intel euclid – secure that bugger

This thing is a cool little computer, but it IS a computer, and we don’t want the possibility of a zombie on our network, OR especially in our robot, now do we? Link to wtf I’m talking about here.

Sadly I don’t see any way YET to lock down the default development web page, but will probably stumble my way into something and post on that. The web server appears to be a series of python scripts, so if I can find the config, change ports, and hide it behind a login screen on lighttpd or something I’ll document that out as well.

Step 1, initial setup
first things first, follow the instructions for the basic setup. as of 06/09/2017 running the ubuntu software updater does not appear to break anything (that i’ve seen so far)

step 2, change your passwords.
login via VNC with the default password (euclid) and change the default user’s password via the settings panel
then open a terminal and type the following to change the default VNC password

sudo x11vnc -storepasswd /etc/x11vnc.pass
you will be prompted as below
Enter VNC passwd: [enter new password]
Verify password: [enter the new password again]
Write password to /home/ubuntu/.vnc/passwd? [y]/n y
Password written to : /home/ubuntu/.vnc/passwd

step 3, setup ssh

sudo apt install openssh-server -y

at this point the ssh server should be running and you should be able to login with the euclid user and password

step 4, configure ssh to use public key encryption (semi optional)
I recommend using public key encryption to make the connections, and from the host machine executing the following command will copy your public key over (the public key is what goes into authorized_keys; the private key never leaves the host machine). it MAY complain about the file not existing, and if that happens, just create a blank one at ~/.ssh/ (you may need to create the directory as well)

cat ~/.ssh/ | ssh user@hostname 'cat >> .ssh/authorized_keys'

after that, make sure to turn off interactive login by adding/changing the following in the /etc/ssh/sshd_config file

# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
PasswordAuthentication no
ChallengeResponseAuthentication no
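
A quick check that the step 4 settings are really the ones sshd will use, as an added example (not part of the original post). sshd keeps the first value it reads for each keyword, so a stock "PasswordAuthentication yes" higher up in the file wins over a "no" appended at the bottom. The function names and the sample config are made up for this example, and it only looks at the global section (everything before the first Match block).

```shell
#!/bin/sh
# Added example: audit an sshd_config for the step 4 values.
# Assumption: only the global section (before any Match block) is checked.

# effective_value FILE KEYWORD -> prints the first value set for KEYWORD
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                    # skip comments and blanks
        { sub(/[ \t]*=[ \t]*/, " "); key = tolower($1) }  # allow Keyword=value
        key == "match" { exit }                    # global section ends here
        key == want { print tolower($2); exit }    # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE -> returns 0 only if every step 4 value is in effect
audit_sshd_config() {
    rc=0
    for pair in passwordauthentication:no challengeresponseauthentication:no \
                permitrootlogin:prohibit-password strictmodes:yes; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(effective_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: effective='${got:-unset}' expected='$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the stock "yes" still sits above the appended "no".
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "password logins are still enabled"
rm -f "$sample"
```

Point it at /etc/ssh/sshd_config before restarting in step 5, and keep your current session open until a key-only login from a second terminal works. sudo sshd -T prints the full effective configuration if you want to compare.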

Step 5, restart everything
Either reboot the whole thing, or sudo service <ssh and x11vnc> restart

there ya are, it’s not perfect, but at least it’s not default!