_port = 1080

Then open an ssh connection to the computer you want to tunnel through, using the same port above:

ssh -D localhost:1080 tunnelcomputer.com

Finally, open the browser, using the tsocks argument first (you can do this with most any program!)

tsocks midori

Voilà! Go to whatismyip.com and verify your SOCKS connection. But remember, DNS requests don't go through SOCKS in the Midori browser. (IceWeasel, the Debian version of Firefox, can.)

Next, I installed mpc and mpd software, which allow playing audio streams over the internet.

sudo apt-get install mpd mpc

If you man mpc, you can get a list of commands available, but here's how to add an internet stream and play it. Note that when you start/restart the RPi, your stream will immediately start! I'm playing the Shoutcast address for prog station Stellar-Attraction.

sudo mpc add http://stellar-attraction.net:8000/
mpc play

You can also load a folder by cd'ing to it, and then telling mpc to queue it up:

mpc ls | mpc add
mpc play

Pretty slick. Loads of commands, like shuffle, current, clear, etc. More about MPC and MPD here.

Other things to install for music are:

sudo apt-get install moc libflac-dev

Next, let's see if I can stream my Squeezebox Server from home (have to open ports on the router first)!

dynamic port forwarding with ssh

Need to surf securely at work, or on a public wifi? Here's the poor man's vpn. Using an OpenSSH connection to your host machine with the dynamic "-D" flag, you can create a SOCKS proxy for a web browser on another machine. On a Windows machine, you'll need to use Putty to get your ssh connection.
Here's the connection:

ssh -D port user@hostmachine

Once you connect via ssh to your host, configure Firefox to use the SOCKS proxy server. (Options>Advanced>Network>Connections)

For even more security, you can also configure Firefox to route all its DNS requests through the same tunnel. From Firefox's address bar, type "about:config" for "advanced" settings, then look for the key "network.proxy.socks_remote_dns" and set it to true by double-clicking. Done! All your surfing will tunnel through your host machine.

To verify that everything's working, point Firefox here to verify the IP address matches that of the host machine.

ssh-keygen

There's a couple of reasons to use keys for ssh connectivity, but not entering a password has to be at the top of the list.

[EDIT: This first part was written for Mac OS X].
First, create a key pair with dsa encryption on your local machine: BTW, I didn't enter a passphrase because I don't want to enter one later when I connect. Make sure you have a secure console if you skip this option.

one:~ one$ ssh-keygen -t dsa
one:~ one$ ls .ssh
id_dsa      id_dsa.pub	        known_hosts

Copy the public key to the remote server you wish to connect to:

one:~ one$ scp .ssh/id_dsa.pub user@two:~
Password:
id_dsa.pub                                    100%  635     0.6KB/s   00:00  

ssh to the remote server, and move the key to the right place and fix permissions so only the user you logged in as can use it:

one:~ one$ ssh user@two
Password:
two:~ user$ mv id_dsa.pub .ssh/authorized_keys
two:~ user$ chmod 600 .ssh/authorized_keys 

If you have more than one key, then you need to cat them onto authorized_keys:

cat new_key.pub >> .ssh/authorized_keys

Now log in to the remote server and you won't be prompted for a password! It may also be a good idea to regenerate the keys after a period of time, especially if you don't use a passphrase.

[EDIT: This was revised for Ubuntu/Raspbian] Create a key pair with rsa encryption on your local machine (this is the machine you will login FROM, e.g. one): BTW, I didn't enter a passphrase because I don't want to enter one later when I connect. Make sure you have a secure console if you skip this option.

one:~ one$ ssh-keygen -t rsa
one:~ one$ ls .ssh
id_rsa      id_rsa.pub	        known_hosts
one:~ one$ ssh-add
Identity added: /home/one/.ssh/id_rsa (/home/one/.ssh/id_rsa)

Copy the public key to the remote server you wish to connect TO, e.g. two:

one:~ one$ scp .ssh/id_rsa.pub user@machine_two:~
Password:
id_rsa.pub                                    100%  635     0.6KB/s   00:00  

ssh to the remote server, cat the key to the right location, and fix permissions so only the user you logged in as can use it:

one:~ one$ ssh user@machine_two
Password:
machine_two:~ user$ cat id_rsa.pub >> .ssh/authorized_keys
machine_two:~ user$ chmod 600 .ssh/authorized_keys
machine_two:~ user$ rm id_rsa.pub
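The server-side steps above as one repeatable helper, added here as an example and not part of the original post: it appends rather than overwrites, skips a key that is already present, and sets the permissions on both .ssh and authorized_keys. The function name install_pubkey and the sample key line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). install_pubkey is a hypothetical helper
# to run on the server, in place of the mv / cat >> / chmod steps.
# Any key type works; note OpenSSH 7.0 and later reject DSA (ssh-dss) keys by default.

install_pubkey() {
    # $1 = uploaded public key file, $2 = home directory of the login account
    pub=$1
    sshdir=$2/.ssh
    auth=$sshdir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 2; }
    # Catch the classic slip of uploading id_rsa instead of id_rsa.pub.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a private key; refusing" >&2
        return 3
    fi

    # With StrictModes (the default) sshd refuses keys when the directory
    # or the file is writable by group or others.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # If the file lacks a final newline, ">>" would glue two keys onto one line.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi

    # Append only if this exact line is not already authorised.
    grep -qxF -f "$pub" "$auth" || cat "$pub" >> "$auth"
}

# Demo on a throwaway directory with a constructed (non-functional) key line.
demo_home=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-EXAMPLE one@one' > "$demo_home/id_rsa.pub"
install_pubkey "$demo_home/id_rsa.pub" "$demo_home"
install_pubkey "$demo_home/id_rsa.pub" "$demo_home"   # second run adds nothing
wc -l < "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```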

If you're using an encrypted home folder (as you very well should), you'll need a couple of extra steps to get everything to work.

First, create a folder /etc/ssh/<user name>, chown it to <user name> and give it 755 permissions. Next, copy the authorized_keys file to it, ensure <user name> owns it and give it 644 permissions. Then, add this line in your /etc/ssh/sshd_config file:

AuthorizedKeysFile /etc/ssh/%u/authorized_keys

Restart the ssh service and you should be good to go. Note that you will need to mount your encrypted home folder once you ssh in (ecryptfs-mount-private).