Wednesday 3 May 2017

Part 2: Configure a Raspberry PI

Configuring a Raspberry Pi


This is Part 2 in the Playing Custom Media Streams with the Amazon Echo series of posts.


Part 1: Playing Custom Media Stream with Amazon Echo Part I
Part 2: Configure a Raspberry PI
Part 3: Obtains and Install LetsEncrypt Certificates
Part 4: Design and Build a https relay
Part 5: Opening network ports to allow correct operation
Part 6: Developing a simple media player application
Part 7: Installing a modified UPNP media server
Part 8: Installing a pseudo-radio station and bridging the UPNP server to the https relay
Part 9: Adding Chromecast casting push support

Installing And Enabling Remote Login

Install the Operating system as follows:
  • Insert the Raspberry Pi NOOBS memory card
  • Connect the Raspberry Pi to a TV or monitor using the HDMI connector
  • Plug in a USB mouse and keyboard
  • Boot the Pi, search for and set up the Wi-Fi network and enter the correct password
  • Select the XXX OS (1.1Gb), and then install
Enable remote logins, and set the hostname, and set other parameters:
  • Reboot, then login as pi/raspberry
  • sudo raspi-config
  • Change the hostname (option 2)
  • Enable SSH (option 5 / P.2)
  • Set the memory split to only reserve 16Mb for video (option 7 / A.3)
For me, the ssh server key files were all empty, so I had to re-build them:
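cd /etc/ssh
# Regenerate each host key; the -t type must match the key file name.
# (DSA host keys are disabled by default since OpenSSH 7.0, so the dsa key is optional.)
sudo ssh-keygen -f ssh_host_dsa_key -N '' -t dsa
sudo ssh-keygen -f ssh_host_ecdsa_key -N '' -t ecdsa
sudo ssh-keygen -f ssh_host_ed25519_key -N '' -t ed25519
sudo ssh-keygen -f ssh_host_rsa_key -N '' -t rsa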
Fix the server's IP address.  This is done most easily on the modem that issues the DHCP addresses, by binding the Pi's MAC address to a fixed IP address.  Alternatively, it can be done within:
  • sudo raspi-config
Finally:
  • Reboot the Pi

Locking Down

In order to lock down the Pi, there are a few recommended steps, including:
  • Setting up a new user account
  • Setting up an admin account
  • Removing the pi account
  • Configuring login via ssh
Firstly, create the users and groups, and when you do, make sure that the passwords are fiendishly complicated (once you've finished, you'll only need these to set up new connections).
sudo adduser localuser
sudo adduser localadmin
sudo addgroup datafiles
Edit the groups, and ensure that the users are in the correct groups, and pi is removed from all.
sudo vi /etc/group
adm:x:4:localadmin
dialout:x:20:localadmin
cdrom:x:24:localuser,localadmin
sudo:x:27:pi,localadmin
audio:x:29:localuser,localadmin
video:x:44:localuser,localadmin
plugdev:x:46:localadmin
games:x:60:localuser
users:x:100:localuser,localadmin
input:x:101:localuser,localadmin
netdev:x:108:localadmin
spi:x:999:localuser,localadmin
i2c:x:998:localuser,localadmin
gpio:x:997:localuser,localadmin
Yes, I realise that pi is still in the sudo group.  Now, disconnect, and re-connect as the user:
ssh localuser@pi-address
Enter the long password, and once connected:
mkdir .ssh      (this will be needed later)
su - localadmin
sudo vi /etc/group
Remove pi from the sudo group.  Then edit the password and shadow password files:
sudo vi /etc/passwd
sudo vi /etc/shadow
Remove the pi entry from each file.  Finally, remove the pi home directory files:
sudo rm -rf /home/pi
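
An added example (not part of the original post) that audits the end state of the lock-down steps above: pi gone from passwd, shadow and every group, only localadmin in the sudo group, non-empty SSH host keys, and no /home/pi. The function names audit_lockdown and make_sample, the ROOT prefix argument and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_lockdown ROOT prints one line per finding and returns 1 if any exist.
# ROOT is a path prefix ("" = the live system; run as root to read /etc/shadow).
audit_lockdown() {
    root=$1; bad=0
    # The pi account must be gone from both account databases.
    for f in passwd shadow; do
        if grep -q '^pi:' "$root/etc/$f" 2>/dev/null; then
            echo "FAIL: pi still listed in /etc/$f"; bad=1
        fi
    done
    # pi must not appear in any group's member list (4th field).
    groups=$(awk -F: '{n=split($4,m,","); for(i=1;i<=n;i++) if(m[i]=="pi") print $1}' "$root/etc/group")
    for g in $groups; do
        echo "FAIL: pi is still a member of group $g"; bad=1
    done
    # Only localadmin should hold sudo rights.
    sudoers=$(awk -F: '$1=="sudo"{print $4}' "$root/etc/group")
    [ "$sudoers" = "localadmin" ] || { echo "FAIL: sudo group members are '$sudoers'"; bad=1; }
    # Host private keys must exist and be non-empty (the failure seen earlier).
    for k in rsa ecdsa ed25519; do
        [ -s "$root/etc/ssh/ssh_host_${k}_key" ] || { echo "FAIL: ssh_host_${k}_key missing or empty"; bad=1; }
    done
    [ ! -d "$root/home/pi" ] || { echo "FAIL: /home/pi still exists"; bad=1; }
    return $bad
}

# Constructed sample tree: a half-finished lock-down (not real system data).
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh" "$d/home/pi"
    printf 'root:x:0:0::/root:/bin/sh\npi:x:1000:1000::/home/pi:/bin/bash\n' > "$d/etc/passwd"
    printf 'root:*:17000::::::\n' > "$d/etc/shadow"
    printf 'adm:x:4:localadmin\nsudo:x:27:pi,localadmin\naudio:x:29:localuser,localadmin\n' > "$d/etc/group"
    echo key > "$d/etc/ssh/ssh_host_rsa_key"
    echo key > "$d/etc/ssh/ssh_host_ed25519_key"
    : > "$d/etc/ssh/ssh_host_ecdsa_key"        # empty, as in the post
    echo "$d"
}

sample=$(make_sample)
audit_lockdown "$sample" || echo "lock-down incomplete"
rm -rf "$sample"
```

On the Pi itself, call audit_lockdown "" as root so that /etc/shadow is readable.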

Enabling Password-Free SSH Login from a Linux PC

Logout from the Pi, and on a Linux PC:
client$  ssh-keygen    (note: you only need to do this once - ever!)
client$ cat ~/.ssh/id_rsa.pub | ssh localuser@pi-ipaddress 'cat >> .ssh/authorized_keys'

Enter the long password (for the last time).

Now, you can login using ssh:
client$ ssh localuser@pi-ipaddress
If you need to perform any admin activities:
localuser$ su - localadmin
And enter the localadmin fiendish password.  This localadmin user can run jobs as root:
localadmin$ sudo programmename

Configuring the Wired Network Interface

If you wish to use the wired interface, simply plug it in.
It is recommended to set this up using your modem DHCP to bind the MAC address to a static IP address.

That's It

  • The Pi is now configured.
  • You can connect to it as a mortal user with: ssh localuser@pi-ipaddress
  • You can become the administrator with su - localadmin
  • You can run root tasks with sudo taskname





