Jip-Hop / sedunlocksrv-pba

Conveniently unlock your Self Encrypting Drive on startup (via HTTPS) without the need to attach monitor and keyboard
GNU General Public License v3.0

add ssh connectivity #3

Closed kapitainsky closed 1 year ago

kapitainsky commented 1 year ago

Very nice little tool - real clever.

Would it be very difficult to add ssh connectivity? So I could unlock drive over SSH?

Jip-Hop commented 1 year ago

Glad you like it. I think it would be possible to add SSH connectivity but I have no plans to do so. Why do you need it and what benefit would it have over HTTPS? You can also use curl to unlock the server if your goal is to unlock the server from the command line instead of via the browser.

kapitainsky commented 1 year ago

Thank you for quick answer.

I do use self-signed certs with a self-signed CA that browsers trust. Nowadays Safari and Chrome only trust certs (green padlock when self CA is trusted) if cert validity is less than 398 days. It means that every year I would have to reimage a new PBA to keep it to my standard.

I do understand you don’t need SSH:(.

You cracked the main problem, how to create a custom image - maybe I will have to have a look at the details and try to add SSH.

Jip-Hop commented 1 year ago

I see. I think I explicitly trusted my self signed certificate (not the CA) and had no issues with the 10 years validity. I'm using Firefox and on iOS Safari. But I rarely need to unlock the server so I may be mistaken, it has been a while.

Keep in mind that if you go with SSH you need to re-flash in case you want to change the ssh user password, or if you use key based authentication you'd need to re-flash each time you want to add/remove a key (to allow a device to connect without password).

Good luck :)

Jip-Hop commented 1 year ago

Feel free to post here if you have a solution for unlocking with SSH. Could be helpful for others looking for the same thing.

kapitainsky commented 1 year ago

If it happens one day I will do PR.

I think way to go is dropbear - already started thinking about it:)

kapitainsky commented 1 year ago

One more question re pba.img - as I understand it is a bootable system. For testing I tried to spin it up in VMware but it does not start. How did you do testing? Does it require flashing the SED drive?

Jip-Hop commented 1 year ago

I think I flashed it to a USB drive each time I wanted to test it and inserted it into a spare PC with a SED inside. That way I could test on actual hardware without having to go through the whole SED PBA flash procedure.

kapitainsky commented 1 year ago

thx. So this image should boot... hmmm. For ssh testing initially I do not need SED drive at all and ideally would test in VM

kapitainsky commented 1 year ago

Ok first I have to make your image work. There is a small issue:

https://github.com/Jip-Hop/sedunlocksrv-pba/blob/807b13b7c805f734f57ba8c1630d41da4e5654d5/build.sh#L133

wget http://security.ubuntu.com/ubuntu/pool/main/g/grub2-unsigned/grub-efi-amd64-bin_2.04-1ubuntu44.2_amd64.deb -O /tmp/grub-efi-amd64-bin.deb
--2023-04-27 12:53:58--  http://security.ubuntu.com/ubuntu/pool/main/g/grub2-unsigned/grub-efi-amd64-bin_2.04-1ubuntu44.2_amd64.deb
Resolving security.ubuntu.com (security.ubuntu.com)... 185.125.190.39, 185.125.190.36, 91.189.91.39, ...
Connecting to security.ubuntu.com (security.ubuntu.com)|185.125.190.39|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2023-04-27 12:53:59 ERROR 404: Not Found.

does not exist.

This is probably why the resulting image is corrupted.

Jip-Hop commented 1 year ago

I think you are right. I have updated the build script. Could you try again?

kapitainsky commented 1 year ago

Thx. One step forward.

I can build the image but cannot boot from it.

I build on Ubuntu 20.04 LTS

I noticed that I have to run boot.sh as root. Is it correct? Otherwise I get a flood of errors.

Jip-Hop commented 1 year ago

Have you flashed it to the PBA of your SED (or tried to boot from a USB drive)? This is to rule out there's something wrong with the image itself, as the issue may be within VMware.

kapitainsky commented 1 year ago

step by step - so first make boot from USB success.

Tried VMware, Proxmox and some old laptop

kapitainsky commented 1 year ago

On quick inspection it looks ok. But does not boot

sudo fdisk -l sedunlocksrv-pba.img 
Disk sedunlocksrv-pba.img: 38 MiB, 39845888 bytes, 77824 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xdd88aa80

Device                Boot Start   End Sectors Size Id Type
sedunlocksrv-pba.img1       2048 77823   75776  37M  a OS/2 Boot Manager

Shouldn't Boot be shown as * ??

Jip-Hop commented 1 year ago

I just confirmed a fresh build of the image works (built with Docker) inside VirtualBox.

Had to run these commands to make the image compatible with VirtualBox: VBoxManage convertfromraw --format VDI sedunlocksrv-pba.img sedunlocksrv-pba.vdi

kapitainsky commented 1 year ago

Ok trying VBox now

kapitainsky commented 1 year ago

progress

Thank you very much for your help. Now I can try to attack ssh part:)

kapitainsky commented 1 year ago

BTW tiny linux released v14 - might be worth bumping it too

Jip-Hop commented 1 year ago

Nice :) Looks like you already modified some stuff (I don't get the "can't open file" errors). Good luck with SSH!

Feel free to bump to a new version of tiny core linux. Currently I don't have spare hardware available to develop and test a new release of sedunlocksrv-pba. Besides, the current version is working flawlessly for me :D

kapitainsky commented 1 year ago

Your stuff works perfectly - now I am going to change it:)

kapitainsky commented 1 year ago

ok I can now ssh to tiny core when your webserver is running. Effectively having an alternative way to proceed with drive unlocking

However there is no way to ssh as root (looks like they do not like it and patched even openssh). So it will be tc user.

Now I am thinking about a bash script to manage unlocking - no changing passwords or anything too funky. It will be bare metal unlock - reboot.

My question - if there are multiple SED drives is it possible to get their names? In case they have different passwords. Otherwise no idea what I am typing the password for.

kapitainsky commented 1 year ago

And sorry for using this closed issue as a conversation thread. But seems it is the easiest:)

kapitainsky commented 1 year ago

I need your advice - I am staring at opal-functions.sh but can't see how to approach it

High level my idea is - ssh will be limited to one command (script) asking user for password

if correct -> reboot if not -> ask again

but how to handle multiple disks with different passwords hmmmm... it would be nice if script goes like this:

Unlock Samsung Serial number ABC -> try the same passwords for other disks - if ok reboot. If not ask to unlock Micron Serial Number XYZ - until the end then reboot

What do you think?

Jip-Hop commented 1 year ago

Nice progress. My server doesn't let you specify for which disk you're providing the password. So I don't think there's a need to do so via SSH. Just apply the password to all disks.

I think the bash script you start from SSH needs 2 options: password entry and reboot.

It could even be 1 option (text prompt). Type the password to unlock or if you type "reboot" to reboot. But in that case you can't unlock a drive which has "reboot" as password.

kapitainsky commented 1 year ago

yeap - for funky stuff there is your https server. ssh is for lazy people with simple needs. I will polish it now and PR

kapitainsky commented 1 year ago

prompt for password -> if not unlocked prompt again -> if unlocked "happy day" message "press enter to reboot"
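An added sketch of that prompt loop (example code, not kapitainsky's PR and not from the sedunlocksrv-pba repository): the Opal unlock itself is delegated to a hypothetical `$UNLOCK_CMD` (a real script would call the repo's opal-functions.sh helpers), a constructed stand-in is used so it runs offline, the reboot is a separate "press Enter" step so a password that happens to be "reboot" stays unambiguous, and a retry cap is added so the SSH-restricted command cannot be looped forever.

```shell
#!/bin/sh
# Added example (not project code): password prompt loop for an SSH-restricted
# unlock command. Flow: prompt -> if not unlocked, prompt again -> once unlocked,
# wait for Enter and reboot.

# Run the unlock command with the password on stdin, never in argv, so it does
# not show up in the process list of the PBA system.
try_unlock() {
  printf '%s' "$1" | ${UNLOCK_CMD:-unlock_all_disks_stub}
}

# Constructed stand-in so the example runs offline: "unlocks" when the password
# equals $DEMO_PASSWORD. Replace with the real Opal unlock of all disks.
unlock_all_disks_stub() {
  pw=$(cat)
  [ -n "$pw" ] && [ "$pw" = "${DEMO_PASSWORD:-}" ]
}

# Prompt until a password unlocks or attempts run out (default 3).
# Terminal echo is disabled only when stdin is a tty. Returns 0 on unlock,
# 1 when attempts are exhausted or stdin hits EOF.
unlock_loop() {
  max=${1:-3}; n=0
  while [ "$n" -lt "$max" ]; do
    n=$((n + 1))
    printf 'SED password (attempt %d/%d): ' "$n" "$max" >&2
    [ -t 0 ] && stty -echo
    IFS= read -r pw || return 1
    [ -t 0 ] && { stty echo; echo >&2; }
    if try_unlock "$pw"; then
      echo 'Drive(s) unlocked.' >&2
      return 0
    fi
    echo 'Unlock failed, try again.' >&2
  done
  return 1
}

# Entry point for use as the forced SSH command: unlock, then Enter to reboot
# (running as the tc user, as in the thread, reboot would need sudo).
ssh_unlock_main() {
  if unlock_loop 3; then
    printf 'Press Enter to reboot... ' >&2
    IFS= read -r _
    reboot
  fi
  echo 'Too many failed attempts.' >&2
  exit 1
}
```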

Jip-Hop commented 1 year ago

Sounds good. But please make it in such a way that it is optional. I prefer not to start an SSH server I'm not using.

kapitainsky commented 1 year ago

kk

I want to keep it simple - so build.sh for web only and build_ssh.sh for ssh only. If somebody wants both they can customize - I will leave the https stuff commented in build_ssh

Jip-Hop commented 1 year ago

I appreciate your efforts but if you want to merge your ssh contribution I'd prefer it to be integrated (disabled by default) into the build script. I wouldn't be happy with 2 build scripts with mostly duplicate code (meaning 2 places to bump the tiny core linux version etc.). I hope you understand.

kapitainsky commented 1 year ago

ok - I prefer to keep everything where it started. so will adapt to your preferences. PR will follow for review in a few days (I did only a proof of concept for now). We can always change it so all is cool