elliot.trance2
Occasional Visitor
TAGS: ss4200, intel, serial, console, freebsd
BETA-Phase
OK: I have tested the semi auto install [post=150305]read this[/post].
It works.
However, I'm not totally happy with the result, as I forgot to integrate altering /etc/ttys within my stage2.sh script.
Constructive criticism is appreciated; if you find errors or you dislike certain methods, just spit it out, I will not bite, other than that I will thank you. (Except if somebody mixes up rudeness and ranting with criticism.)
Table of Contents:
A.) [post=150279]Install FreeBSD 10.0-RELEASE headless (+ encrypted root optional!)[/post]
B.) [post=150299]prepare a usb thumbdrive (usb stick) with scripts for semi automatic & headless installation[/post]
C.) [post=150300]configure ss4200 & putty to get along[/post]
D.) [post=150301]configure ss4200 to boot from usb-stick[/post]
E.) [post=150305]Using Scripts from Part.C to do Part.A in the blink of an eye (SEMI AUTOMATIC)[/post]
Prerequisites:
- ss4200 is equipped with an RS-232 port and a 9-pin D-sub female connector is attached to it, with all data lines connected according to the RS-232 standard
- same goes for the PC side (on the PC only a USB-to-serial adapter is allowed)
The steps necessary to install those interfaces can be found at (2).
This guide assumes that you have the barebone version of the ss4200 without a D.O.M. or compact flash card with an OS built into the system, see Hint01.
I assume that there is a SATA hard drive connected to the lowest port number (the cables are labeled).
This will also work with other remote-access-enabled systems. But the ss4200 seems to be a bit more of a challenge, as without a PCIe flex cable and a PCIe x1 graphics card it's hard to figure out what's really going on.
Warning:
The scripts and actions will erase all data on the drive "/dev/ada0". Remove all other drives from the system for the installation. Make sure that all data is saved from the drive you intend to install FreeBSD (not FreeNAS) on according to these steps.
SCOPE:
The following step-by-step guide will confront the reader with the commands necessary to install FreeBSD from a USB stick into an encrypted root and to utilize an encrypted swap partition (defunct at the moment). The file system used is UFS2 with soft updates (see Hint04).
Every step is marked with the chapter number and the sub-step as a letter, e.g. "5.h)" means the 8th sub-step of chapter 5.
If you have corrections or want to discuss certain steps please refer to these marks.
Those commands are also available in the form of two scripts, "stage1.sh" & "stage2.sh", and so are the pre-written config files. It should be possible for a "normal" user to get FreeBSD up and running on an ss4200 using this plug & play manual. I heard from friends in real life that they bought the ss4200 barebone and gave up. Nowadays the ss4200 is a cheap-to-buy and cheap-to-extend NAS; the only problem is finding a way to install a proper OS on the machine.
The terminal emulator in use is PuTTY on Windows.
After the system is installed you will have a bare-minimum OS at hand with a running SSH server and an account that can log into the SSH server and "su" to "root". You will also be able to connect to the system using an RS-232 null modem (crossover) cable. Using RS-232 you will be able to log in directly as "root". You then need to configure FreeBSD to act the way you want it (e.g. file server, mail server etc.); this is not covered by this guide, nor will I provide information on that topic.
What's included what's missing(crypt):
[+] with gpart/gpt
[+] with pass phrase only
[+] with AES-128-XTS
[-] NO HMAC!! .. no data authentication (drawback: will not prevent data tampering), I had performance issues using an HMAC algorithm
[-] without gpart labels
[-] without an additional random encryption key (that would have been stored on your unencrypted /boot anyway)
[-] Your boot loader and kernel will be vulnerable to airport-customs/hotel/evil maid attacks
[-] The effort for infecting a system is lower than with TrueCrypt, as in addition to the boot loader the kernel can be rewritten without you knowing (*)
* I view hacking an open source kernel as easier than tinkering all the malicious code into a boot loader
What's included what's missing(serial):
[+] all commands written down into a script
[+] scripts for semi auto install
[-] no auto encrypt install / I think something like that exists for a ZFS/encrypted root setup
This was "compiled" from the following sources, which actually didn't work that well without the "compiling", so thanks go to:
http://namor.userpage.fu-berlin.de/howto_fbsd9_encrypted_ufs.html
https://www.dan.me.uk/blog/2012/01/22/using-a-swap-file-instead-of-swap-partition-in-freebsd-8-x9-x/
https://www.dan.me.uk/blog/2012/05/05/full-disk-encryption-in-freebsd-9-x-well-almost/
Tested on:
OS-Type : FreeBSD/amd64
OS-Version : 10.0-Release
Word of caution: the behaviour of FreeBSD differs between 8.X, 9.1, 9.2, 9.3 and 10.0; certain ways will work for a specific version and some won't when you are using the unaltered .img.
The best way to succeed is to alter the img file by hand (also covered).
Hints:
Hint01: The IDE interface on ss4200 does not support UDMA modes, a fast ATA/IDE hard drive will be very slow, use a sata drive to boot from.
Hint02: Whenever posting dmesg output make sure you remove information about the "Serial Number"(s), as those uniquely identify your USB stick or even you.
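As an added example (not part of the original post), a small Python script that strips the serial-number values from dmesg output before it is pasted into a forum. The sample lines are constructed to look like FreeBSD's CAM probe messages and are not real output; the regular expression assumes the serial shows up as "Serial Number <value>", which is how the da/ada lines above are shaped.

```python
import re

# Constructed sample in the style of FreeBSD's CAM probe messages; not real
# output, and the serial numbers are made up.
SAMPLE_DMESG = """\
ugen0.2: <SanDisk Cruzer Blade> at usbus0
da0 at umass-sim0 bus 0 scbus6 target 0 lun 0
da0: <SanDisk Cruzer Blade 1.00> Removable Direct Access SCSI device
da0: Serial Number 4C530001230512345678
da0: 40.000MB/s transfers
ada0: <WDC WD10EFRX-68FYTN0 82.00A82> ATA8-ACS SATA 3.x device
ada0: Serial Number WD-WCC4E1234567
ada0: 300.000MB/s transfers (SATA 2.x, UDMA6, PIO 8192bytes)
"""

# "Serial Number" followed by the value: keep the label, drop the value.
SERIAL_RE = re.compile(r"(Serial Number)\s+(\S+)", re.IGNORECASE)


def find_serials(text):
    """Return the serial values that would be removed, for review before posting."""
    return [m.group(2) for m in SERIAL_RE.finditer(text)]


def redact_serials(text, placeholder="<redacted>"):
    """Return the text with every serial value replaced by a placeholder."""
    return SERIAL_RE.sub(lambda m: f"{m.group(1)} {placeholder}", text)


if __name__ == "__main__":
    # Redacts the built-in sample; feed your own saved dmesg text the same way.
    print("would remove:", find_serials(SAMPLE_DMESG))
    print(redact_serials(SAMPLE_DMESG))
```

Run `find_serials` first to see what is about to be cut, then post only the output of `redact_serials`; line structure is preserved, so the rest of the dmesg stays readable for whoever is helping you.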
Hint03: Whenever downloading WinSCP or Filezilla from Sourceforge, download the portable package and not the installer. The Filezilla installer contained/contains adware (5).
I checked the current one, no adware was detected anymore; however, putting adware into an installer of open source software is fishy, don't take chances. (Yes, you can untick five options to prevent this, but if you fail at one .. you have fun.)
Hint04: ZFS on the ss4200 with 1 or 2 GB RAM and an upgraded CPU will be very slow, and UFS does everything I want.
Hint05: How to boot the ss4200 from a USB stick: the USB stick will be enumerated under "Hard Disk Drives"; there you need to put your USB stick in first place, as on the ss4200 the USB stick is not seen as a "removable device". You need to repeat that procedure each time you disconnect the USB stick.
Hint06: AES-128 vs 256 - I chose 128-bit AES because of performance considerations on the ss4200 and due to the essay by Bruce Schneier (6) detailing AES-256 weaknesses. Also, the first point of attack on current crypto systems is the key derivation function PBKDF2 (7, 8).
Warning: At the moment I'm not really sure if leaving out the random key component results in removing the salt from the PBKDF2, which would make it possible to pre-generate keys. I will look into that matter and correct the guide or state the facts I found out.
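The warning above is about whether the key derivation still gets a salt. As an added illustration that is not from the original post (and says nothing about geli's internals), the following Python snippet shows the property at stake with plain PBKDF2-HMAC-SHA256: with a fixed or empty salt, the same passphrase yields the same key on every device, so one table of candidate passphrases computed once matches all of them; with a per-device random salt the table built for one device says nothing about another. The wordlist, the iteration count and the 16-byte (AES-128) key length are constructed values for the demonstration.

```python
import hashlib
import os

ITERATIONS = 50_000   # constructed value for the demo; not geli's setting
KEY_LEN = 16          # 16 bytes = AES-128 key, matching the AES-128-XTS choice above


def derive_key(passphrase, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256: the slow step that turns a passphrase into a key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, KEY_LEN)


def precompute_table(candidates, salt):
    """Map derived key -> passphrase for ONE salt value; the cost is paid once per salt."""
    return {derive_key(p, salt): p for p in candidates}


def demo():
    candidates = ["password", "letmein", "hunter2", "correct horse"]  # constructed wordlist

    # No per-device salt (here: empty). Every device derives the same key from
    # the same passphrase, so a table built once is reusable against all of them.
    no_salt = b""
    shared_table = precompute_table(candidates, no_salt)
    key_dev1 = derive_key("hunter2", no_salt)
    key_dev2 = derive_key("hunter2", no_salt)

    # Random salt per device. Identical passphrases give different keys, and a
    # table built for device 1's salt cannot be reused against device 2.
    salt1, salt2 = os.urandom(16), os.urandom(16)
    table_dev1 = precompute_table(candidates, salt1)
    skey_dev1 = derive_key("hunter2", salt1)
    skey_dev2 = derive_key("hunter2", salt2)

    return {
        "unsalted_keys_equal": key_dev1 == key_dev2,
        "unsalted_table_hit": shared_table.get(key_dev2),
        "salted_keys_equal": skey_dev1 == skey_dev2,
        "salted_table_hit_own_device": table_dev1.get(skey_dev1),
        "salted_table_hit_other_device": table_dev1.get(skey_dev2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt does not make a weak passphrase strong; what it does is force the precomputation to be redone per device, which is the property the warning above is worried about losing. The thing to confirm on a real provider is therefore whether a random salt is stored alongside the encrypted metadata regardless of whether a key file is used.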
Disclaimer:
You are responsible for your own actions and errors and bear all consequences. Even careful testing of the method statement will not prevent all errors. Use at your own risk.
Acronyms & special terms
"su" - "substitute user identity" - command to change the user and gain its rights FreeBSD/man su(1)
"root" - "root user" - the root user can do everything on the system, but will be prohibited from directly logging in using ssh or an insecure shell Wikipedia/Superuser
"ssh" - Secure SHell - a method to connect to a shell on a system over a network using cryptographically secured communication Wikipedia/SSH
"RS-232" - standardized serial interface Wikipedia/RS-232
"putty/PuTTY" - is a client for ssh Wikipedia/PuTTY
"HMAC" - Hash-based message authentication code - Wikipedia/HMAC
"vi(m)" - simple small text editor included within the basic FreeBSD distribution - Wikipedia/vi
Hashes
sha1 fingerprint of the unaltered img file:
Code:
SHA1 (FreeBSD-10.0-RELEASE-amd64-memstick.img) = abf120c10f51372f7d5aabb04cf5cbaef5dbbabf
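As an added example (not part of the original post), a Python checker that parses the BSD-style `SHA1 (file) = digest` line above, hashes the downloaded image in chunks and reports whether it matches before the image is written to the USB stick with Win32DiskImager (3). The image path is an assumption (pass your own); the only value taken from the post is the published fingerprint.

```python
import hashlib
import hmac
import re
import sys

# Fingerprint as published above, in the format FreeBSD's sha1(1) prints.
PUBLISHED = ("SHA1 (FreeBSD-10.0-RELEASE-amd64-memstick.img) = "
             "abf120c10f51372f7d5aabb04cf5cbaef5dbbabf")

# "SHA1 (<file name>) = <40 hex digits>"
LINE_RE = re.compile(r"^SHA1 \((?P<name>.+)\) = (?P<digest>[0-9a-fA-F]{40})$")


def parse_bsd_sha1_line(line):
    """Split a BSD-style SHA1 line into (file name, lowercase hex digest)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a BSD-style SHA1 line: {line!r}")
    return m.group("name"), m.group("digest").lower()


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash a (possibly large) image file in 1 MiB chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, published_line):
    """Return (matches, published file name, actual digest)."""
    name, expected = parse_bsd_sha1_line(published_line)
    actual = sha1_of_file(path)
    return hmac.compare_digest(actual, expected), name, actual


if __name__ == "__main__":
    # Usage: python verify_img.py <path to the downloaded .img>  (path is yours)
    image_path = sys.argv[1] if len(sys.argv) > 1 else "FreeBSD-10.0-RELEASE-amd64-memstick.img"
    ok, name, actual = verify_image(image_path, PUBLISHED)
    print(f"{name}: {'OK' if ok else 'MISMATCH'} ({actual})")
    sys.exit(0 if ok else 1)
```

Write the stick only on a non-zero-free exit, i.e. when the script prints OK; a mismatch after a complete download means the file is not the one the fingerprint was taken from, whatever the reason.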
Links
(1) https://www.freebsd.org/doc/handbook/mirrors-ftp.html
(2) http://ss4200.pbworks.com/w/page/5122741/Console Access via RS232
(3) http://sourceforge.net/projects/win32diskimager/
(4) WinSCP
(5) SF/Filezilla/Reviews
(6) Bruce Schneier/AES weakness
(7) Wikipedia/PBKDF2
(8) Open Crypto Audit Project TrueCrypt
0.) Before continuing
Before you continue with part A.) please make sure that you have PuTTY up and running and that you see the BIOS POST messages from your ss4200 in your terminal window. If you don't have that level of control, please read part D.) on how to gain it. You will also need to make sure that the BIOS boots from the USB stick first; if it doesn't, follow part E.)