Implement SSH access for field-deployed bee tracker boxes

SheffieldMLtracking / BBSRC_ohio

This is a placeholder repository for the BBSRC project; to allow us to assign tasks.

GNU General Public License v3.0

0 stars 0 forks source link

Implement SSH access for field-deployed bee tracker boxes #16

Open Joe-Heffer-Shef opened 2 months ago

Joe-Heffer-Shef commented 2 months ago

We need a way to remotely access the OS of bee trackers that are deployed in the field in Ohio.

The options appear to be:

Use the Ohio SSH gateway
Reverse SSH tunnel via a TUOS VM
Connect to UoS VPN (auto-connect using SSL cert?)
Peer-to-peer virtual/software VPN such as ZeroTier

Reverse SSH tunnel access

Mike 29th March 2024

I was thinking of setting up a reverse ssh tunnel to a server online -- then you and I can ssh in remotely to configure etc the boxes (might be particularly useful once they're on the roof of the greenhouse). Maybe something that retries making the ssh connection if it's lost, so we can maintain access and reboot etc.

To-do list for SSH tunnel:

[ ] Does this approach raise security problems? Unencrypted SSH key sitting on the Pi SSD card.
[ ] Set up a TUOS VM with SSH server
[ ] Make the bee tracker Pi OS automatically maintain a reverse SSH tunnel to that TUOS VM
[ ] Implement authentication to control access permissions

Ohio SSH gateway access

The IT person David Pick as OSU seemed to think that would be ok -- or he also said it would probably be better in the long run for us to be given a guest account so we can ssh into the 'gateway' ssh servers that then give access to the internal network.

To-do list for Ohio gateway access

[ ] ??? Talk to David Pick at OSU

lionfish0 commented 1 month ago

Instructions for update to pi...

add this line to /etc/rc.local /home/pi/bee_track/startupssh

run: sudo apt install autossh

create file: /home/pi/bee_track/startupssh, containing: sleep 30 autossh -f -R 5003:localhost:22 ohio@54.237.238.250 -i/home/pi/.ssh/ohio2.pem -N

chmod 755 /home/pi/bee_track/startupssh

(change port from 5003).

check .ssh folder exists

add ohio2.pem

run as root@raspberrypi:/etc# ssh -R 5003:localhost:22 ohio@54.237.238.250 -i/home/pi/.ssh/ohio2.pem

it will ask... The authenticity of host '54.237.238.250 (54.237.238.250)' can't be established. ECDSA key fingerprint is SHA256:kJl6prN6B0vkldUmBrjfuY72VReY6e+4F8FpD7n8iNk. Are you sure you want to continue connecting (yes/no)? yes

(this just stops it prompting in future -- to do figure out how to stop the prompt happening, so we avoid failing the autossh process)

lionfish0 commented 1 month ago

How to add supplementary tunnels to access webpage and FLASK API:

start by getting to the server... ssh 54.237.238.250 -lohio on the server, connect to the pi... ssh 127.0.0.1 -p5006 -lpi run this on the pi... ssh -N -R 8006:localhost:8000 ohio@54.237.238.250 -i/home/pi/.ssh/ohio2.pem & can test on server with links 127.0.0.1:8006 ssh -N -R 6006:localhost:5000 ohio@54.237.238.250 -i/home/pi/.ssh/ohio2.pem & can test on server with links 127.0.0.1:6006

then, on laptop ssh -N -L 8006:localhost:8006 54.237.238.250 -lohio & can test by opening a browser to http://127.0.0.1:8006/

then, on laptop again, ssh -N -L 6006:localhost:6006 54.237.238.250 -lohio & can test by opening a browser to http://127.0.0.1:6006/ then alter the port in the webpage, where it says url to API:

lionfish0 commented 4 days ago

@Joe-Heffer-Shef Here's how we start the reverse ssh tunnel