Help on SSH: JB 5.6.5 (to 5.7.2.1!) USBNetwork

[d0ugparker]

I have--had--a PW3 on 5.6.5, with Airplane Mode on.

I turned on Access Restrictions in my DD-WRT router to block www.amazon.com, and confirmed its operation.* Then, I turned off Airplane mode.

Unfortunately, the network update came through from other than the TLD amazon.com, and I was pushed up to 5.7.2.1. Fortunately, KUAL 2.6 and
USBNetwork 0.21.N still appear to be working. Others have found this out, too, that the update to 5.7.x doesn't brick, so no new news there.

So now I'm treating the PW3 on 5.7.2.1 as a working unit, but I really need to get its SSH going for a project that's due next weekend.

I've DLed putty.exe and puttygen.exe. I've created my public and private keys. I've copied my public key to /usbnet/etc/authorized_keys, (authorized_keys is a file, not a directory, with no extension), being careful to export as UNIX-style EOLs. I've configured my PW3 to have a custom IP addy of 192.168.1.114, I've turned on USBN mode, making sure to disconnect the cable, fired up putty, I've provided putty with a path to my private key, I get the "Welcome to Kindle!", so putty.exe is seeing and attempting communication with the Kindle, but I keep getting the "Server refused our key" message.

I read in an Ubuntu Forums thread that OpenSSH and Putty formats for public keys are different--that I may need to generate an OpenSSH key on my Winders system, then using Putty import and convert it to its own format, save it with UNIX EOLs, then copy it over to the Kindle.

Addendum:

I'm occasionally getting the notice about the server key having been modified--a potential security breach. This is happening in my private network, so no threat there, so I may be even closer than I thought. It seems as if the files are in the right place, their values exported properly with the correct, UNIX line endings, but their public and
private keys are not matching properly.

Even though I've manually set my Kindle's IP address to 1.114, do I still need to be setting my router to be operating on subnet 15, using the documentation's stated IP address of 192.168.15.244 for the Kindle ? I'd think not, since I'm getting the "Welcome to Kindle!" message.

Other thoughts? Thanks.

Dr Doug

*ObDD-WRT Info:

For access restrictions to work on a DD-WRT router, there has to
be some device info present, or the policy is ignored.





Once there's at least one device accurately listed, the policy is applied.

[eschwartz]

1) Please do not add dozens of linebreaks to your posts, it makes it much harder to read. The forum software is perfectly capable of wrapping paragraphs on its own.


2) What makes you think USBNetwork is working? After a firmware update you must reinstall ALL update_*.bin style hacks.

[d0ugparker]

(Admins: please add a Resolved tag to this thread.)

The READ-ME included in the zip file for USBNetwork is amazingly thorough, yet, IMHO, extremely succinct--so much so that it makes understanding it difficult after a dozen or more re-reads, but isn't that the case when we're all working here on our own and doing our own thing? (Admins: How can users recommend additions or changes to READ-ME files accompanying binaries?) I'm suggesting reading, then re-reading many, many times before the light turns on. I did this because I wanted to be a responsible, er, hacker, and not wanting to pester the admins or the power users who were getting the same questions from hundreds of end users. I'm saving my voice for when I really do need it.

As eschwartz mentioned, always be sure the latest binary is uploaded.

I was updated to 5.7.1.2, so the 0.21.N binary works on that Kindle version.

I used PuTTYgen.exe to generate my public and private keys. I used Notepad++ to generate the needed files, because it clearly tells me when I was in DOS or UNIX line ending mode (CR vs. LF vs. CRLF). The READ-ME is clear on always using UNIX EOLs, since everything is a UNIX shell.



I copied and pasted the public key from the area in PuTTYgen that states, duh, "Public key for pasting...."



Doing so kept the key on a single line.

This following image shows what the public key looks like when the "Save public key" button is clicked instead. Note the extra line feeds--not good:



Yeah, the SSH clients are probably smart enough to detect line feeds or not, but what if they don't know about CRs or LFs? Don't take a chance on dinkin' with 'em. Copying and pasting them puts everything on one line. Over. Done.

