Secure-A-C.H.I.P.

Security is a big deal. Every day brings a new story about how hackers are creating networks of bots and stealing information and identities.

It’s easy to dive into using C.H.I.P. without thinking about this stuff, so we want to provide some guidelines on how to make your C.H.I.P. secure. This is especially important if you’re working with C.H.I.P. remotely on a network. You’ll not only want a secure C.H.I.P., but you’ll want the process as streamlined as possible.

Here are some tips for making it easy to log into your C.H.I.P., making logging in more secure, and making your C.H.I.P. unique so you know it’s yours.


There are three parts to this:

  • Change the default password
  • Change the host name
  • Create a password-free login between one computer and your C.H.I.P.

That last one may not sound very secure, but it’s actually more secure than typing in a password each time, and allows for automated management of your C.H.I.P. Super slick!


CHANGE YOUR PASSWORD

It’s so easy, but you probably haven’t done it. From a terminal on C.H.I.P., simply type the command below and follow the prompts.
passwd

Now enter your new password into your password manager. What? You don’t have one? You should – that way, you can have more secure passwords and store them securely. Just research “password manager” in your favorite search engine for your operating system, and come back here when you are done.

Note: Make sure to change your root password as well!


CHANGE YOUR C.H.I.P. NAME

Every C.H.I.P. ships with a default computer name of “chip.” This has little influence on security, but if you are working with more than one C.H.I.P., it’s easy to get lost if they all have the same name. If you have more than one C.H.I.P. on the network and you type ssh chip@chip.local, how do you know where you will end up?

You don’t, really. So the first thing I do with a new C.H.I.P. is give it a new hostname. There are two places where you need to change the word chip to your new name:
sudo nano /etc/hostname

and

sudo nano /etc/hosts

If you changed chip to totopo you can now ssh chip@totopo.local. If you reboot, you’ll see a new prompt that looks like: chip@totopo:~$.


FREE YOUR MIND AND YOUR PASS(WORD) WILL FOLLOW

When I’m working with a C.H.I.P. remotely, it gets irritating to constantly enter my password, especially if it’s a long, weird, secure password. I also like to sometimes run things like an automated update to several computers at once with rsync, and I don’t want to have to enter in a password. Good thing there’s a cure for my ill!

In Linux or OS X, open a terminal and generate an SSH keypair:
ssh-keygen -t rsa

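Hit return for all questions, and do not enter a password when asked. With no password on the key, the private key file (~/.ssh/id_rsa) is all anyone needs to log in to your C.H.I.P., so keep that file on your computer and only ever copy the .pub file.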


Moving On…

Copy the public key to the chip user’s home directory on C.H.I.P. with scp:
scp ~/.ssh/id_rsa.pub chip@totopo.local:~/

Log in to C.H.I.P.:
ssh chip@totopo.local
and enter your password to log in.

Note: If you haven’t set up zeroconfig — that’s what enables you to use .local addresses — check out the docs for instructions.

You may need to create a .ssh directory on C.H.I.P.:
mkdir .ssh

Now add the public key from your computer to C.H.I.P.’s list of authorized keys:
cat id_rsa.pub >> .ssh/authorized_keys && rm id_rsa.pub

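Finally, you have to set up your permissions on C.H.I.P. so that sshd will accept this key when you try to log in (by default it ignores authorized_keys if the file, ~/.ssh, or your home directory is writable by group or others):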
chmod go-w ~ && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
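
The C.H.I.P.-side steps above, rolled into two shell functions you can re-run safely. This is an added example, not part of the original post; the function names install_pubkey and audit_ssh_perms are made up for illustration.

```sh
#!/bin/sh
# Added example; install_pubkey and audit_ssh_perms are hypothetical names.

# install_pubkey PUBKEY_FILE [HOME_DIR]
# Appends the key only if it is not already listed, then applies the same
# permissions as the chmod line above.
install_pubkey() {
    pub=$1
    home=${2:-$HOME}
    [ -s "$pub" ] || { echo "no public key at $pub" >&2; return 1; }
    # PEM/OpenSSH private key files contain this marker; public keys never do.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key; not installing" >&2
        return 1
    fi
    mkdir -p "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    # Read each key line (also a last line with no trailing newline).
    while IFS= read -r key || [ -n "$key" ]; do
        [ -n "$key" ] || continue
        # -x whole line, -F fixed string: skip exact duplicates.
        grep -qxF -- "$key" "$home/.ssh/authorized_keys" ||
            printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    done < "$pub"
    chmod go-w "$home" && chmod 700 "$home/.ssh" &&
        chmod 600 "$home/.ssh/authorized_keys"
}

# audit_ssh_perms [HOME_DIR]
# Returns 0 when none of the three paths is writable by group or others
# (the condition sshd's StrictModes option checks).
audit_ssh_perms() {
    home=${1:-$HOME}
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; rc=1; continue; }
        # find prints the path only if a group- or other-write bit is set.
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "too permissive: $p" >&2
            rc=1
        fi
    done
    return $rc
}
```

After the scp step, running install_pubkey ~/id_rsa.pub followed by audit_ssh_perms on C.H.I.P. replaces the mkdir, cat and chmod commands, and running it twice will not add the same key twice.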


Windows Does It Differently

For Windows, the process is more involved, since the OS does not have built-in support for generating a key. If you are using PuTTY, a free SSH client, and don’t have PuTTYgen already, you can download it here.

Launch the program, and then click the Generate button. The program generates the keys for you. Hit return for all questions, and do not enter a password when asked.

Save the key by clicking ‘Save Private key’ and saving it to a file named “id_rsa.pub” in PuTTY’s keys folder (this is set up in PuTTY’s configuration panel under Connection/SSH/Auth). You will need to copy this file to C.H.I.P. with pscp (PuTTY scp). If you are using the Chrome terminal emulator Secure Shell or cygwin for your Windows terminal needs, the process is more or less the same as it is for Linux and Mac.


YOU DID IT!

Your C.H.I.P. is now secure and even easier to use!

Got more security questions or solutions? Head over to the forums to ask and share with the community!
