Hardening your Pinebook Pro

e-minguez · 11-25-2019, 03:27 AM

I think one of the best improvements with regards security would be to deliver images with disk encryption enabled. The password can be a default one then force users to change it...

**Arwen** · 11-25-2019, 06:11 AM

@e-minguez, Lets make it clear to others, full disk encryption is "at rest". Meaning if an attacker / cracker gets in via network while the Pinebook Pro is booted, the full disk encryption does nothing to stop them from copying / damaging any file they can. (What I mean by any file they can, is if they got in as a normal user, they can only copy / damage files a normal user has access to.)

While I intend to use root OS encryption as well as swap encryption, normal hardening attempts to prevent remote access. Far more common loss of data compared to physical theft today.

Last, full disk encryption does not stop someone with physical access to the computer, (even if powered off), if they have the password. Or can guess it. (And in the case of hostile govenment agents, beat it out of the owner.)

**Arwen** · 12-07-2019, 02:56 PM

One other thing that probably should be done, is re-create the host SSH keys. SSH host keys should be unique per host. From what I can tell, the default Debian comes with host SSH keys already created from July 11, 2019;

Code:
# ls -l ssh_host_*

-rw------- 1 root root  668 Jul 11 16:55 ssh_host_dsa_key

-rw-r--r-- 1 root root  609 Jul 11 16:55 ssh_host_dsa_key.pub

-rw------- 1 root root  227 Jul 11 16:55 ssh_host_ecdsa_key

-rw-r--r-- 1 root root  181 Jul 11 16:55 ssh_host_ecdsa_key.pub

-rw------- 1 root root  411 Jul 11 16:55 ssh_host_ed25519_key

-rw-r--r-- 1 root root  101 Jul 11 16:55 ssh_host_ed25519_key.pub

-rw------- 1 root root 1675 Jul 11 16:55 ssh_host_rsa_key

-rw-r--r-- 1 root root  401 Jul 11 16:55 ssh_host_rsa_key.pub

Plus, remove the in-secure DSA host key.

Here is how to do it.
As user "root", simply run the following commands. If you like, you can put the hostname in the comment, like "MyHost rsa hostkey".

Code:
cd /etc/ssh

rm ssh_host_*

ssh-keygen -t 4096 -t rsa -C "rsa hostkey" -f ./ssh_host_rsa_key

ssh-keygen -t 521 -t ecdsa -C "ecdsa hostkey" -f ./ssh_host_ecdsa_key

ssh-keygen -t ed25519 -C "ed25519 hostkey" -f ./ssh_host_ed25519_key

Note that you will be asked for a passphrase. Per SSH manual page, host keys must have an empty passphrase. Simply hit return when prompted, (twice per key).

ElektromAn · 12-09-2019, 11:07 AM

Maybe there is a "bug" in the default debian image.
Normally host keys are generated at first boot with a clean image aka without *any* hostkeys.

Also please disable PAM in sshd.config, (I don't trust PAM modules)
after you have copied your pubkeys on your computer.

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	Upgrading Armbian from v24.2.1 gnome, breaks pinebook pro	Sb2024	0	144	11-10-2024, 02:50 PM Last Post: Sb2024
	Pinebook pro won't boot after bootloader installation	jwensouls	4	1,002	08-21-2024, 04:17 AM Last Post: KC9UDX
	[Pinebook Pro/Mobian/XFCE4] can fix touch or screen in greeter not both	SynthGal	0	413	05-31-2024, 09:42 AM Last Post: SynthGal
	Debian on Pinebook Pro	u974615	7	2,934	03-31-2024, 10:11 AM Last Post: u974615
	Pinebook Pro upgrading from the factory image	yamsoup	12	4,258	02-22-2024, 04:02 PM Last Post: tllim
	Help installing Manjaro on eMMC of Pinebook Pro	pine4546464	4	3,282	12-13-2023, 07:22 PM Last Post: trillobite
	Need Help Recovering Manjaro /boot Contents on Pinebook Pro	calinb	6	3,559	12-11-2023, 03:47 AM Last Post: calinb
	Gentoo on Pinebook Pro RELEASE	jannik2099	54	104,308	12-08-2023, 11:25 PM Last Post: tllim
	Boot Order in Pinebook Pro	food	8	2,730	11-23-2023, 07:37 AM Last Post: KC9UDX
	PineBook Pro seems to go to deep sleep, but doesn't wake up	pogo	11	7,513	08-31-2023, 04:20 PM Last Post: TRS-80

Login




Remember me Lost Password?

About Us