OpenSSH, Google Authenticator, PuTTY, Xming X, Ubuntu Lightdm (disable), and Grub text mode

Just notes to self for setting-up OpenSSH on Ubuntu and Raspberry Pi. Will add to over time.

https://help.ubuntu.com/lts/serverguide/openssh-server.html

First of all I installed OpenSSH server:

sudo apt-get install openssh-server

Normally in Windows I use Putty (portable putty alternative … for Xming X Server). Depending on name resolution available to me which is limited at the moment on my network/sub-networks, I might use hostname resolution on my main router for devices leasing via DHCP, or, and especially for use over my Raspberry Pi VPN, I’ll use the DHCP leased IP address (ARP-bind to MAC address). Eventually I’ll have to set-up a local DNS server but was holding-out until I could afford a Windows Server. Might look at using Dnsmasq – maybe forwarding DNS requests to it over the VPN on the Pi as well. But for now I’m stuck with IP addressess. (I’m assuming the VPN on PFsense is set-up to forward DNS).

I use keys occasionally, but as I tend to mix-up hardware/OS etc. for experiment/production on limited home resources and in limited time, it’s hard to manage everything so I prefer just using the two-factor approach meaning I can have a couple of phones (themselves protected) set-up with Authenticator Plus, and my Pebble watch with something similar, with those keys backed-up elsewhere. A little bit more inconvenient on a daily basis, but peace of mind knowing if I forget about some VM or device, left unencrypted in some experimental state or just made obsolete without decommissioning for some reason, it won’t necessarily reveal all of my authentication secrets.

Good tutorial though not 100% for me as I don’t want to use keys (mostly): https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04

install libpam-google-authentiator
google-authenticator

Important Run “google-authenticator” in the normal log-in account it’s to be used for! As soon as it starts, it deletes the old config/secret-key: ~/.google-authenticator so only run it if absolutely necessary!

Then I usually use the hardened options in reply to set-up questions from the helper-app.

Using passwords e.g. Google-Authenticator and normal password over SSH does restrict some of the things that can themselves establish a SSH tunnel e.g. Nautilus. nb for x11 apps through the tunnel, I’ve struggled with Nautilus and tend to use PCManFM. Anyway, TODO, look at using separate accounts so I can use two factor, but some devices unlikely to ever be abandoned can use keys just for things like Nautilus. (Or, actually, just make keys an option – I should review the Digital Ocean tutorial).

I still need to configure OpenSSH, and to help me I’m going to look at what I’ve already done on another machine as I’ve misplaced my notes (driving me crazy – wasted half a day searching for them: not where they’re meant to be). This other machine is a compute stick – with Ubuntu 16.04 LTS desktop rather than server because of initial UEFI issues then confusion with batteries and power issues … but the Display Manager is disabled at boot … but also Grub is set to Text mode (rather than nomodeset) to avoid another display driver problem on the compute stick that masquerades like a disk issue … long story I hope to post about sometime. The compute stick also requires a CPU c-state idle setting to avoid another bug.

x64 BayTrail UEFI computer with 2GB Ram running Ubuntu 16.04 LTS, 3 USB hubs including 2 network interfaces, a Pi zero, an 868MHz AES 128 encrypted RF transparent serial USB transceiver with decent range, a 5-port 1Gbit switch (using a DC-DC step-up module for 9V), all going through a 5V powerbank with UPS properties. Total idle-ish power for the lot: 5.4W.

Without my notes I’m not sure what I did to disable lightdm on boot. Found this on askubuntu.com:

sudo systemctl set-default multi-user.target

I’m sure I only needed to do: sudo lightdm start to start-up lightdm on demand. But the accepted answer for this on askubuntu.com seems to be sudo systemctl start lightdm.service so I’m a bit confused. I might have done things in a different (maybe incorrect) way.

To restore boot to GUI:

sudo systemctl set-default graphical.target

And what I did have to do is not only remove splash (I also removed quiet as I want to see what’s going on!), but also put text, in grub:

sudo nano /etc/default/grub</code>
GRUB_CMDLINE_LINUX_DEFAULT="intel_idle.max_cstate=1 text"
... <code>sudo update-grub

No display manager is running at all on Ubuntu on the Compute Stick. I’ve already installed Xming on Windows:


Now I can do something like (having installed pcmanfm – and don’t seem to need to use gksu with it etc. for root … and I need root for when I want to edit ssh files):

Also makes it easier for me (being a Windows guy) to take screenshots and document:

sudo service ssh restart

In sshd_config I change ChallengeResponseAuthentication to ‘yes’, and it looks like I added “X11UseLocalhost yes” and “xAuthLocation /usr/bin/x11/xauth” too. I don’t know why. Obviously related to x11 stuff over ssh probably. x11 is just a symlink back to /usr/bin … some legacy compatibility thing, and I thought xauth was a binary to generate .xauthority files. Don’t know if I put it there or not, maybe following some tutorial or maybe I thought it necessary to get ’round some OpenSSH issue with windows. Grrr … I hate losing notes! Don’t think I need it, but don’t want to break anything accidentally and find-out next year.

e.g. gnome-disks (over x11).
sudo mv /usr/bin/nautilus /usr/bin/nautilus.bak
sudo ln -s /usr/bin/pcmanfm /usr/bin/nautilus
I tried changing the default file manager as Nautilus brings the whole desktop with it over x11 and crashes my Xming, but not sure what to do yet to make the mount links in gnome-disks work again after I do that.
sudo gnome-system-monitor is another handy resource that works over x11. This is the Compute Stick. If I could get Ubuntu Server working on it, or a more minimal install of the desktop version – or just start disabling services I don’t need, then I bet I could get that resource use even lower, leaving more room for Docker containers.
Synergy (sharing mouse/keyboard), OpenSSH, PuTTY and Xming all work together nicely – e.g. handy full screen terminal window on the tablet.
No need to open-up port 3306 (or alternative) to use mysql-workbench … I can leave users set to localhost only etc.

That’s it.I do this on all my linux boxes incl. Raspbian Raspberry Pi’s, but for the most part restrict ssh access to local networks (and VPN). I might use 3-factor eventually for ports exposed on the internet.