formigarafa / robotito

Terminal shell accessible through a jabber connection
MIT License

Authentication how-to #8

Closed JarnoThierolf closed 6 years ago

JarnoThierolf commented 6 years ago

I've used Robo-TiTO a few years ago and was happy with it. Now I tried to install it again and have some problems. I got it to register the xmpp account correctly. I can see it come online from another account. A few years ago there were no one time passwords and I can't figure out how it works.

In the credentials.rb file in the PASSWD section, what kind of username needs to be used here exactly? The user of the account I want to use for remote access? Only the username or including the @server.com part?

What do I need to do for authentication? Just enter the six digits from Google Authenticator? After that I could directly send shell commands?

Sorry, probably I just overlook something, but right now I can't figure out how it works. Is there another way to contact you?

formigarafa commented 6 years ago

No worries @JarnoThierolf , I know this process is more complicated than the previous one. I simply never got completely happy with the previous authentication method and I wanted to include a safe option. Unfortunately, safe is now the only option.

Ok, here we go. That PASSWD hash can contain a list of users and their respective secrets to create the one time passwords. The "username" can be anything you want and the base 32 secret has to contain only characters from ABCDEFGHIJKLMNOPQRSTUVWXYZ234567. Uppercase or lowercase makes no difference. http://en.wikipedia.org/wiki/Base32#RFC_4648_Base32_alphabet

You will use the same secret on google authenticator.

When you are logging in, the bot will ask you for the username to be used to generate the six-digit password.

This is an example session of the script I copied from a real use case.

 me: - me
bot: - Unknown User: me

 me: - formigarafa
bot: - Welcome, formigarafa. Please send authentication.

 me: - 197480
bot: - Authentication successfull.
       /$>

 me: - ls
bot: - bin
       boot
       ...
       /$>

 me: - exit
bot: - Logged out

JarnoThierolf commented 6 years ago

Thanks for the fast and detailed explanation. I like the additional security through one time passwords. Now I understand how it should work, but unfortunately it doesn't work like that in my setup. As already told, the bot comes online, but it actually doesn't seem to do anything. I can write whatever I want to the bot account, but nothing happens. I don't get any reply. I'm using a Raspberry Pi 3 with Raspbian 9 stretch Lite. Probably some library or so is missing because of the Lite version of Raspbian. Or it might be a problem with the ARM processor? Are there any logs or can I get any debug output?

I also tried to install Robo-TiTO on an Arch Linux laptop, but there the account doesn't seem to come online. I would like to investigate that after I got the Raspberry Pi 3 to work. ;)

formigarafa commented 6 years ago

About debugging: you can run the bot using ./robotitod run; that way it does not daemonize and you can get some feedback.

One trap I found myself falling into is that new google accounts come locked by default for external Jabber clients. Have a look here if that is the case: https://support.google.com/accounts/answer/6010255?hl=en And unlock it here: https://myaccount.google.com/lesssecureapps?pli=1. Now, please, read the notes google provide and be sure to understand what you are doing.

Please tell me if this helped.

JarnoThierolf commented 6 years ago

I also found the issue with google security and activated the less secure apps for one test account. Then I was able to login with a standard Jabber client. To avoid any issues with google accounts I made some accounts at a standard XMPP server (jabjab.de). So the google security shouldn't be an issue here.

I'll try more at the Raspberry Pi 3 when I got some time at home.

Following is the output I get on the Arch Linux machine. The account doesn't seem to get online, but the server is clearly reachable. Not sure what is wrong here.

[eagle@syncstation robotito]$ ~/robotito/robotitod run
Connecting...
Connected.
Traceback (most recent call last):
        28: from /home/eagle/robotito/robotitod:6:in `<main>'
        27: from /home/eagle/.gem/gems/daemons-1.2.4/lib/daemons.rb:196:in `run_proc'
        26: from /home/eagle/.gem/gems/daemons-1.2.4/lib/daemons/cmdline.rb:92:in `catch_exceptions'
        25: from /home/eagle/.gem/gems/daemons-1.2.4/lib/daemons.rb:197:in `block in run_proc'
        24: from /home/eagle/.gem/gems/daemons-1.2.4/lib/daemons/controller.rb:59:in `run'
        23: from /home/eagle/.gem/gems/daemons-1.2.4/lib/daemons/application.rb:296:in `start'
        22: from /home/eagle/.gem/gems/daemons-1.2.4/lib/daemons/application.rb:275:in `start_proc'
        21: from /home/eagle/.gem/gems/daemons-1.2.4/lib/daemons/application.rb:266:in `block in start_proc'
        20: from /home/eagle/robotito/robotitod:9:in `block in <main>'
        19: from /home/eagle/robotito/lib/robotito.rb:20:in `run'
        18: from /home/eagle/robotito/lib/robotito.rb:20:in `each'
        17: from /home/eagle/robotito/lib/robotito.rb:20:in `each'
        16: from /home/eagle/robotito/lib/jabber_client.rb:26:in `block in received_messages'
        15: from /home/eagle/robotito/lib/jabber_client.rb:26:in `loop'
        14: from /home/eagle/robotito/lib/jabber_client.rb:27:in `block (2 levels) in received_messages'
        13: from /home/eagle/robotito/lib/jabber_client.rb:13:in `cli'
        12: from /home/eagle/robotito/lib/jabber_client.rb:13:in `new'
        11: from /home/eagle/robotito/lib/xmpp4r-simple_patch.rb:10:in `initialize'
        10: from /home/eagle/.gem/bundler/gems/xmpp4r-simple-92e2cd0002ec/lib/xmpp4r-simple.rb:147:in `status'
         9: from /home/eagle/.gem/bundler/gems/xmpp4r-simple-92e2cd0002ec/lib/xmpp4r-simple.rb:331:in `send!'
         8: from /home/eagle/.gem/bundler/gems/xmpp4r-simple-92e2cd0002ec/lib/xmpp4r-simple.rb:322:in `client'
         7: from /home/eagle/robotito/lib/xmpp4r-simple_patch.rb:28:in `connect!'
         6: from /home/eagle/.gem/gems/xmpp4r-0.5.6/lib/xmpp4r/client.rb:56:in `connect'
         5: from /home/eagle/.gem/gems/xmpp4r-0.5.6/lib/xmpp4r/client.rb:56:in `each'
         4: from /home/eagle/.gem/gems/xmpp4r-0.5.6/lib/xmpp4r/client.rb:58:in `block in connect'
         3: from /home/eagle/.gem/gems/xmpp4r-0.5.6/lib/xmpp4r/client.rb:71:in `connect'
         2: from /home/eagle/.gem/gems/xmpp4r-0.5.6/lib/xmpp4r/connection.rb:76:in `connect'
         1: from /home/eagle/.gem/gems/xmpp4r-0.5.6/lib/xmpp4r/connection.rb:76:in `new'
/home/eagle/.gem/gems/xmpp4r-0.5.6/lib/xmpp4r/connection.rb:76:in `initialize': Network is unreachable - connect(2) for "jabjab.de" port 5222 (Errno::ENETUNREACH)
[eagle@syncstation robotito]$ ping -c 3 jabjab.de
PING jabjab.de (78.47.152.161) 56(84) bytes of data.
64 bytes from asgard.n3xt.net (78.47.152.161): icmp_seq=1 ttl=50 time=22.8 ms
64 bytes from asgard.n3xt.net (78.47.152.161): icmp_seq=2 ttl=50 time=11.9 ms
64 bytes from asgard.n3xt.net (78.47.152.161): icmp_seq=3 ttl=50 time=14.7 ms

--- jabjab.de ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 11.945/16.498/22.800/4.600 ms

formigarafa commented 6 years ago

I was trying to reproduce the same one as above but I could not create a jabjab.de account. Ping was fine here, too. But their websites never opened.

formigarafa commented 6 years ago

Errno::ENETUNREACH is very low in the stack. Maybe it could be the server, your network or even your ISP blocking something. But, as I said above, I could not test with this server specifically because I could not create an account. I am not sure, but I have a feeling that there is something wrong with the server.

Anyway, I gave it a shot with another free xmpp provider. My settings were like this below:

BOT_LOGIN    = "formigarafa@jwchat.org"
BOT_PASSWORD = "#########"

# you don't need to set these when the server is well configured
BOT_JABBER_HOST_SERVER = nil
BOT_JABBER_SERVER_PORT = nil

# Robo-TiTO only accepts commands from contacts listed on AllowedUsers array.
PASSWD = {
  formigarafa: "someBase32Secret",
}

And that worked just fine.

JarnoThierolf commented 6 years ago

You were right about the jabjab.de server. Something didn't work there. With jwchat.org the bot started answering. The next problem seemed to be that my Google Authenticator password was too long. I chose a shorter password and now it works great at home with my Raspbian.

Another issue with the Arch Linux machine at another location seems to be the firewall, which is quite restrictive. Interestingly the jabjab.de account worked with the Gajim client, but not with Robo-TiTO. The jwchat.org one doesn't even work with Gajim. I'll try other servers, but I'm not sure if that will help. Of course I could use some kind of tunnel, but that was what I wanted to avoid with Robo-TiTO in the first place.

Anyway thank you for your great support!

formigarafa commented 6 years ago

I am glad you have it working. And yes, you got the point of robotito: those network details are sometimes just not worth it.

Winthan commented 6 years ago

Regarding the Google Authenticator password, it is hard to set up.

I have following in config

PASSWD = {
  # "name": value is Ruby's string-symbol key syntax; no space before the colon
  "agent": "BASE32SECRET",
}

However, when I add that password and username on Google Authenticator as time-based, it never works for me, even if I use the same secret on Google Authenticator. Which password is good enough? FYI: Google Authenticator only accepts keys longer than 16 characters.

JarnoThierolf commented 6 years ago

Did you try the password suggested above, someBase32Secret? It should work well if you take that as the key in Authenticator. Of course you can take something else afterwards, but for testing that should be fine.

Winthan commented 6 years ago

I tried that, and saved that in the config. Once I saved it, I added it right away on Google Authenticator too, and I restarted the server right away. But I am still getting this error: "Authentication failed."

And I got no error at all via "run"

JarnoThierolf commented 6 years ago

Do you use a Gmail account? Is it possible to log in to that jabber account with a standard Jabber client?

One trap I found myself falling into is that new google accounts come locked by default for external Jabber clients. Have a look here if that is the case: https://support.google.com/accounts/answer/6010255?hl=en And unlock it here: https://myaccount.google.com/lesssecureapps?pli=1. Now, please, read the notes google provide and be sure to understand what you are doing.

Winthan commented 6 years ago

I found out it depends on the time of the machine, so I installed https://github.com/mdp/rotp and ran the key to log in, and it works. I needed to adjust the time.
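
A stand-alone Ruby version of what the username/secret/six-digit exchange described earlier and the clock finding above boil down to, added here as an illustration (this is not Robo-TiTO's or rotp's own code; function names are mine): the base32 secret from PASSWD is decoded to key bytes, the current 30-second step is HMAC'd into a six-digit code, and verification tolerates one step of drift, which is why a machine clock that is minutes off still fails authentication.

```ruby
require "openssl"

BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

# A shared secret must use only the RFC 4648 base32 alphabet (case does not
# matter, as noted in the thread); the 16-character minimum is the thread's
# own observation about what Google Authenticator will accept.
def valid_secret?(secret)
  s = secret.upcase.delete("=")
  s.size >= 16 && s.count("^#{BASE32_ALPHABET}").zero?
end

# Decode a base32 secret into raw key bytes (padding optional).
def base32_decode(secret)
  s = secret.upcase.delete("=")
  raise ArgumentError, "secret is not base32" unless s.count("^#{BASE32_ALPHABET}").zero?
  bits = s.each_char.map { |c| BASE32_ALPHABET.index(c).to_s(2).rjust(5, "0") }.join
  [bits[0, bits.size - bits.size % 8]].pack("B*")
end

# RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation.
def hotp(key, counter, digits = 6)
  h = OpenSSL::HMAC.digest("SHA1", key, [counter].pack("Q>")).bytes
  o = h[19] & 0x0f
  code = ((h[o] & 0x7f) << 24) | (h[o + 1] << 16) | (h[o + 2] << 8) | h[o + 3]
  (code % 10**digits).to_s.rjust(digits, "0")
end

# RFC 6238 TOTP: the counter is the number of 30-second steps since the epoch,
# so the phone and the bot host must agree on the current time.
def totp(secret, at: Time.now.to_i, step: 30)
  hotp(base32_decode(secret), at / step)
end

# Constant-time comparison so a wrong digit does not leak through timing.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
end

# Accept the code for the current step and +/- `drift` neighbouring steps.
# A clock that is minutes off (the failure seen in this thread) still fails.
def totp_verify?(secret, code, at: Time.now.to_i, step: 30, drift: 1)
  key = base32_decode(secret)
  (-drift..drift).map { |d| hotp(key, at / step + d) }
                 .map { |c| secure_equal?(c, code) }.any?
end
```

The RFC 6238 test secret "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ" gives "287082" at Unix time 59, which this code reproduces; shift `at:` by 90 seconds and the same code is rejected.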

Winthan commented 6 years ago

Question, how can I send the ctrl+c command?

JarnoThierolf commented 6 years ago

Glad you got it to work. As far as I know that is not possible. You could send this to formigarafa as a feature request. Then he could decide if he would like to make that.

I solved that with restarting robotito every 10 minutes via cron.

If you type "crontab -e", add the following lines:

# Restart Robo-TiTO every 10 minutes
*/10 *    * * *   /home/pi/robotito/startRobotito.sh > /dev/null 2>&1

The script startRobotito.sh just restarts robotito:

#!/bin/bash
# Start Robo-TiTO or restart if already started
cd ~/robotito
./robotitod restart

Of course you would have to use the correct path.

JarnoThierolf commented 6 years ago

And of course you could start a reverse SSH tunnel to have a standard shell.