The Kindle's feedback area is a line at the bottom of the USBNetwork screen. It's tiny. Watch carefully, be prepared to read what flashes by very quickly, because you don't get a lot of time to grab all the information coming your way from the developers:



I went through my own, personal hell to figure out if the buttons display the state of each feature, or if they show what their changed state will be if selected:



They do not indicate the current state--they indicate what their state will change to if the button is clicked. If "Enable verbose mode" is showing, verbose mode is disabled. Duh, but some of the wording on other buttons is not as clear cut.

I used PuTTY.exe for the SSH client. IP addresses are not hard coded into PuTTY, but default values appear to be inserted from legacy development, and so that something will be in its proper place when you grab it (USBNetwork), install it, and try to connect to it. Documentation seems to show a 15 subnet (192.168.15.244, and 192.168.15.201). I've seen both IP addresses noted in the READ-ME and HELP docs.

Included in the setup files for USBNetwork, there's a config file that can be used to set the Kindle's IP address. In the config file, I set my Kindle's IP address to 192.168.1.114.

Doubling up on correct IP addresses, I used my Kindle's Settings > Wi-Fi Networks menu to get to the Advanced settings button, which allowed me to set its IP address, and all the other associated inputs needed:



Even though I was also setting the Kindle's IP address in USBNetwork's config file, I was doubling or tripling up on things to be sure that if I were to overwrite something, it'd overwrite with the same information. (Addendum: I was told by a power user that doing so was not a Good Thing™ to do. The two interfaces need separate IP addresses. I'm not sure which settings correspond to which interface, though. More addenda on that as they surface. Stay tuned!)

Some helpful pointers on using PuTTY.exe follow.

Your public key gets copied over on the Kindle. I saved mine locally on my Winders system as public.txt. On the Kindle, it needs to go in ./usbnet/etc/authorized_keys. Make sure it's in UNIX EOLs and my implementation worked when I put it all on one line. I know that nullifies each other, but IJS.

For security, always put a passphrase on your private key.

Here's where you set your path to your local, private key:



With USBNetwork binarly installed properly, with the public key on the Kindle, with a private key locally, with the IP address doubly-set to one of my choosing (192.168.1.114), I fired up PuTTY.exe and attempted a connection to the Kindle's SSH daemon.



You did turn the SSH daemon on, right?



One of two or three things happened on attempting to connect.

1. Connection time out, or
2. A server refused the key message, or
3. A successful login and a passphrase needed.

A connection timeout is when you're furthest away from a successful login, but you don't get any hints on what's not right. Go back and re-read the notes above, and re-read the READ-ME file. Keep it simple. The solution is probably easier than you think it is.

A Server refused our key message is an indication of a failed communication between the two, but your keys are most likely not in the right format.



Use UNIX line endings--that was the biggest fail of mine, repeatedly.

A successful login comes in two, separate operations. The first notice I received was an obscure message about host keys not matching:



I looked at the rsa2 fingerprint listed in the security notice splash screen, but I couldn't identify it as coming from any key I had installed on the Kindle, so I'm not sure from where that message is being generated. So for now, I ignored it.

The buttons Yes, No, and Cancel are helpful, but they're not helpful. Read the details in the security notice for an explanation of each button's functions.

When I press Yes, which I would expect to allow me to connect with updated credentials, I don't connect.

When I press Cancel, of course, I abandon the connection attempt.

Confusingly, when I press No (which the text helpfully mentions will continue to connect but doesn't update the cache), I continue to step two of the SSH login process, where I'm asked for the private key's passphrase:



and upon successfully supplying the passphrase, I'm logged in through SSH:



Continue on with your regularly scheduled hacking.

Thanks to all the power users who contributed before me.

