Difference between revisions of "Install SSH"

From AwkwardTV
m (Step 2)
m (Step 2)
Line 15: Line 15:
 
Make sshd start automatically on boot. If you have the AppleTV disk mounted on a Mac, it's easy:
 
Make sshd start automatically on boot. If you have the AppleTV disk mounted on a Mac, it's easy:
 
<pre>
 
<pre>
cp -p System/Library/LaunchDaemons/ssh.plist /Volumes/OSBoot/System/Library/LaunchDaemons/
+
cp -p /System/Library/LaunchDaemons/ssh.plist /Volumes/OSBoot/System/Library/LaunchDaemons/
 
defaults delete /Volumes/OSBoot/System/Library/LaunchDaemons/ssh Disabled
 
defaults delete /Volumes/OSBoot/System/Library/LaunchDaemons/ssh Disabled
 
</pre>
 
</pre>
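Review bot: the leading slash added in `cp -p /System/Library/LaunchDaemons/ssh.plist /Volumes/OSBoot/System/Library/LaunchDaemons/` is the right fix; the old relative path `System/Library/LaunchDaemons/ssh.plist` only resolved when the shell's working directory happened to be `/`, so the copy silently failed from anywhere else. The unchanged `defaults delete /Volumes/OSBoot/System/Library/LaunchDaemons/ssh Disabled` line still belongs with it (note that `defaults` takes the path without the `.plist` suffix), because a plist copied with `-p` keeps whatever `Disabled` setting the source had.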

Revision as of 01:06, 2 June 2007


These instructions are for installing ssh on the Apple TV from an Intel Mac (if you don't have an Intel Mac, you need to find another source for sshd, such as http://darwinsource.opendarwin.org/Roots/OpenSSH-56.root.tar.gz and http://darwinsource.opendarwin.org/Roots/OpenSSL-26.root.tar.gz; please verify that those work). You need to remove the Apple TV's hard drive and mount it using some sort of FireWire or USB enclosure, perform the steps below, and then reinstall the drive. It is not necessary to disable the firewall (see Disable Firewall).

Changed 2007-06-01: You also can use ssh v2 now. (This was formerly a problem; see section 4.)

Step 1

Copy sshd from your Intel Mac, to your AppleTV (you have to use an Intel-compiled version). For example:

cp -p /usr/sbin/sshd /Volumes/OSBoot/usr/sbin/

The "-p" preserves permissions while copying sshd; if you forget it, mark the copy as executable:

chmod +x /Volumes/OSBoot/usr/sbin/sshd

Step 2

Make sshd start automatically on boot. If you have the AppleTV disk mounted on a Mac, it's easy:

cp -p /System/Library/LaunchDaemons/ssh.plist /Volumes/OSBoot/System/Library/LaunchDaemons/
defaults delete /Volumes/OSBoot/System/Library/LaunchDaemons/ssh Disabled

Otherwise, create a text file /Volumes/OSBoot/System/Library/LaunchDaemons/ssh.plist containing:

 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
         <key>Disabled</key>
         <false/>
         <key>Label</key>
         <string>com.openssh.sshd</string>
         <key>Program</key>
         <string>/usr/libexec/sshd-keygen-wrapper</string>
         <key>ProgramArguments</key>
         <array>
                 <string>/usr/sbin/sshd</string>
                 <string>-i</string>
         </array>
         <key>SessionCreate</key>
         <true/>
         <key>Sockets</key>
         <dict>
                 <key>Listeners</key>
                 <dict>
                         <key>Bonjour</key>
                         <array>
                                 <string>ssh</string>
                                 <string>sftp-ssh</string>
                         </array>
                         <key>SockServiceName</key>
                         <string>ssh</string>
                 </dict>
         </dict>
         <key>StandardErrorPath</key>
         <string>/dev/null</string>
         <key>inetdCompatibility</key>
         <dict>
                 <key>Wait</key>
                 <false/>
         </dict>
 </dict>
 </plist>
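The whole point of the `defaults delete ... Disabled` command in Step 2 is that a launchd job whose plist carries a `Disabled` key set to true never starts, no matter what else the file says. The following is an added example, not part of the original wiki page: a plain-awk check and fix for that key, for the case where the OSBoot volume is mounted on a machine without Apple's `defaults` or `plutil` tools. The sample plist it writes is constructed for the demo (abbreviated, with `Disabled` set to true, which is the state the page's `defaults delete` step is there to undo); the function names are my own. It assumes the one-key-or-value-per-line layout shown in the plist above.

```shell
#!/bin/sh
# Added example: inspect and clear the "Disabled" key of a launchd job plist
# without Apple's `defaults` tool. On a Mac, `defaults delete <path-without-.plist>
# Disabled` as in Step 2 is the right way; this is a portable awk equivalent.

# Print "true", "false" or "absent" for the Disabled key of the plist in $1.
launchd_job_disabled() {
    awk '
        /<key>Disabled<\/key>/ { want = 1; sub(/.*<key>Disabled<\/key>/, "") }
        want && /<true\/>/     { print "true";  found = 1; exit }
        want && /<false\/>/    { print "false"; found = 1; exit }
        want && /<key>/        { want = 0 }   # another key before any value: give up
        END { if (!found) print "absent" }
    ' "$1"
}

# Write a copy of plist $1 to $2 with the Disabled key and its value removed,
# which is what `defaults delete ... Disabled` achieves on a Mac.
launchd_job_clear_disabled() {
    awk '
        /<key>Disabled<\/key>/ {
            # drop the key line; if the value sits on the same line it goes too,
            # otherwise drop the next <true/> or <false/> line
            if ($0 ~ /<(true|false)\/>/) { next }
            skip = 1; next
        }
        skip && /<(true|false)\/>/ { skip = 0; next }
        { print }
    ' "$1" > "$2"
}

# Constructed sample (abbreviated), in the state the page's Step 2 is undoing:
# the job is present but Disabled is set to true.
write_sample_plist() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
        <key>Disabled</key>
        <true/>
        <key>Label</key>
        <string>com.openssh.sshd</string>
        <key>ProgramArguments</key>
        <array>
                <string>/usr/sbin/sshd</string>
                <string>-i</string>
        </array>
</dict>
</plist>
EOF
}

# Usage: check the sample, clear the key into a new file, check again.
demo() {
    tmp=$(mktemp -d)
    write_sample_plist "$tmp/ssh.plist"
    echo "before: Disabled=$(launchd_job_disabled "$tmp/ssh.plist")"
    launchd_job_clear_disabled "$tmp/ssh.plist" "$tmp/ssh.fixed.plist"
    echo "after:  Disabled=$(launchd_job_disabled "$tmp/ssh.fixed.plist")"
    rm -rf "$tmp"
}
demo
```

Run it against the real file as `launchd_job_disabled /Volumes/OSBoot/System/Library/LaunchDaemons/ssh.plist`; anything other than `false` or `absent` means sshd will not be started at boot. Removing the key (rather than flipping it to false) matches what `defaults delete` does.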

Step 3

Log in like this:

ssh -1 frontrow@AppleTV.local

Password "frontrow"

  • If you are on a Windows machine, use PuTTY to connect.
    • Under Connection -> SSH, there is an option for "1 only". Use this.
    • You may need to connect by IP address instead of by name if you do not have Bonjour installed.
  • Note: user "frontrow" has sudo privileges. The password for sudo is "frontrow".

Step 4 - Creating Host Keys and Making ssh2 Work

The reason ssh v2 does not work when using the 10.4.x sshd binary is that sshd is trying to use the Kerberos framework, but there is only some sort of stub framework shipped on the AppleTV.

The fix for this is easy. Copy /System/Library/Frameworks/Kerberos.framework from your Intel Mac to your AppleTV. You can back up the stub framework first, though there's little point to that since you can always get it back out of the system recovery volume too.

For example (this is all ONE line, even if it appears split on the web):

tar cf - /System/Library/Frameworks/Kerberos.framework | ssh -1 appletv.local "(cd / ; tar xf -)"

You can of course also use ftp, sftp, or afp/smb filesharing if you already have those set up, too.

The rest of this section is no longer useful and should not be followed, but I'm leaving it in place for now, in case someone finds some other problem with the stock sshd and can't figure it out. (You don't even have to make ssh keys, as OS X will create them the first time you use ssh if they don't already exist.)

As noted, copying the sshd binary from a 10.4.9 install will only support version 1 of the ssh protocol. To enable ssh2 and create your host keys, follow these steps. This is written assuming you already have ssh1 shell access to the device.

  1. Download the ssh package listed above from here http://darwinsource.opendarwin.org/Roots/OpenSSH-56.root.tar.gz and extract usr/sbin/sshd from the package.
  2. scp this file over to the ATV with the following command
    scp -1 sshd frontrow@<your ip address>:
  3. Log in to the ATV and remount the root partition as read write.
    -bash-2.05b$ sudo mount -o rw,remount /dev/disk0s3 /
  4. Backup the existing sshd
    -bash-2.05b$ sudo mv /usr/sbin/sshd /usr/sbin/sshd.old
  5. Move the new sshd binary to /usr/sbin
    -bash-2.05b$ sudo mv /Users/frontrow/sshd /usr/sbin/sshd
  6. Mark the new sshd binary as executable again, as in Step 1.
    -bash-2.05b$ chmod +x /usr/sbin/sshd
  7. Generate the rsa key - Do not use a passphrase
    -bash-2.05b$ sudo ssh-keygen -t rsa -f /etc/ssh_host_rsa_key
  8. Generate the dsa key - Do not use a passphrase
    Note: this can be / is a bit slow on the ATV; be patient.
    -bash-2.05b$ sudo ssh-keygen -t dsa -f /etc/ssh_host_dsa_key
  9. Generate the rsa1 key - Do not use a passphrase
    -bash-2.05b$ sudo ssh-keygen -t rsa1 -f /etc/ssh_host_key

Note: You may need to create an sshd_config file in /etc for this to work. The file can be empty.

Step 5 - Logging in without a password

  1. It's assumed all previous steps are completed. This section only works for a Mac; Windows users should investigate Pageant, a program that comes with PuTTY. First create a special directory on the ATV for your keys.
 -bash-2.05b$ mkdir ~frontrow/.ssh
 -bash-2.05b$ chmod 700 ~frontrow/.ssh
  2. Add a key to the authorized_keys file and protect the file. SSH checks the permissions of this file very carefully.
 -bash-2.05b$ cat /etc/ssh_host_rsa_key.pub > ~frontrow/.ssh/authorized_keys
 -bash-2.05b$ chmod 600 ~frontrow/.ssh/authorized_keys
  3. Display the full private key and copy the text to the clipboard. You'll see something like
 -bash-2.05b$ sudo cat /etc/ssh_host_rsa_key
 -----BEGIN RSA PRIVATE KEY-----
 MIIEogIBAAKCAQEAtPQlIYRKBPxrZjiXKjLX7uR6gRxCvkV8S09H1f8SLmVRoyfT
 chMGdMCwVgv+stf7gc1mW6aYVqSV7DMo4HCN7uFQwGRt0/qxdgCVesN60tugnEM9
 ..lots more stuff here..
 UvxgQ1ahS+82mHd8XNDOXmMEEIE0mOffga35ADyisZfBql+yED6xXzOOw9/vfP3q
 UrmG68Mwv18Wz0unZGt1NSwsw/6ITSGKN3iTr+w4zcEpGK6liJw=
 -----END RSA PRIVATE KEY-----
  4. Still on the ATV, remount the root partition read only.
    -bash-2.05b$ sudo mount -o ro,remount /dev/disk0s3 /
  5. On your Mac, in a terminal window, run nano -wci ssh_host_key and paste in the clipboard text. Press Ctrl-x to save and exit.
  6. Change the permissions on this new file:
 chmod 700 /path_to_file/ssh_rsa_key
  7. Test your mod before logging out of the ATV by opening a new connection to the device. Running this should not require a password; if it does, check the permissions on your ATV .ssh directory, the authorized_keys file and the key file on the Mac: all should be 600 or 700.
 ssh -i /path_to_file/ssh_rsa_key frontrow@192.168.1.24
  8. If you get something like this (expected if you connected to the ATV before its host keys were regenerated in Step 4), just delete the known_hosts file, or only the offending line it names:
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
 Someone could be eavesdropping on you right now (man-in-the-middle attack)!
 It is also possible that the RSA host key has just been changed.
 The fingerprint for the RSA key sent by the remote host is
 7a:24:c9:75:cb:15:0f:8a:5c:1a:72:81:e2:25:f4:c2.
 Please contact your system administrator.
 Add correct host key in /Users/nsc/.ssh/known_hosts to get rid of this message.
 Offending key in /Users/nsc/.ssh/known_hosts:1
 RSA host key for 192.168.1.17 has changed and you have requested strict checking

Alternate Keygen Method (seems less complicated to me)

As an alternate method for setting up passwordless login, you can create the rsa key on your local machine and copy it to the AppleTV. Here are the steps I found on Dreamhost's wiki, which I've tried and can confirm work with AppleTV, assuming you have already installed OpenSSH-56 as described above.

These steps would take over starting with item 7 in Step 4 above:

First generate an RSA key pair on your computer. Note if you have ever generated RSA keys before, i.e. for passwordless login to other SSH servers, you can skip this step.

ssh-keygen -t rsa

It will prompt you for three things, hit enter to accept the default on all three.

Next, copy your public key to your AppleTV.

scp ~/.ssh/id_rsa.pub frontrow@AppleTV.local:~/

Then ssh to your account (using your password "frontrow"):

ssh frontrow@AppleTV.local

Next, you'll make an .ssh directory on your AppleTV and create an "authorized_keys" file and move your public key into it.

mkdir .ssh
cat id_rsa.pub >> .ssh/authorized_keys
rm id_rsa.pub

Then make sure permissions are set properly for all necessary files and directories:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

If everything is configured properly, you should be able to access your AppleTV through SSH without a password now!
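Both Step 5 and the alternate method end with the same two requirements: `~/.ssh` must be mode 700 and `authorized_keys` mode 600, and sshd refuses the key otherwise. The script below is an added example, not code from the wiki page or from OpenSSH: it installs a public key the way the alternate method does (a key pair generated on the client, only the public half copied to the device, rather than the device's own host private key) and then audits the permissions that sshd's StrictModes check and the page's "all should be 600 or 700" rule call for. The function names and the sample key line are my own constructions; the public-key line is deliberately not a real key.

```shell
#!/bin/sh
# Added example: install a client public key into authorized_keys and audit
# the permissions sshd insists on. Not from the wiki page; names are my own.

# Succeed if $1 has no group/other permission bits at all (mode 600/700).
# Parsing `ls -ld` columns 5-10 keeps this portable across BSD/macOS and GNU.
perms_private() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Append the OpenSSH public-key line in file $2 to $1/.ssh/authorized_keys,
# creating the directory as 700 and the file as 600, as in the steps above.
# Refuses anything that is not a single public-key line, so a private key
# pasted by mistake never lands in authorized_keys.
install_authorized_key() {
    home=$1; pubkey=$2
    if grep -q 'PRIVATE KEY' "$pubkey"; then
        echo "refusing: $pubkey looks like a private key" >&2; return 2
    fi
    grep -Eq '^ssh-(rsa|dss|ed25519) ' "$pubkey" || {
        echo "refusing: $pubkey is not an OpenSSH public key line" >&2; return 2
    }
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    ( umask 077; cat "$pubkey" >> "$home/.ssh/authorized_keys" )
    chmod 600 "$home/.ssh/authorized_keys"
}

# Audit: return 0 only if the home directory is not group/world writable
# (sshd's StrictModes check) and .ssh plus authorized_keys are fully private
# (the page's 700/600 rule). Each problem is printed on its own line.
audit_ssh_perms() {
    home=$1; rc=0
    mode=$(ls -ld "$home" | cut -c1-10)
    case "$(printf '%s' "$mode" | cut -c6)$(printf '%s' "$mode" | cut -c9)" in
        --) ;;
        *)  echo "FAIL $home is group/world writable ($mode)"; rc=1 ;;
    esac
    for f in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$f" ]; then
            echo "FAIL $f is missing"; rc=1
        elif ! perms_private "$f"; then
            echo "FAIL $f is not mode 600/700 ($(ls -ld "$f" | cut -c1-10))"; rc=1
        fi
    done
    return $rc
}

# Usage: run against a throwaway home directory with a constructed key line.
demo() {
    home=$(mktemp -d)
    chmod 755 "$home"
    # constructed, not a real key; only the "ssh-rsa <base64> comment" shape matters
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedNOTaREALkey== frontrow@mac\n' > "$home/id_rsa.pub"
    install_authorized_key "$home" "$home/id_rsa.pub"
    audit_ssh_perms "$home" && echo "ok: permissions acceptable"
    chmod 644 "$home/.ssh/authorized_keys"        # the classic mistake
    audit_ssh_perms "$home" || echo "audit caught the loose file, as expected"
    rm -rf "$home"
}
demo
```

On the device, `audit_ssh_perms ~frontrow` is the check to run before logging out of the working session, since a failing audit is exactly the case where the next `ssh -i` falls back to asking for a password.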

For more information, see the man pages for ssh, ssh-keygen, and sshd.