From 9e991b3c26f422370108bd11c66b11b1ebd17d76 Mon Sep 17 00:00:00 2001 From: jebba Date: Fri, 4 Feb 2022 17:35:59 -0700 Subject: [PATCH] generate and use new ssh keys --- README.md | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/README.md b/README.md index ff84b9d..39d4ea4 100644 --- a/README.md +++ b/README.md 
@@ -134,6 +134,53 @@ total 32 -rw-r--r-- 1 root root 563 Feb 4 23:52 ssh_host_rsa_key.pub ``` +Do the install with the `https://openpilot.comma.ai` URL. Make sure +you have an active SSH connection to the device before doing the install, +or you will lose SSH access. If you do an install and reboot, you lose +SSH access. + + +Note, after OpenPilot is installed, the `/data/params/d/GithubSshKeys` +file is gone. This file needs to be recreated before closing any SSH +sessions, or you will lose access to the device and have to start over. +Instead of using the SHARED ROOT SSH KEY used by the Comma Three, use +a unique SSH key. On the laptop: + + +``` +user@laptop:~$ ssh-keygen -t ed25519 +Generating public/private ed25519 key pair. +Enter file in which to save the key (/home/user/.ssh/id_ed25519): /home/user/.ssh/id_ed25519-comma +Enter passphrase (empty for no passphrase): +Enter same passphrase again: +Your identification has been saved in /home/user/.ssh/id_ed25519-comma +Your public key has been saved in /home/user/.ssh/id_ed25519-comma.pub +The key fingerprint is: +SHA256:IGVxoSP4EGlmBK4gpCTn8oBlMkoVCN1ENWlfx+RK83c user@laptop +The key's randomart image is: ++--[ED25519 256]--+ +|BBOB+.*oo. o. | +|XO*o.oo+ ..o | +|O=+ o.+. .o.. | +|++ o o o.. + | +|. . . S . . . E| +| . . | +| | +| | +| | ++----[SHA256]-----+ + +user@laptop:~$ cat ~/.ssh/id_ed25519-comma.pub +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOmI1V0P6dSatrpAgkS9rfmkM1Z1ncAVpHJlLlKrgnTw user@laptop +``` + +Then take that pubkey created above, and recreate the +`/data/params/d/GithubSshKeys` file on the device: + +``` +from="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOmI1V0P6dSatrpAgkS9rfmkM1Z1ncAVpHJlLlKrgnTw user@laptop +``` + Another way to do this would be to hijack DNS on your own wifi to intercept the Comma Three's connection to github, then redirect the connection to
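Review bot: The new `GithubSshKeys` instructions warn twice that closing the last SSH session before the file is recreated means starting over, but they never tell the reader to confirm the replacement key actually works before that session is closed; add a step after the `from=...` block along the lines of "from a second terminal, `ssh -i ~/.ssh/id_ed25519-comma` to the device and only then close the original session", so a typo in the recreated file (wrong key type, a stray line break inside the base64 blob, an address range that does not match the laptop's network) is caught while recovery is still one command away. Two smaller points in the same hunk: the literal `ssh-ed25519 AAAAC3Nza...` key, fingerprint and randomart are one person's real key material and will be copied verbatim by readers, so replace them with an obvious placeholder such as `ssh-ed25519 <your-public-key> user@laptop`; and there are doubled blank lines (`+` `+` `+`) before "Note, after OpenPilot" and before the first code fence, which should be collapsed to one to match the rest of the README.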