Dr Doug

[knc1]

Quote:

- - - -
Even though I was also setting the Kindle's IP address in USBNetwork's config file, I was doubling or tripling up on things to be sure that if I were to overwrite something, it'd overwrite with the same information.
- - - -
With USBNetwork binary installed properly, with the public key on the Kindle, with a private key locally, with the IP address doubly-set to one of my choosing (192.168.1.114)
- - - -

Now that will cause you problems.

Each interface needs to have its own, unique on the network, IP address.
Plus - -
Unless the configuration is changed elsewhere, the Kindle will default to using DHCP for the WiFi interface.
The default for the USB network interface is to be set manually.

- - - -

Dumb question follows:

Since one of the purposes of pubkey authentication is "password free" authentication, why in the world do you add a passphrase to the private key?
All you've done is replace one passphrase entry point for another.

The private key is on your PC - use the features of your PC's operating system to secure it rather than adding a passphrase.

# 95 00

[NiLuJe]

Thanks, I added a link to your post in the docs .

----

As for the password thing, yeah: either you use the same key everywhere, and it's secure as hell, in which case you're using an agent to not spend your time entering a long-ass passphrase.
I'm not sure if there's a better solution that Pagent on Windows, but on Linux, pam_ssh rules, and on OS X, ssh-agent ties into the OS's KeyChain.

Or you're using a throwaway key just for the Kindle, and a passwordless one is fine.

Speaking of keys, last I checked, only development version of PuTTy supported ECDSA keys (better, stronger security, and much faster).

[eschwartz]

Glad you were able to get it working.

As for the README, well, writing documentation is hard, especially if it's all obvious to the writers.
It doesn't help that many of the people here are used to linux. Difficult to write instructions for an OSyou don't use.

...

I notice you got slightly confused in the KUAL configuration.
Think of KUAL buttons as "actions to perform".

[d0ugparker]

Quote:

Originally Posted by knc1

Each interface needs to have its own, unique address on the network, its own IP address.

Plus - -

Unless the configuration is changed elsewhere, the Kindle will default to using DHCP for the WiFi interface. The default for the USB network interface is to be set manually.# 95 00

<Really dumb look on my face>

Uh, I'm trying to recall references in the READ-ME file to DHCP being activated, and I think that may be an omission in the docs. (Confirmed: a search through USBNet's README-FIRST.txt reveals nothing on DHCP.)

So, although I understand what you're saying, I don't understand it. Two IP addresses to SSH to the Kindle?

Where is the Kindle's IP address set, and where is the interface IP address set? I'm confused. I know this is simple, but I've got a serious case of roadblock square in the middle of my face.

I sort of liken what you're saying to my setup I have on my router to my ISP: they have their WAN address side, and I have my LAN address side, so either side has different IP numbers. Although I understand that one, I don't understand the implication to the SSH configuration necessary.

(I'm not finger-pointing nor blaming. If I can help expand on the README-FIRST file to get better, clearer, more complete docs in place for the software I touch and use, I'm all for it. That's why I went through all the effort on getting this RESOLVED reply added to my OP.)

Quote:

Originally Posted by knc1

Since one of the purposes of pubkey authentication is "password free" authentication, why in the world do you add a passphrase to the private key?
All you've done is replace one passphrase entry point for another.# 95 00

I'm forever learning--I just didn't know. Thanks for pointing these things out. Now that you mention it, I do recall the docs stating something about that in the README-FIRST file.

[knc1]

Ah, so - A networking new comer.

The "Device" does not have an address (although Windows sort of smooths that over by assuming: Device == 1 Interface == 1 address per Interface)

Each network interface on a device has one (or more - even under Windows) addresses.

You showed the panel to setup the Wifi interface address -
And you wrote about setting the USBnetwork interface address in its config file.

If both IP address numbers where the same - -
for instance,
how would your router know if a packet should be sent out over the air (wifi) or over a wired connection to reach the Kindle?

Yes, the minimum is the 1-to-1 relationship: one address == one interface (one for USBnet, one for Wifi, one for 3G (if you have 3G), etc).

