As I announced, I got a Raspberry Pi 2 Model B and although I did not get much time to play yet with it, it was just an excuse to get back to programming and a little computer science fun.
Anyway, I’ve installed Raspbian on it and did a few configurations which I think are worthy to share with others. I’m not going to describe a step-by-step to install a Linux distribution on your Pi, I recommend trying NOOBS and check the good documentation from the Raspberry Pi Foundation. With this setup you can choose during the installation process which Linux distribution to install.
That’s what I did as a warm-up and a quick way to get an up-and-running Pi.
Note that the Raspberry Pi 2 has a new CPU (ARMv7) which is not yet fully exploited by most distribution targeted at the Raspberry Pi ecosystem (with the exception of the Linux kernel). There is one exception: Snappy Ubuntu Core but it is yet alpha. However it should be possible to install most standard Linux distribution that are supporting ARMv7 instructions set, however this is an interesting exercise which I did not perform (yet).
Anyway, using the NOOBS installation or any of the images provided for SD Card has several implication in terms of security. Here is what I recommend to do after the first boot.
Changing password and locking root
If you use the Raspbian installation, then you have one user account `pi’. If you haven’t changed the password for this user during installation, then better do it now. Once connected as `pi’ do:
$ passwd
And enter and then confirm the password you want to use.
With Raspbian, the `pi’ user has administrator’s rights. You can call sudo to perform system changes. If you are comfortable with that, then simply lock the root account:
$ sudo passwd -dl root
Or if you simply want to give a password of your own and use root:
$ sudo passwd root
Getting some Entropy
I am preparing a more detail article on this topic, so for now I am only going to give some background and the commands to increase the sources of entropy. Entropy is important, you need sufficient entropy (which your Linux kernel can gather for you) to be able to generate good pseudo-random numbers. Those numbers are used by many cryptographic services, such as generating SSH keys or SSL/TLS certificates.
The problem with embedded devices such as the Raspberry Pi (especially if you run it headless like I do) is that there aren’t many sources of entropy available to the kernel, especially at boot time.
The Raspberry Pi has an integrated hardware random number generator (HW RNG) which Linux can use to feed its entropy pool. The implication of using such HW RNG is debatable and I will discuss it in the coming article. But here is how to activate it.
First of all, load the kernel module (aka driver) for the HW RNG (the Raspberry Pi 2 can use the same kernel module as the Raspberry Pi 1 models). The Linux way of doing it is via modprobe:
$ sudo modprobe bcm2708-rng
If it worked a new device should be now available /dev/hwrng
and the following should be visible in the system messages:
$ dmesg | tail -1 [ 133.787336] bcm2708_rng_init=bbafe000
To make the change permanent, on any Linux system you simply load the module in the /etc/modules file by adding a new line with bcm2708_rng (see next command). Or you can use the Raspberry Pi firmware Device Tree (DT) overlays (see below).
$ sudo bash -c 'echo bcm2708_rng >> /etc/modules'
Now install the rng-tools (the service should be automatically activated and started, default configuration is fine, but you can tweak/amend it in /etc/default/rng-tools
)
$ sudo apt-get install rng-tools
After awhile you can check the level of entropy in your pool and some stats on the rng-tools service:
$ echo $(cat /proc/sys/kernel/random/entropy_avail)/$(cat /proc/sys/kernel/random/poolsize) 1925/4096 $ sudo pkill -USR1 rngd; tail -15 /var/log/syslog rngd[7231]: stats: bits received from HRNG source: 100064 rngd[7231]: stats: bits sent to kernel pool: 40512 rngd[7231]: stats: entropy added to kernel pool: 40512 rngd[7231]: stats: FIPS 140-2 successes: 5 rngd[7231]: stats: FIPS 140-2 failures: 0 rngd[7231]: stats: FIPS 140-2(2001-10-10) Monobit: 0 rngd[7231]: stats: FIPS 140-2(2001-10-10) Poker: 0 rngd[7231]: stats: FIPS 140-2(2001-10-10) Runs: 0 rngd[7231]: stats: FIPS 140-2(2001-10-10) Long run: 0 rngd[7231]: stats: FIPS 140-2(2001-10-10) Continuous run: 0 rngd[7231]: stats: HRNG source speed: (min=824.382; avg=1022.108; max=1126.435)Kibits/s rngd[7231]: stats: FIPS tests speed: (min=6.459; avg=8.161; max=9.872)Mibits/s rngd[7231]: stats: Lowest ready-buffers level: 2 rngd[7231]: stats: Entropy starvations: 0 rngd[7231]: stats: Time spent starving for entropy: (min=0; avg=0.000; max=0)us
Securing SSH – the basic
I run my Pi headless for the moment. So after the first boot, I went into the advanced configuration of the raspi-config and activated SSH daemon. I’m not here going to describe how to properly secure the SSHd daemon, which can be a topic for a future article. I’m only going to focus on one topic which is SSH host keys.
SSH host keys are the means for a user connecting to a remote server to verify the authenticity of the server. That the sort of message you see the first time you connect to an SSH server:
$ ssh pi@raspberrypi The authenticity of host 'raspberrypi (192.168.1.52)' can't be established. ECDSA key fingerprint is 42:3d:4f:b7:0b:4b:62:11:47:28:cc:86:76:0c:ac:24. Are you sure you want to continue connecting (yes/no)?
If an attacker tries to spoof your SSH server, on connection you will get this message:
$ ssh pi@raspberrypi @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ECDSA key sent by the remote host is 42:3d:4f:b7:0b:4b:62:11:47:28:cc:86:76:0c:ac:24. Please contact your system administrator. Add correct host key in /home/pithagore/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /home/pithagore/.ssh/known_hosts:3 remove with: ssh-keygen -f "/home/pithagore/.ssh/known_hosts" -R raspberrypi ECDSA host key for raspberrypi has changed and you have requested strict checking. Host key verification failed.
So this is all good, but the problem with these host keys is that you cannot really trust the one installed by default. They could be the same as the one from the image you downloaded and flashed on your SD Card, and so would be similar to all other persons installing the same image. Another problem is that they could have been generated at a point in the installation where not enough entropy was gathered by the kernel to be able to provide non-predictable random numbers. Therefore someone could use this to generate new host keys that would match the one on your Raspberry Pi.
Now that in the earlier chapter we added good source to feed the entropy pool, we can regenerate better host keys. First get rid off the previous ones:
$ sudo rm /etc/ssh/ssh_host_*key{,.pub}
Then generate new ones with one of the 3 possibilities:
- Automatic configuration using dpkg
$ sudo dpkg-reconfigure openssh-server Creating SSH2 RSA key; this may take some time ... Creating SSH2 ECDSA key; this may take some time ... Restarting OpenBSD Secure Shell server: sshd.
- Automatic configuration using ssh-keygen
$ sudo ssh-keygen -A $ sudo service ssh restart
- Manual configuration
$ sudo ssh-keygen -t rsa -b 4096 -N "" -f /etc/ssh/ssh_host_rsa_key $ sudo ssh-keygen -t ecdsa -b 521 -N "" -f /etc/ssh/ssh_host_ecdsa_key $ sudo service ssh restart
Now if you want to print the fingerprint of any of your host keys to make sure of the authenticity of the server you are connecting to (should only be needed the first time your client connects to your server):
$ ssh-keygen -l -f