I downloaded the mist current ASL and tried to set it up to run headless so I can use Putty and WinSCP, but the security manager seems to be getting in the way. How do I setup a headless mode?
Thanks,
Bob
K6ECM
Bob,
Not sure exactly what you are describing as problems with security manager but let me say just a couple of things and we will see if that squares you up for proceeding.
If you are trying to edit files using putty or winSCP the first time, you will need to edit /etc/ssh/sshd_config
You will need to do this as root so perhaps run su first, all from a command line
using nano, look for and change this line as shown
PermitRootLogin yes
(I suggest using a nonstandard port for ssh while you are in there for an edit)
Port 8120 (look near the top for it, default I think is 22)
save file and exit.
Next restart ssh
systemctl restart ssh
Now you should be able to login ‘as root’ with putty/winscp
Don’t forget to choose sftp as protocol
This is the same with the deb9/10/11 installs.
I also suggest you install iptables and fail2ban if they are not already. I think you will find that in the security menu of the asl menu that makes it easy and pre-tuned for asterisk installs.
But do this after you have set-up all ports on your system as it will automatically permit those in use when you do the install. But installed afterwards, you will have to go back and edit changes in port usage.
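A check for the sshd_config edit described in the post above, added here as an example (it is not from the thread or the ASL project). It reads a constructed config and reports the value sshd would use for PermitRootLogin, Port and PasswordAuthentication, applying sshd's rule that the first value obtained for a keyword wins; the function names and the sample file are assumptions.

```shell
#!/bin/sh
# Added example: which value does sshd actually use for a keyword?
# sshd_config keywords are case-insensitive and the FIRST value obtained wins,
# so a later duplicate line is silently ignored. Lines after a Match line apply
# only to matching sessions, so the global value is whatever precedes it.
# On a live system, `sshd -T` (run as root) prints the effective configuration;
# this sketch reads one file's text and does not follow Include directives.

# Constructed sample, not taken from the thread.
SAMPLE='# constructed sample sshd_config
Port 8120
#PermitRootLogin prohibit-password
PermitRootLogin yes
PermitRootLogin no

Match User repeater
    PasswordAuthentication no'

# usage: effective_value KEYWORD DEFAULT < config-text
# Prints the first global value for KEYWORD, or DEFAULT when it is unset.
# (Port may legitimately appear more than once; only the first is reported.)
effective_value() {
    val=$(awk -v want="$1" '
        BEGIN { want = tolower(want) }
        NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and comments
        { key = tolower($1) }
        key == "match" { exit }          # global section ends here
        key == want { print $2; exit }   # first value wins
    ')
    printf '%s\n' "${val:-$2}"
}

# usage: root_password_login_enabled CONFIG_TEXT
# True when root can log in with a password: the combination that makes the
# fail2ban install suggested in the post worth doing before exposing the port.
root_password_login_enabled() {
    root=$(printf '%s\n' "$1" | effective_value PermitRootLogin prohibit-password)
    pw=$(printf '%s\n' "$1" | effective_value PasswordAuthentication yes)
    [ "$root" = "yes" ] && [ "$pw" = "yes" ]
}

echo "PermitRootLogin: $(printf '%s\n' "$SAMPLE" | effective_value PermitRootLogin prohibit-password)"
echo "Port:            $(printf '%s\n' "$SAMPLE" | effective_value Port 22)"
if root_password_login_enabled "$SAMPLE"; then
    echo "root password login is enabled; confirm fail2ban is active"
fi
```

The defaults passed in (prohibit-password, yes, 22) are OpenSSH's built-in defaults for those keywords.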
I’m not sure what the “security manager” that you’re referring to is, but I run all of my ASL systems headless. I have:
VK3RIR repeater. Currently offline, but has an ASL node on it.
SHARI - runs ASL 2 beta on a Pi 3b+, hasn’t had a monitor on it since installation was completed.
Main hub - runs ASL on a Debian VPS. By definition, this one is headless!
The exact process depends on what sort of system you’re running it on. For a Pi, use an image and write that to a suitable Micro SD card. For x86_64, you can follow the instructions on the ASL site to install to fit your situation.
However it’s done, I’ve never had an issue running a headless ASL system.
Mike and vk3jed,
Like I meant to say, I downloaded the ‘most’ recent load for the RPi. I agree with everything you two have said. The most recent download is now based on Raspbian, the Raspberry Pi modified Debian, which doesn’t work like my other headless servers. Something has changed. Guess I’ll just have to step back a few versions.
Thanks,
Bob
K6ECM
Bob, you haven’t elaborated on the exact issue, as to why you can’t simply SSH in. By default, you won’t be able to log in as root, but you should be able to use su and sudo as needed.
For example, my Linux login for the ASL on the Pi is “repeater”.
Need to get an explanation as to what this “security manager” you refer to is.
I don’t understand the security monitor. ASL menu addresses it by saying to let the security monitor control security. I can’t find any info on it, not in the wiki page or on the Raspbian page other than Raspberry instituted it to protect the connected Pis. Look up “security” in the AllstarLink.org wiki.
As for ssh, the asl-menu asks one to set it up. Once this is done I don’t see a change in sshd_config file, so don’t know what it does. I’ve yet to be able to login headless with the build.
If y’all figure out anything, you will have my full attention.
Thanks,
Bob
K6ECM
WinSCP requires root login as there isn’t a way to enter sudo that I can find.
t/B
I don’t believe “repeater” is your login name. I see it as equivalent to server name.
t/B
Definitely what I use to login.
login as: repeater
Server refused our key
repeater@10.43.21.17’s password:
Linux repeater 5.4.51-v7-asl+ #1 SMP Sat Aug 29 13:44:27 EDT 2020 armv7l
Can you also login to WinSCP?
Thanks
It helps if you mention steps you used to get your result, and quote the errors or messages you are seeing exactly as they are printed on the screen.
To get the above message, did you by chance open the asl-menu, choose options number 9. Security Menu, and see a box that says “System security is the node managers responsibility. These tools may help protect your node.”? If this is what you are referring to, this is just a disclaimer banner. The node manager being referred to is the human operator of the node, namely you.
It might also be useful if you have the version number or a link to the image that you downloaded, so we know what you are working with.
As for troubleshooting, step one: let’s make sure that your ssh service is in fact running on the pi.
Please go to the asl-menu option number 5 “Enter a bash shell”, then type the following command and press enter.
systemctl status sshd
If it’s running you should see output like mine below, especially the part where it says “active (running)”. Please paste your output here so we can confirm this is working. Then we can move on to step 2 which is your connection method.
repeater@raspberrypi:~ $ systemctl status sshd
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2022-12-19 19:17:12 CST; 1h 2min ago
Docs: man:sshd(8)
man:sshd_config(5)
Process: 521 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 562 (sshd)
Tasks: 1 (limit: 779)
CPU: 1.071s
CGroup: /system.slice/ssh.service
└─562 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
Dec 19 19:17:11 raspberrypi systemd[1]: Starting OpenBSD Secure Shell server...
Dec 19 19:17:12 raspberrypi sshd[562]: Server listening on 0.0.0.0 port 22.
Dec 19 19:17:12 raspberrypi sshd[562]: Server listening on :: port 22.
Dec 19 19:17:12 raspberrypi systemd[1]: Started OpenBSD Secure Shell server.
Dec 19 19:58:22 raspberrypi sshd[2917]: Accepted password for repeater from 2600:8803:9900:490f::671 port>
Dec 19 19:58:22 raspberrypi sshd[2917]: pam_unix(sshd:session): session opened for user repeater(uid=1000>
Dec 19 19:59:02 raspberrypi sshd[3619]: Accepted password for repeater from fdef:7e4b:af67::671 port 3899>
Dec 19 19:59:02 raspberrypi sshd[3619]: pam_unix(sshd:session): session opened for user repeater(uid=1000>
By the way, maybe this is a good time to mention I recently found out about a webpage-based server administration tool for Linux called Cockpit and have been trying that out. You login to the webpage with the username and password of the raspberry pi, and from there you can restart the node, check resource usage and services, etc. There’s also a shell for typing commands.
There is a plugin called cockpit-navigator that does file browsing and file editing from the web browser as well.
All of this just means that to administer the headless node this way you don’t need WinSCP, Putty, or even ssh necessarily. All you need is a web browser. And the user interface looks way nicer than the windows tools.
Here is a screenshot of the Navigator:
All, I figured it out; the installer asked if I wanted to set a root password so figured there was a way. I ended up having to go through the back door once I had AllstarLink loaded and running as headless.
I needed WinSCP so I could load about 45 MB of sound files which required a root login. I was then able to modify the ssh permissions to allow a headless root login. Modifying them before a successful headless load was just not working.
It’s finished.
Thanks for the inputs.
Bob
K6ECM