While we hope this wiki and the sensorgnomads mailing list will be helpful in getting your SensorGnome
running, we sometimes recommend setting up your SG so that we can troubleshoot it remotely. While
connected this way, the SG continues its usual data acquisition if any antennas or microphones are connected.
Requirements
- bootable SG: the SG must at least be able to boot. If necessary, this can be done with the micro SD
imaging card installed.
- stable power: ideally an AC adapter, so that the SG can remain powered up for however
long it takes to troubleshoot.
- ethernet port: either a wall jack or a spare port on the back of a router. This port must be live, and must
not require a login in order to use it. To test this:
  - disable your computer's wireless adapter
  - connect your computer to the wired network
  - open a web browser at https://archived.sensorgnome.org
  - if you had to provide a login, or if you cannot get to sensorgnome.org,
    then this internet connection will not work for remotely troubleshooting an SG.
- outgoing port 59022 open: if an internet firewall is present, it must permit outgoing connections to port 59022 at
sensorgnome.org (131.162.131.200). This requirement is very weak - we have yet
to see an internet set-up where it was not already met.
- ethernet cable
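The port test and the outgoing-port requirement above can also be checked from a terminal on the computer plugged into the jack, by confirming that whatever answers on port 59022 identifies itself as an SSH server. This is an added example, not part of the SensorGnome software; the function names are illustrative, and it assumes bash and the coreutils `timeout` command are installed.

```shell
#!/bin/sh
# Added example: pre-flight check of the wired uplink an SG would use.
# Host and port are the ones given on this page; function names are illustrative.
SG_HOST="sensorgnome.org"
SG_PORT=59022

# Print the first line the remote end sends on host:port (nothing on failure).
# Uses bash's /dev/tcp pseudo-device, so the socket work runs in a bash child.
read_banner() {
    rb_host=$1; rb_port=$2; rb_secs=${3:-5}
    timeout "$rb_secs" bash -c '
        exec 3<>"/dev/tcp/$1/$2" || exit 1
        IFS= read -r -t "$3" line <&3 && printf "%s\n" "$line"
    ' _ "$rb_host" "$rb_port" "$rb_secs" 2>/dev/null | tr -d '\r'
}

# Classify that line. An SSH server opens with "SSH-<protoversion>-<software>"
# (RFC 4253, section 4.2); anything else means this is not a usable path.
classify_banner() {
    case $1 in
        SSH-2.0-*|SSH-1.99-*) echo ssh ;;        # reached an SSH server
        '')                   echo no-banner ;;  # refused, filtered, timed out,
                                                 # or a silent box took the connection
        *)                    echo not-ssh ;;    # a proxy, portal or other service replied
    esac
}

# Exit status 0 only when an SSH identification string came back.
check_sg_uplink() {
    cu_host=${1:-$SG_HOST}; cu_port=${2:-$SG_PORT}
    cu_verdict=$(classify_banner "$(read_banner "$cu_host" "$cu_port")")
    echo "$cu_host:$cu_port -> $cu_verdict"
    [ "$cu_verdict" = ssh ]
}

# Run the live check only when asked to: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    check_sg_uplink
fi
```

A `no-banner` or `not-ssh` result from the jack the SG will use means the SG's outgoing connection would fail there too.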
Set up
- power off the SG
- plug the ethernet cable into the port on the beaglebone and into the wall or router jack
- insert imaging card only if needed: if the SG does not reboot without the imaging micro SD card, insert this card.
- power on the SG (but do not hold down the boot button on the beaglebone circuit board)
- send us an email message at jbrzusto AT fastmail DOT fm informing us that you've set up
the SG for remote access. We're in the Atlantic timezone (GMT - 3 or 4, depending on DST).
How it works
- when first powered up with an ethernet connection (e.g. when built at compudata.ca), the
SG establishes an outgoing secure shell (SSH) connection to a dedicated SSH server at sensorgnome.org,
which listens on port 59022. Login proceeds with a public/private key pair that is part of the
SG software image.
- the SG registers itself and receives a new, unique pair of keys, then disconnects. It will use the new
keys for subsequent connections to our server.
- after approximately 5 minutes, the SG will re-establish an outgoing SSH connection to sensorgnome.org:59022,
this time using its unique keys
- the new connection maps a port on our server to the secure shell port (22) on the SG. This permits us to
log in to your SG and diagnose problems.
Is it secure?
- SSH is a standard method of establishing secure communications between computers over an untrusted network, and we use
the OpenSSH implementation found in the Debian Linux distribution. (The same implementation is used in Ubuntu Linux.)
- by default, the SG ssh server is locked down:
  - a user attached to the SG via USB cable can log in to that SG via password. But this user presumably has physical
    possession of the SG, and so can do whatever they want with it anyway (e.g. reboot with a custom SD card)
  - no incoming ssh connection is accepted from the ethernet connection
  - the SG web interface is available only from the USB connection, or from the ssh server itself
- the connection between the SG and our server can only be established from the SG; our server cannot initiate a connection (and would have
no idea where to look for your SG in any case)
- no incoming ports need to be opened on your internet firewall
- only sensorgnome.org administrators and their delegates are able to view and use the remote connection once it is established. This currently
consists of:
  - Phil Taylor and John Brzustowski at Acadia University
  - Stu Mackenzie at Bird Studies Canada (manager of motus-wts.org)
  - an employee of compudata.ca, who uses the web interface only for
    testing newly-built units.
- the remote connection disappears as soon as the SG is disconnected or powered off. There are no "doors left open".