Use this for SSH on the Empeg?

Telnet interprets some byte sequences as internal commands. I don't know if zmodem can be configured to avoid those sequences or not. Also, scp is much, much easier to deal with.

Honestly, I've always had a lot of trouble doing zmodem over the serial port since there's no flow control enabled.

Yeah. The telnetd with a login was me. I'll dig it out again.

Even something non-malicious. It is quite easy with some commands / interfaces (thinking about charcoalgrey's for example) to set the drives read/write and forget it. Then I disconnect the power and find the filesystems are dirty and need and fsck.

That's why Hijack password protection was implemented!

Mind ya, that is also rather easy to hack..

True and true. I was just showing that it can be very easy to cause damage (well, perhaps just annoyance) without intending to, if the player is left open on a network.

<tonyc>

Er, no. The principle is known much better as security through obscurity in information security vernacular.

</tonyc>

<Google>
Results 1 - 10 of about 27,700 for "security through obscurity"
Results 1 - 10 of about 253 for "security through obfuscation"
</Google>

Right. I've never heard of security through obfuscation. Your Bitt impression sucks, Tony.

Damn. I'd first seen the term "security through obfuscation" in an IT trade publication ten years ago and never heard a different varaiant during all the intervening time.

I could argue that my way is a more accurate term, but clearly the masses have spoken. Sigh.

"security through obscurity" : 27,700
"security through obfuscation": 253

Edit: Jeebus, the links worked fine in preview. WTF?
Edit: It didn't like the double-quotes-as-%22 inside the [url] tag; it changed them to doublequotes too early somewhere. I changed them to "%2522". -wfaulk

Dude, you need to use your scrollbar. ^^^

I don't believe in scrollbars. I'm a bottom-post-only-reader

Almost, but not quite, entirely unlike tea^H^H^HBitt.

: ) I wonder how many of the younger folk on the board remember that...

Who's going to install the GPP feature into the empeg then?

802.11 connectivity module -

"Share and Enjoy"

I'm working on getting the debian OpenSSH server to work on a stock empeg kernel right now. It should be ready to download in the next few days.

I already have a running ssh server on my special configured empeg player (running a complete debian sarge distribution) since about two years.

Thank you very much!

How fast does it go? I compiled OpenSSH a while ago and found it be quite sluggish even with the player being idle/paused.

No, it's rather fast. You'll see it. Let you surprise.

In the meantime I'm able to ssh login to a stock empeg player (a slightly modified hijack kernel is needed). I get a shell in a chrooted environment and scp works as expected. But I think what people wants is access to the /drive0 and /drive1 directories of the empeg. This is not possible in this environment!

So here is the big question to the linux gurus. How do I have access to these directories in a chrooted environment? I already asked google and tried the following methods but without success so far:

- mount directories to a directory inside chrooted environment (does not work because drives can only be mounted once in kernel 2.2)

- mount with the --bind option to a directory inside the chrooted environment (does not work because this option needs at least a kernel 2.4)

Any other ideas?

If you want full access to the empeg, then don't use a chroot'd environment.

This was not the aswer I hoped for. :-)
I have to use a chroot'd environment because otherwise it conflicts with other libraries.

#!/bin/sh
export LD_LIBRARY_PATH=/my_ssh_libs/
exec sshd

This is exactly the way I tried it first.
But sshd relies on many different files and folders which I thought are easier to provide in a chroot'd environment and do not conflict with the existing empeg things.
Maybe it would somehow work the way you proposed but I had no success.

Is there really now way to mount, link (e.g mount_union, mount_null) or whatever a directory from outsite the chroot'd environment? (I know the purpose of a chroot'd environment is to jail the user in there)

If you create the /dev/ node inside the chroot cell for the disk partition you want, then you ought to be able to mount it (again) inside there.

Cheers

is it possible to compile this thing static?

I have a copy of all the dev nodes inside.
I can for example unmount /drive1 (/dev/hdc4) and mount it inside the chroot'd environment. This works as expected.
But as much as I know you can NOT mount a partition twice to different mount points withhin the kernel 2.2. (kernel 2.4 allows this)

I don't know if it is possible to compile it static. But even then it uses additional services like pam.
What I do here is not compile the ssh package but use the precompiled debian packages.

Pam is optional -- should be able to eliminate it with a configure flag or something similar.

Pity that 2.2.xx won't allow multiple mounts -- I hadn't noticed that limitation before, and a brief glance at fs/super.c didn't promise much hope of a simple patch to "fix" that limitation.

So, you're back to LD_LIBRARY_PATH again.

EDIT: or you could try some really wretched hack like changing the regular mount location to a point within the chroot tree, and using a symlink to put it back where everything else expects to find it.

cheers

Mount it once, inside the chrooted environment, and symlink the original mountpoint to it

(actually, that's wretched)

Yes, this way it should work. I'll try it tomorrow.
Thanks for all the help.

Short version: rather than trying to secure the empeg (difficult and taxing on its CPU), put it behind a firewall.

Long version:
I'll be worrying about security when I install my carputer. I plan to use it to let me upload music to the empeg while it's still in the car (soon after parking).

Since I don't trust either WEP or WPA for access to my home network, I hacked my WRT54G to be an IPSec endpoint. Now I can VPN from my laptop to the Linksys (I allow others free Internet access, but my home lan is only visible to IPSec clients). The down side is that the Linksys's CPU is so slow that it can only push ~1.5Mbps through an IPSec tunnel (not enough for streaming video from the TiVo to my laptop). I'll soon build another linux box to be a VPN server (likely openvpn).

Also wanting to keep the empeg secure against wardrivers (as I'll have a PC in the trunk with ethernet to the empeg and WiFi), I'll config the carputer to be a firewall too. Then when in range of my home WiFi, it can VPN in (net-to-net) so I can upload new music.

The empeg shouldn't need any modification so no extra CPU or memory usage to slow it down.

Did you mean to ask a question of some kind?

Nope.

Just throwing in my $0.02.

The reason I wanted SSH wasnt for security really. It was for being able to copy files since I couldnt use FTP at my last job..

Happy birthday!

Thank you..