That is the **minimum** required, not the maximum limit.

Without **any** (external) networking running:

Code:

[root@kindle bin]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo

which is 256*256*256 IPv4 addresses on the local (within the device itself) network.

The device itself has a name (the host name) and there is a look-up for name to IP address:

Code:

[root@kindle bin]# cat /etc/hostname
kindle

[root@kindle bin]# cat /etc/hosts
127.0.0.1       localhost.localdomain localhost kindle
192.168.15.200  usbnet-host-gw

There is more, a lot more (lots of books written on the subject) -
Just post when your head stops spinning and we will give you another dose.
(There is also IPv6 and with the 7th gen devices, the kernel supports network namespaces, and . . . . )

[d0ugparker]

Quote:

Originally Posted by knc1

Ah, so - A networking new comer.

Er, no, I've been doing MAC/WIN/*NIX support for decades.

I just feel really stoopid when I'm playing with all these fun files and brand new toys of yours here and I find myself in a position where I suddenly don't understand something--too many balls to juggle, or too many interfaces to maintain.

It's only in the forums here that I get to return to the cutting edge where I genuinely have to put my learning hat back on again.

Quote:

Originally Posted by knc1

You showed the panel to setup the Wifi interface address - And you wrote about setting the USBnetwork interface address in its config file.

If both IP address numbers where the same - -

for instance, how would your router know if a packet should be sent out over the air (wifi) or over a wired connection to reach the Kindle?

WiFi over USB... and my head spins yet again.

The Kindle gets its IP address from the Advanced Settings I gave it in the WiFi panel.

The SSHD gets its IP address from its config file. No, wait, that was the USBNetwork interface, not the SSHD.

So here's where I'm really in the muck. The Kindle has its own IP address of 1.114. Then, the USBN-SSHD interface needs 1) its own local and 2) LAN IP address, and it needs to talk to my LAN. My LAN is x.x.1.x, so any IP addresses assigned to the USBN-SSHD interface also need to be on x.x.1.x.

(In the one line sketch below, the 15s come from the README.)

K (x.x.1.114) <---> (15.201) USBN (15.240) <---> LAN (x.x.1.x)

Then they're set to .15.x by default, and I have to change them to match my config. How do I change both internal and external IPs? The config file has only one IP address. There's something I'm overlooking or something I'm not taking into consideration.

Quote:

Originally Posted by knc1

Code:

# cat /etc/hostname
kindle
# cat /etc/hosts
127.0.0.1       localhost.localdomain localhost kindle
192.168.15.200  usbnet-host-gw

Just post when your head stops spinning and we will give you another dose.

I'm guessing the .15.200 line was >> to the hosts file by the USBNet binary.

So, I set the IP of the Kindle by its WiFi Setting setting. (1 below?)
Then there's a hosts IP for USBNet. (3?)
Then there's a config IP for, uh, (2?)

Kindle-(#1) <> (#2)-USBNet-(#3) <> WiFi LAN
Kindle-(#1) <> WiFi LAN

Go ahead--hit me. I think I deserve it. ;-)

Thanks.

[eschwartz]

SSHD is as normal -- whatever WiFi address is assigned by your router.

The trick is that USBNetwork by default works over USB (hence the "USB" part ) which means the USB interface gets its own IP address. (And it isn't supposed to clobber something else.)

[knc1]

You must have KUAL installed (being this is the newest and greatest Amazon firmware) . . . .

Did you install the "Helper" extension?
I am pretty sure that is the one with the 411 and/or 711 buttons.

Let me see now ...
My PW-3 is still on its factory initial (5.6.1.1) firmware, but a lot of these things have remained the same ...

Home -> Search -> enter: ;711
The semi-colon is part of the command -> ;711
Screen shot attached, with 'airplane mode' enabled, USBnet disabled.

First - lets get everything working - you can customize the numbers **LATER**.

You can connect to the Kindle over two media -
The USB cable and/or the Wifi connection.

