02-05-2013, 11:02 AM | #1
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Kindle ssh/scp with the USBnetwork package
This thread is a continuation of the Kindle networking thread at:
https://www.mobileread.com/forums/sho...d.php?t=204676 Which gave an introductory course in reading and understanding the Linux firewall tables used on the Kindles (with Kpw-5.3.3 firmware as the example). Conditions: Prior to the Kindle networking thread, you had already installed the USBnetwork, kindle-usbnet-0.7.N.zip package, as described in: https://www.mobileread.com/forums/sho...d.php?t=204450 That thread left you using telnet to access your Kindle. In the prior thread on the Linux firewall tables, you found there are no restrictions on the USB0 interface. Your also read about the restrictions present on packets originating on the wlan0 (and 3G) interfaces. You made note of the sequence required to start/stop USBnetwork, from the spoiler in the USBnetworking thread, which is repeated here: Quote:
There are a number of network automation things used by the various Linux distributions; refer to your distribution's information on how to set up yours (not here, in your distro's help forum).

We know from a prior thread that the networking over the USB cable was working. We know from a prior thread that telnet over USB was working. Now telnet into the Kindle (telnet 192.168.15.244). This should confirm that things are working the same as before. (You can leave this connection up during the following if you wish, or type exit to disconnect now.)

Try to access the Kindle via ssh over the USB cable. Code:
core2quad ~ $ ssh 192.168.15.244
The authenticity of host '192.168.15.244 (192.168.15.244)' can't be established.
RSA key fingerprint is 4e:30:f8:bf:3e:92:b6:ad:18:21:b3:47:95:9e:02:30.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.15.244' (RSA) to the list of known hosts.
Welcome to Kindle!
mszick@192.168.15.244's password:
Connection closed by 192.168.15.244

The first line of that warning above: Quote:
There are 'host keys' already generated and included with the USBnetwork package. Every Kindle that uses this package will have the same host key, rather than a unique host key. This should not cause any problem as long as only one Kindle is reachable from the local network. When the Kindle's ssh server is accessible over public WiFi, this one-key-for-all-Kindles can be a source of problems. In this 'HowTo', generating a unique host key for each of your Kindles will be a subject addressed later in the thread.

So in this case, just answer 'yes' to your client's question, as shown above.

Now try to log in with the administrator's user name, without using a password (just press 'Enter'): Code:
core2quad ~ $ ssh -l root 192.168.15.244
Welcome to Kindle!
root@192.168.15.244's password:
#################################################
#  N O T I C E  *  N O T I C E  *  N O T I C E  #
#################################################
Rootfs is mounted read-only. Invoke mntroot rw to switch back to a writable rootfs.
#################################################
[root@kindle root]#

For those readers who have the Linux command line crib-sheet open, linked from the thread:
https://www.mobileread.com/forums/sho...d.php?t=204534
take note that the versions of those commands provided by Busybox are often simplified versions of the full commands described in that crib-sheet.

The Kindle's Linux operating system needs its date and time set somewhere close to reality, or at least close to the time and date of the machine it is connected to. Use a pair of commands and our new, fancy, encrypted connection to the Kindle to set both the system and the hardware clocks of the Kindle.

On your PC, learn the current universal date & time: Code:
core2quad ~ $ date -u
Mon Feb 4 17:49:18 UTC 2013

The format which the Busybox 'date' command expects when setting the date and time is: Code:
date [-u|--utc|--universal] [MMDDhhmm[[CC]YY][.ss]]

Code:
[root@kindle root]# date -u 020417492013
Mon Feb 4 17:49:00 UTC 2013

Now write the current system time to the hardware clock (and also verify that both the system and the hardware times are as expected): Code:
[root@kindle root]# hwclock -w
[root@kindle root]# hwclock
Mon Feb 4 11:50:44 2013 0.000000 seconds
[root@kindle root]# date
Mon Feb 4 11:51:17 CST 2013

Now the Kindle is ready for creating files with proper timestamps. Also, some Kindle features and custom add-on packages assume that the date and time are properly set to something close to reality. When the Kindle's networking features are completely set up properly, this setting of date and time can be automated (beyond that provided by Amazon).

When the USBnetwork package's dropbear is used over the Wifi interface, it will require authentication: either a proper username/password pair or public key authentication. Using public key authentication is highly recommended, and it can be used over any network interface on the Kindle.

Public key authentication uses a (cryptographically) matched pair of key files. The PRIVATE key remains on the host computer (your PC). The PUBLIC key can be used on any remote computer which you wish to authenticate with; after all, it's PUBLIC. By design, the sshd server package does not include key pairs, nor the file (authorized_keys) where they are stored. You will have to generate a key-pair of your own. dropbear uses the same format key-pair as that of OpenSSH (and PuTTY can generate that format key-pair). It is recommended that you do not use the same key-pair on two or more computers. There is no programmed enforcement of that recommendation; it is just a 'best practice' to follow.

On the PC: The first step in using public key authentication is to generate a (new) key-pair on the local (will be the 'client') machine. The default location for the key-pair files is ~/.ssh, a hidden directory that was created when your ssh client was installed. It is important to change the basename of the key-pair files when creating a new key, to avoid trashing your existing, default, key-pair. Other than that, the defaults used by OpenSSH (Linux and MacOSX) for the key generation are good for our purpose. Code:
core2quad ~ $ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mszick/.ssh/id_rsa): /home/mszick/.ssh/kpw_id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mszick/.ssh/kpw_id_rsa.
Your public key has been saved in /home/mszick/.ssh/kpw_id_rsa.pub.
The key fingerprint is:
0e:10:74:d2:b6:72:aa:8a:7d:16:6f:9c:1e:39:4f:26 mszick@core2quad
The key's randomart image is:
+--[ RSA 2048]----+
| .+..            |
| +o              |
| .. .            |
| ..o             |
| +. S            |
| o +             |
| . +E.+          |
|... o =B         |
|o..o o. .        |
+-----------------+

For this example, leave the passphrase empty. There are other ways to protect the key-pair files than by using a passphrase.

As a matter of convenience, give the Kindle's network address a name in the client's /etc/hosts file. An example /etc/hosts file before the addition of the ken1 nickname: Code:
127.0.0.1       localhost
127.0.1.1       core2quad
169.254.0.4     eepc701.morethan.org    lanntp
169.254.0.104   wolf466.morethan.org    wolf466
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

If you don't have a domain name to apply to your network, use local.net (or whatever floats your boat and isn't a domain name registered to someone else). Use your favorite text editor as the superuser 'root' to edit the /etc/hosts file on your PC. The example /etc/hosts file after the addition of the ken1 nickname: Code:
127.0.0.1       localhost
127.0.1.1       core2quad
192.168.15.244  ken1.morethan.org       ken1
169.254.0.4     eepc701.morethan.org    lanntp
169.254.0.104   wolf466.morethan.org    wolf466
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

We can refer to the Kindle's IP address by name (or nickname) rather than by number: Code:
core2quad ~ $ ping -c 3 ken1
PING ken1.morethan.org (192.168.15.244) 56(84) bytes of data.
64 bytes from ken1.morethan.org (192.168.15.244): icmp_req=1 ttl=64 time=0.842 ms
64 bytes from ken1.morethan.org (192.168.15.244): icmp_req=2 ttl=64 time=0.524 ms
64 bytes from ken1.morethan.org (192.168.15.244): icmp_req=3 ttl=64 time=0.455 ms

--- ken1.morethan.org ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.455/0.607/0.842/0.168 ms

Code:
core2quad ~ $ ls -l .ssh
total 76
- - - - -
-rw-r--r-- 1 mszick mszick 5234 2013-02-04 11:22 known_hosts
-rw------- 1 mszick mszick 1675 2013-02-05 08:10 kpw_id_rsa
-rw-r--r-- 1 mszick mszick  398 2013-02-05 08:10 kpw_id_rsa.pub
- - - - -

The known_hosts file was last changed yesterday, when the Kindle's host key was added above.

The ssh-keygen application generated a pair of files named with the basename we entered. The file without the extension, with read/write permissions given only to the owner, is the PRIVATE key of the key-pair. The file with the extension "*.pub" is the PUBLIC key of the key-pair.

With an unmodified sshd server, the 'authorized_keys' file is located at ~/.ssh/authorized_keys. With the modified sshd server(s) in the USBnetwork package, the 'authorized_keys' file is located in a sub-directory of the USB storage area: Code:
[root@kindle root]# ls -l /mnt/us/usbnet/etc
-rwxr-xr-x 1 root root   1087 Feb  5 07:43 config
-rwxr-xr-x 1 root root    458 Oct 20 10:13 dropbear_dss_host_key
-rwxr-xr-x 1 root root    427 Oct 20 10:13 dropbear_rsa_host_key
-rwxr-xr-x 1 root root    597 Oct 20 10:13 htoprc
-rwxr-xr-x 1 root root 245058 Sep 15 15:55 moduli
-rwxr-xr-x 1 root root    672 Oct 20 10:13 ssh_host_dsa_key
-rwxr-xr-x 1 root root    227 Oct 20 10:13 ssh_host_ecdsa_key
-rwxr-xr-x 1 root root   1679 Oct 20 10:13 ssh_host_rsa_key
-rwxr-xr-x 1 root root   3579 Sep 15 15:55 sshd_config
drwxr-xr-x 3 root root   8192 Oct  3 15:29 terminfo

Since that file is just a list of the public keys, one key per line, that are authorized to access this machine, it can be created by copying the kpw_id_rsa.pub file to it. scp, like ssh, will ask you for the user's password. Just press return, for the password-free entry as 'root' in the Kindle modified server(s).

NOTE: The server 'ken1' (for the purposes of ssh/scp) is not the same hostname that is on file in the known_hosts file. Code:
core2quad ~ $ cd .ssh
core2quad .ssh $ scp kpw_id_rsa.pub root@ken1:/mnt/us/usbnet/etc/authorized_keys
The authenticity of host 'ken1 (192.168.15.244)' can't be established.
RSA key fingerprint is 4e:30:f8:bf:3e:92:b6:ad:18:21:b3:47:95:9e:02:30.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ken1' (RSA) to the list of known hosts.
Welcome to Kindle!
root@ken1's password:
kpw_id_rsa.pub                                100%  398     0.4KB/s   00:00
core2quad .ssh $ cd

Try it now: Code:
core2quad ~ $ ssh -l root ken1
Welcome to Kindle!
#################################################
#  N O T I C E  *  N O T I C E  *  N O T I C E  #
#################################################
Rootfs is mounted read-only. Invoke mntroot rw to switch back to a writable rootfs.
#################################################
[root@kindle root]#

In general, you can start as many ssh connection sessions as you have terminal windows. There is some practical limit, but you will certainly get lost in your collection of open connections before the Kindle loses track of what is what.

The use of ssh/scp commands can be simplified further by the use of a nickname for all of the connection details (such as what name to log in as). Type exit in one of the ssh sessions, or open another terminal window on your host machine. Code:
[root@kindle root]# exit
Connection to ken1 closed.

Make the hidden directory ~/.ssh the current directory; open the file named config in your favorite editor (if config does not exist, this will create it): Code:
core2quad ~ $ cd .ssh
core2quad .ssh $ sudo nano config
edit, edit, edit, save, exit
core2quad .ssh $ cd
core2quad ~ $

Code:
host kpw
    user root
    hostname ken1.morethan.org
    port 22
    IdentitiesOnly yes
    identityfile ~/.ssh/kpw_id_rsa

Now you should be able to substitute the connection nickname of 'kpw' for the options and authority field in the ssh and scp commands (and probably in the sftp commands also, but not tested here). Example: Code:
core2quad ~ $ ssh kpw
Welcome to Kindle!
#################################################
#  N O T I C E  *  N O T I C E  *  N O T I C E  #
#################################################
Rootfs is mounted read-only. Invoke mntroot rw to switch back to a writable rootfs.
#################################################
[root@kindle root]#

You can have as many 'nicknames' as you wish in the ~/.ssh/config file (within some practical limit), separated by blank lines.

Now for a simple example of executing shell commands on the Kindle, from the host PC, without ever bringing up a terminal instance on the Kindle. Background: ssh (Secure SHell) is a replacement for rsh (Remote SHell). Just like your local shell, you can pass it shell commands. For an example, let's try a one-liner to check the current charge level of the remote Kindle's battery: Code:
core2quad ~ $ ssh kpw "gasgauge-info -c"
Welcome to Kindle!
100%
core2quad ~ $

Code:
core2quad ~ $ ssh kpw "echo -n 'Charge: ' ; gasgauge-info -c ; echo -n 'Load: ' ; gasgauge-info -l"
Welcome to Kindle!
Charge: 99%
Load: -82 mA

All of that whitespace and that "Welcome to Kindle!" message need to be removed, since both stdin and stdout from the remote shell can be accessed in the ssh command line. The removal of that banner message requires the application of a patch to the usbnetwork script on the Kindle.

Doing away with the banner (optional, for when using remote commands with output to the client). Make a working directory (anywhere) named 'old' and make it the current working directory. Download the attachment to this post: banner.patch.gz

De-compress the patch: Code:
core2quad old $ gunzip banner.patch.gz

Code:
core2quad old $ scp kpw:/mnt/us/usbnet/bin/usbnetwork .
usbnetwork                                    100% 9263     9.1KB/s   00:00

Code:
core2quad old $ patch -p1 < banner.patch
patching file usbnetwork

Code:
core2quad old $ scp usbnetwork kpw:/mnt/us/usbnet/bin/usbnetwork
usbnetwork                                    100% 9383     9.2KB/s   00:00

Spoiler:
Now follow the normal routine for shutting down usb networking and then starting it again. There are timing loops in the start/stop script; you might have to repeat the start/stop toggle a few times (with a waiting time in between) before the old dropbear goes away and the new one (without the banner) starts.

Give the running of a sequence of commands on the remote Kindle another try: Code:
core2quad old $ ssh kpw "echo -n 'Charge: ' ; gasgauge-info -c ; echo -n 'Load: ' ; gasgauge-info -l"
Charge: 99%
Load: 142 mA
core2quad old $

Also note the positive load value; a positive value means the battery is charging at that current. The actual charge current is probably higher, since that measurement was taken while the on-demand kernel was running at least three active processes (sshd, gasgauge-info, and the shell script).

Before we play with ssh/scp over Wifi, which requires Wifi to be enabled, we need to block the Kindle's "call home" habit. That will require another iptables HowTo on modifying the rules, see:
https://www.mobileread.com/forums/sho...d.php?t=205068

For now, enjoy.

Last edited by knc1; 02-07-2013 at 09:05 AM.
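An added example, not part of knc1's post or of the USBnetwork package: the date-setting step of the HowTo done as a script, so the PC's UTC time is pushed to the Kindle only when the two clocks actually disagree. It assumes the 'kpw' alias from the ~/.ssh/config above (the ssh command is kept in a variable so it can be pointed at another alias, or at a stub for a dry run), GNU date on the PC for the 'date -d @epoch' conversion, and busybox date/hwclock on the Kindle as shown in the post. The busybox_stamp function is the MMDDhhmmYYYY.ss conversion the post does by hand.

```shell
#!/bin/sh
# Added example (not from the original post): sync the Kindle's clock from the
# PC over the 'kpw' ssh alias, but only when the two clocks actually disagree.
# Assumes GNU date on the PC ('date -d @N') and busybox date/hwclock on the
# Kindle.  SSH is a variable so it can be redirected to another alias or a stub.
SSH="${SSH:-ssh kpw}"

# Convert a Unix epoch (UTC) into the MMDDhhmmYYYY.ss form that busybox
# 'date -u' accepts when setting the clock (the format quoted in the HowTo).
busybox_stamp() {
    date -u -d "@$1" +%m%d%H%M%Y.%S
}

# Absolute difference in seconds between two epochs.
clock_drift() {
    if [ "$1" -ge "$2" ]; then
        echo $(( $1 - $2 ))
    else
        echo $(( $2 - $1 ))
    fi
}

# Ask the Kindle for its idea of the time as an epoch.  Busybox date supports
# the +%s format, which avoids parsing its ctime-style default output.
remote_epoch() {
    $SSH 'date -u +%s' | tr -d '\r\n'
}

# Compare both clocks; if they differ by more than $1 seconds (default 5),
# set the Kindle's system clock and write it through to the hardware clock in
# the same ssh session.  Prints 'in-sync <drift>' or 'set <stamp>'.
sync_kindle_clock() {
    threshold="${1:-5}"
    local_now=$(date -u +%s)
    kindle_now=$(remote_epoch)
    case "$kindle_now" in
        ''|*[!0-9]*) echo "error: could not read the Kindle clock" >&2; return 2 ;;
    esac
    drift=$(clock_drift "$local_now" "$kindle_now")
    if [ "$drift" -le "$threshold" ]; then
        echo "in-sync $drift"
        return 0
    fi
    # Re-read the local clock right before setting, so the round trip above
    # does not become part of the error just measured.
    stamp=$(busybox_stamp "$(date -u +%s)")
    $SSH "date -u $stamp >/dev/null && hwclock -w" || return 1
    echo "set $stamp"
}

# Run for real only when asked, so the file can also be sourced for its functions.
if [ "${KINDLE_SYNC_RUN:-0}" = 1 ]; then
    sync_kindle_clock "$@"
fi
```

Run it as KINDLE_SYNC_RUN=1 sh sync-clock.sh 5 once the usbnetwork toggle has brought dropbear up; with the banner patch from the post applied, the remote 'date -u +%s' comes back as a bare number, which is the only thing remote_epoch accepts.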
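A second added example, also not from the post or the package, covering two things the HowTo above leaves for later. First, the host key accepted with 'yes' in the transcripts is the one shipped inside USBnetwork, so every Kindle running the package presents the same key and the yes/no prompt cannot tell you which Kindle (or which other device carrying the package) you reached; the script spots such known_hosts entries by computing the MD5 fingerprint itself (md5 over the decoded key blob, which is all OpenSSH's colon form is) and comparing it with the 4e:30:... value from the transcript. Second, the kpw_id_rsa.pub copied into /mnt/us/usbnet/etc/authorized_keys above is an unrestricted root login; for remote one-liners like gasgauge-info -c, a separate key (generate it with ssh-keygen under another basename, as the post does) can be pinned to that one command with no pty and no forwarding. The option names used are assumed to be the ones dropbear honours (command=, no-pty, no-port-forwarding, no-agent-forwarding, no-X11-forwarding); OpenSSH's from= is deliberately not emitted, since dropbear is assumed to reject a key line carrying an option it does not know. Only ssh-rsa and ssh-dss are accepted, the two types the package ships host keys for. It assumes coreutils base64 and md5sum on the PC; the key blobs in the comments are constructed strings, not real keys. One caveat the ls -l output above makes visible: /mnt/us is the FAT user partition, which is why everything there, private host keys included, shows as -rwxr-xr-x; modes cannot be tightened on it, and anything that mounts the Kindle as a USB disk can read those keys.

```shell
#!/bin/sh
# Added example (not from the original post or the USBnetwork package).
#  1. find_shared_host_keys: flag known_hosts entries whose MD5 fingerprint is
#     the host key bundled with USBnetwork (shared by every install).
#  2. restricted_key_line: turn a *.pub into an authorized_keys line that
#     dropbear will only let run one command, with no pty and no forwarding.
# Assumes coreutils base64/md5sum and a dropbear that honours the key options
# below (assumption: unknown options make dropbear reject the line, so nothing
# else, e.g. OpenSSH's from=, is emitted).
SSH="${SSH:-ssh kpw}"

# Fingerprint shared by every USBnetwork install, copied from the post's
# 'ssh 192.168.15.244' transcript.
USBNET_SHARED_FP='4e:30:f8:bf:3e:92:b6:ad:18:21:b3:47:95:9e:02:30'

# MD5 fingerprint of a base64 key blob, in the colon form OpenSSH prints.
# It is just md5 over the decoded blob, so no ssh tooling is needed.
fingerprint_md5() {
    printf '%s' "$1" | base64 -d | md5sum | cut -c1-32 |
        sed 's/../&:/g; s/:$//'
}

# Read known_hosts on stdin; print 'shared <host>' for every entry (field 3 is
# the blob) that carries the package's shared key.  Hashed known_hosts entries
# still match, since only the hostname field is hashed, not the key blob.
find_shared_host_keys() {
    while read -r host keytype blob _; do
        case "$host" in ''|'#'*) continue ;; esac
        [ "$(fingerprint_md5 "$blob")" = "$USBNET_SHARED_FP" ] && echo "shared $host"
    done
    return 0
}

# Read a *.pub on stdin and emit a locked-down authorized_keys line; $1 is the
# only command the key may run.  Returns 1 on malformed input, or on a command
# containing a double quote (it would end the command= option early).
restricted_key_line() {
    cmd="$1"
    read -r keytype blob comment || return 1
    case "$keytype" in ssh-rsa|ssh-dss) ;; *) return 1 ;; esac
    case "$blob" in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac
    case "$cmd" in *'"'*) return 1 ;; esac
    printf 'command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s %s %s\n' \
        "$cmd" "$keytype" "$blob" "${comment:-restricted}"
}

# Append the restricted line to the authorized_keys path the package uses
# (from the post).  /mnt/us is FAT, so no chmod follows: modes cannot be set there.
install_restricted_key() {
    restricted_key_line "$1" | $SSH 'cat >> /mnt/us/usbnet/etc/authorized_keys'
}

# Typical use:
#   find_shared_host_keys < ~/.ssh/known_hosts
#   install_restricted_key 'gasgauge-info -c' < ~/.ssh/kpw_mon_id_rsa.pub
```

After installing a restricted key, 'ssh -i ~/.ssh/kpw_mon_id_rsa root@ken1' should print the battery charge and disconnect no matter what command is given on the client side; if it drops into the root shell instead, the dropbear in your package is not applying the options and the line should be removed.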
02-05-2013, 11:48 AM | #2
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Will be putting the additions to the above HowTo down here when required.
Last edited by knc1; 02-05-2013 at 07:45 PM.
02-05-2013, 01:06 PM | #3
( ͡° ͜ʖ ͡°){ʇlnɐɟ ƃǝs}Tır
Posts: 6,586
Karma: 6299991
Join Date: Jun 2012
Location: uti gratia usura (Yao ying da ying; Mo ying da yieng)
Device: PW-WIFI|K5-3G+WIFI| K4|K3-3G|DXG|K2| Rooted Nook Touch
This is excellent information, well laid out.
Thanks from us all, silent and not.
02-05-2013, 07:46 PM | #4
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
It's soup.
Typos fixed and the patch to remove the banner output attached to the first post.
Directions and a test example of dropbear with the removed banner added to the top post.

NOTE: The banner could probably have been blocked with an addition to the config file. But that has the disadvantage of being a user point of change (the config file); hence it would have to be hand-entered by each user, exactly. For now, a patch to the script is the way the banner is killed.

Last edited by knc1; 02-05-2013 at 09:44 PM.
02-11-2013, 04:29 PM | #5
Member
Posts: 21
Karma: 36663
Join Date: Feb 2013
Device: Kindle Touch 5.3.2
What's the best way to connect to Kindle Touch via SSH?
I do jailbreak all the time when I need an SSH connection. I found these USBNetwork 0.7N (4MB) and SimpleUSBNetwork 1.1 (280kb) hacks. What's the difference?
02-11-2013, 05:59 PM | #6
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
I know nothing about SimpleUSBNetwork 1.1
02-12-2013, 03:54 AM | #7
Member
Posts: 21
Karma: 36663
Join Date: Feb 2013
Device: Kindle Touch 5.3.2
I found this one: simple_usbnet_1.1.zip. It's much smaller, and people say it also works.
Last edited by Glosnik; 02-12-2013 at 06:24 AM.
02-12-2013, 07:48 AM | #8
Going Viral
Posts: 17,212
Karma: 18210809
Join Date: Feb 2012
Location: Central Texas
Device: No K1, PW2, KV, KOA
Quote:
I have just chosen to integrate the various services provided by the larger package in addition to the ssh server.
02-12-2013, 09:06 AM | #9
( ͡° ͜ʖ ͡°){ʇlnɐɟ ƃǝs}Tır
Posts: 6,586
Karma: 6299991
Join Date: Jun 2012
Location: uti gratia usura (Yao ying da ying; Mo ying da yieng)
Device: PW-WIFI|K5-3G+WIFI| K4|K3-3G|DXG|K2| Rooted Nook Touch
Quote:
but if it works for you "it works". I would use the other one.
02-12-2013, 10:47 AM | #10
BLAM!
Posts: 13,495
Karma: 26047188
Join Date: Jun 2010
Location: Paris, France
Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
simple_usbnet was Yifan's original, quick & simple way to get an SSH server on the Touch devices. It's basically just dropbear (possibly the one from the early K4 diags), and a very plain & 'dumb' script to toggle it. KISS.
USBNetwork is the port of the K2/3 hack of the same name, with a bunch of different sets of configuration available (a choice between dropbear and OpenSSH, WiFi, ...), and a few extra tools bundled with it. It's also patched to make it friendlier with our hacked devices. As an example, you probably won't be able to sftp to your device with simple_usbnet alone, and I'm not even sure about scp (can't remember if it's bundled in the default FW on the Touch/PW; it wasn't on earlier devices).
02-12-2013, 10:53 AM | #11
( ͡° ͜ʖ ͡°){ʇlnɐɟ ƃǝs}Tır
Posts: 6,586
Karma: 6299991
Join Date: Jun 2012
Location: uti gratia usura (Yao ying da ying; Mo ying da yieng)
Device: PW-WIFI|K5-3G+WIFI| K4|K3-3G|DXG|K2| Rooted Nook Touch
Quote:
Quote:
[root@kindle root]# which scp Quote:
[root@kindle root]# finder scp Quote:
Quote:
Last edited by twobob; 02-12-2013 at 10:56 AM.
02-12-2013, 10:58 AM | #12
BLAM!
Posts: 13,495
Karma: 26047188
Join Date: Jun 2010
Location: Paris, France
Device: Kindle 2i, 3g, 4, 5w, PW, PW2, PW5; Kobo H2O, Forma, Elipsa, Sage, C2E
On the other hand, simple_usbnet does install an scp symlink to dbscp, so, err, scratch that ^^.
02-13-2013, 10:55 AM | #13
Member
Posts: 21
Karma: 36663
Join Date: Feb 2013
Device: Kindle Touch 5.3.2
Just wanted a simple ssh connection, without stuff I won't even use. It works, so I'll let it live.
02-13-2013, 02:17 PM | #14
( ͡° ͜ʖ ͡°){ʇlnɐɟ ƃǝs}Tır
Posts: 6,586
Karma: 6299991
Join Date: Jun 2012
Location: uti gratia usura (Yao ying da ying; Mo ying da yieng)
Device: PW-WIFI|K5-3G+WIFI| K4|K3-3G|DXG|K2| Rooted Nook Touch
sounds like a plan
Tags
ssh, ssh server |