SSH Customization
FMADIO devices run exclusively from a pseudo-ROM, where any changes made to the file system are lost between reboots. This ROM approach provides consistency and system predictability, making maintenance simpler.
Shell Environment
One problem with this approach is that shell customization becomes quite difficult. To allow small modifications to the shell environment when a user logs into the system, a shell script can be run for each SSH session. The configuration file is:
Please do not use this excessively; typically it is used for setting environment variables.
Example:
Persistent authorized_keys
This file is usually located in the ~/.ssh/ directory. As that is part of the volatile file system, the persistent version of this is placed into
This allows SSH keys to be used persistently across reboots and power cycles. Note that the file /opt/fmadio/etc/authorized_keys is only copied during bootup. Updates made after boot are not copied to the user's .ssh directory.
Custom SSHD config
A customized sshd configuration file can be used by placing the customized configuration into
This is helpful, for example, to enforce key-based (RSA) login and disable password login, which is good practice if the device is on a public network.
Custom SSH RSA ID
In many cases, using the default fmadio SSH RSA ID is not good security practice. As such, custom SSH RSA keys, both public and private, can be copied into
These will be copied into ~/.ssh/idrsa and idrsa_pub on boot.
Persistent SSH Tunnel
FW: 7974+
The FMADIO Packet Capture device may not be conveniently accessible on a network, so the ability to form persistent SSH tunnels both to and from the FMADIO Packet Capture Device is important.
We use autossh for this feature.
One typical example is pushing rsyslog traffic to a centralized location for ingest and processing. In this example we show how to configure such a tunnel so that it remains persistent across reboots.
1) Create a new RSA key on the FMADIO device
Store the key in /mnt/store0/etc/sshtunnel.id without a passphrase.
2) Add the public key to the remote servers
Add the sshtunnel.id.pub key to the remote server's authorized_keys. This allows password-less SSH access to the remote server.
3) Test the connection by ssh to the remote server
Log in manually to ensure the key-based connection works correctly.
4) Create an on boot file that uses autossh
This gets run automatically on system boot. Because autossh handles reconnects, no cron job or monitoring is required.
Create the file
Paste the contents as follows. This is a standard Lua script; in this case it runs autossh with some command line arguments. Anything can be run in the script for boot-time setup.
5) Test the boot script
The functionality of the boot script can be tested as follows. Correct output is similar to this:
6) Reboot the system
On reboot, the boot.lua script is executed and a persistent SSH tunnel to the remote system is formed.
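The six steps above, collected into one POSIX shell script as an added example (not FMADIO's own boot script or tooling). The key path is the one the page gives; the persistent known_hosts path, the log host, user, ports and the use of plain Lua os.execute in boot.lua are assumptions.

```shell
#!/bin/sh
# Added example, not FMADIO's own scripts. The key path matches the page;
# the known_hosts path, log host, user and ports are assumed placeholders.
KEY=/mnt/store0/etc/sshtunnel.id
KNOWN_HOSTS=/mnt/store0/etc/sshtunnel.known_hosts   # assumed persistent path

# Step 1: generate the key once, with no passphrase so autossh can use it
# unattended. Prints the public key line that step 2 pastes into the
# remote server's authorized_keys.
gen_tunnel_key() {
    key="$1"
    if [ ! -f "$key" ]; then
        ssh-keygen -t rsa -b 4096 -N "" -f "$key" -C "fmadio-sshtunnel" >/dev/null
    fi
    chmod 600 "$key"
    cat "$key.pub"
}

# Step 3: the manual test login. It also records the server's host key in the
# persistent known_hosts file (~/.ssh is volatile), so the boot-time tunnel
# can verify the host key strictly on every reconnect.
test_login() {
    ssh -i "$1" -o IdentitiesOnly=yes -o UserKnownHostsFile="$KNOWN_HOSTS" \
        -o StrictHostKeyChecking=accept-new "$2@$3" true
}

# Step 4: the autossh command that boot.lua runs. -M 0 relies on ServerAlive
# probes instead of a monitor port; ExitOnForwardFailure makes a failed port
# binding exit ssh so autossh restarts it; the forward binds to loopback only,
# so only rsyslog on the device (pointed at 127.0.0.1:$lport) reaches the
# collector's port $rport.
build_autossh_cmd() {
    key="$1"; user="$2"; host="$3"; lport="$4"; rport="$5"
    opts="-o BatchMode=yes -o IdentitiesOnly=yes -o UserKnownHostsFile=$KNOWN_HOSTS"
    opts="$opts -o StrictHostKeyChecking=yes -o ExitOnForwardFailure=yes"
    opts="$opts -o ServerAliveInterval=30 -o ServerAliveCountMax=3"
    echo "autossh -M 0 -N -f -i $key $opts -L 127.0.0.1:$lport:127.0.0.1:$rport $user@$host"
}

# Emit a boot.lua body that runs the command. AUTOSSH_GATETIME=0 keeps autossh
# retrying even if the very first attempt fails (network not yet up at boot).
# Assumes plain Lua os.execute works in boot.lua (not verified against FMADIO).
emit_boot_lua() {
    printf 'os.execute("AUTOSSH_GATETIME=0 %s")\n' "$(build_autossh_cmd "$@")"
}

# Usage (constructed values): emit_boot_lua "$KEY" syslog loghost.example.net 1514 514
```

Redirect the emit_boot_lua output into the boot.lua file named in step 4, then run the step 5 test and reboot.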
Custom sudoers File
A customized persistent /etc/sudoers file can be created at the following location
On boot, the system overrides the default /etc/sudoers file with the file created above.