We do the USB cable way first, because it works 'out of the box' if you have not modified its configuration file.
(If you have, modify it back - we will tackle one challange at a time.)

What are you going to USB cable the Kindle to?
Keep it simple - plan on using a pc (Linux or MacOSx - Windows someone will have to translate - but what you already wrote is probably 'close enough').

remove USB cable !!!

KUAL -> USBnetwork -> (Query) USBnetwork Status
Bottom line should say "usb network disabled, sshd down"

KUAL -> USBnetwork -> (Action) Toggle USBnetwork
Wait a few - check status again - it should report that it is up.

Connect Kindle to PC with the USB cable.

Note on the PC:

Code:

core2quad ~ $ dmesg
[179743.220126] usb 2-3.5: new high speed USB device number 14 using ehci_hcd
[179743.526179] cdc_subset: probe of 2-3.5:1.0 failed with error -22
[179743.528136] cdc_subset 2-3.5:1.1: usb0: register 'cdc_subset' at usb-0000:00:1d.7-3.5, Linux Device, 22:6e:e3:00:56:b8
[179743.528198] cdc_ether: probe of 2-3.5:1.0 failed with error -16
[179743.528222] usbcore: registered new interface driver cdc_ether
[179743.528568] usbcore: registered new interface driver cdc_subset

Only the last two lines are significant - the rest was just the PC's kernel getting itself organized.

I have been doing this for awhile now, so I have a clause set in my PC's /etc/network/interfaces file that looks like this:

Code:

core2quad ~ $ cat /etc/network/interfaces

- - - -

iface usb0:1 inet static
        address 192.168.15.201
        netmask 255.255.0.0
        network 192.168.15.0

So when I invoke that clause . . . .

Code:

core2quad ~ $ sudo ifup usb0:1
ssh stop/waiting
ssh start/running, process 11037

Note that the two lines of output there refer to sshd on my PC - which is not involved in USBnetworking with the Kindle.

Now, the PC end of the cable has IP address: 192.168.15.201

Code:

core2quad ~ $ ip addr
- - - -
4: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 22:6e:e3:00:56:b8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.15.201/16 scope global usb0:1
    inet6 fe80::206e:e3ff:fe00:56b8/64 scope link 
       valid_lft forever preferred_lft forever

This Linux distribution does the same as most, it pokes in a route based on the interfaces clause that was invoked:

Code:

core2quad ~ $ ip route
default via 192.168.0.1 dev eth0  metric 100 
169.254.0.0/16 dev eth2  proto kernel  scope link  src 169.254.57.30 
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.2 
192.168.0.0/16 dev usb0  proto kernel  scope link  src 192.168.15.201

(The last route was just added to the PC's end of the USB cable.)
The PC is indeed 192.168.15.201 and any packet address that fits the 102.168.0.0/16 pattern will be sent to device USB0.

Since I have a serial port connection to the Kindle also, I can show what that end of the USB cable looks like:

Code:

[root@kindle bin]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo

2: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether ee:19:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.15.244/24 brd 192.168.15.255 scope global usb0

[root@kindle bin]# ip route
192.168.15.0/24 dev usb0  src 192.168.15.244

Sure enough, just like the USBnetwork config file on the Kindle said, the Kindle end of the USB cable (not the Kindle, the Kindle end of the USB cable) is 192.168.15.244

Check the Kindle's firewall, see if it will allow our packets in:

Code:

[root@kindle bin]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:40317
ACCEPT     tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             state ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             state ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp spt:40317
ACCEPT     udp  --  anywhere             anywhere             udp spt:49317
ACCEPT     udp  --  anywhere             anywhere             udp spt:33434
ACCEPT     all  --  localhost.localdomain  anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             localhost.localdomain

Answer: Yes (lines 10 and 2)

Is sshd really running?

Code:

[root@kindle bin]# ps aux | grep ssh
root      20394  0.0  0.1   2488   528 ?        SNs  20:37   0:00  /usr/bin/dropbear -P /mnt/us/usbnet/run/sshd.pid -K 15 -n -b /dev/null

Yes.
Note that the default sshd server is DropBear - the OpenBSD sshd is an option in the config file.

Back on the PC (not to get too confusing, but the PW-3 and my PC are both running the same version of Linux ) - -

I do this often enough that I gave the Kindle's end of the USB cable's address a name:

Code:

core2quad ~ $ cat /etc/hosts
127.0.0.1               localhost
192.168.15.244    ken1.morethan.org    ken1
- - - - -

To simplify things further (and because the version of ssh keyring can not handle the number of keys I have on my PC) . . . .

I have added a short-cut clause to the ~/.ssh/config file of my PC:

Code:

- - - - - -
host kpw
     user root
     hostname ken1.morethan.org
     port 22
     IdentitiesOnly yes
     identityfile ~/.ssh/kpw_id_rsa
- - - - - -

And note: I do not have a passphrase on that private key file (I use the over-all security features of my PC instead).
The next to last option: "IdentitiesOnly yes" in the config file forces my ssh client to try **ONLY** the specified key file.

Now with all of that setup - to get an ssh connection from my PC to the Kindle, I enter:

Code:

core2quad ~ $ ssh kpw
#################################################
#  N O T I C E  *  N O T I C E  *  N O T I C E  # 
#################################################
Rootfs is mounted read-only. Invoke mntroot rw to
switch back to a writable rootfs.
#################################################

Note:
The same 'kpw' shortcut name works also with scp and sftp.

Whoot!
It does work.

Better details at:
https://www.mobileread.com/forums/sho...d.php?t=204450
https://www.mobileread.com/forums/sho...d.php?t=204676
https://www.mobileread.com/forums/sho...d.php?t=204942
https://www.mobileread.com/forums/sho...d.php?t=205068
https://www.mobileread.com/forums/sho...d.php?t=205224
https://www.mobileread.com/forums/sho...d.php?t=201572 (Mac OSx)

[NiLuJe]

And as you've mentioned, you're using a static IP for your Kindle over WiFi. That one has to be in your usual subnet to talk to your router.

But over USB, both ends defaults to a slightly more obscure private subnet because it doesn't (and shouldn't, to keep things sane) be in your subnet. You really only need to change the USB IPs if you are indeed risking mismatches.

But over WiFi, either you know the IP because you set it manually (advanced network setup on the Kindle), or it's assigned by your router via dhcp, and you get it either from your router (I'm assuming config UI and/or network topology maps available somewhere), or from the 711 (or 411?) page on the Kindle.

(I'm not mentioning the defaults to avoid confusion, because I, weirdly enough, don't use the defaults on my setup for portability purposes between legacy kindles, kindles and kobos ).


Take all that with a grain of salt, I've been bashing my head against mystical Kobo issues all day, so my sanity is a bit frayed ^^.
That's my systray right now. Yes, I was optimistic at the beginning, I went with kwrite instead of kate, and now I have seventy billion windows open instead of one, and it's a mess .

[knc1]

But your only using two desktops - so no reason to panic just yet.
Reset to the maximum number (probably 16 or 24 - some small 2 digit number) and **then** fill up all of the systray lines.

Don't forget to shade the windows until none of the desktops have a bare spot to open another one - -
At that point, you can just sign in again with another username and repeat.

= = = =

In my case, usually at that point I can hear that the window with the movie or tv program playing in it has reached the point I want to see - but I can't find the tv window to watch.

Aren't x11 desktop managers just great?
The majority of the world of users are stuck with just a single desktop view.

[NiLuJe]

Yeah, I was glad to see Windows 10 introduce virtual desktops... Even if the feature is really not put forward.

And that the only effective use I have had of it is moving a crashed fullscreen app to a second desktop in order to unsteal mouse focus to be able to properly kill the runaway app in the task manager. .

[knc1]

Another MS advancement: a virtual BSOD!