From 2631c8be2147e01ece075b93b8c432d8e2d2104f Mon Sep 17 00:00:00 2001 From: A Holt Date: Fri, 16 Oct 2020 20:32:08 -0400 Subject: [PATCH] Update iiab-admin/README.rst --- roles/iiab-admin/README.rst | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/roles/iiab-admin/README.rst b/roles/iiab-admin/README.rst index c905af11f..e41278633 100644 --- a/roles/iiab-admin/README.rst +++ b/roles/iiab-admin/README.rst 
@@ -26,18 +26,18 @@ Configure user 'iiab-admin' * *Do change the default password if you haven't yet, by running:* **sudo passwd iiab-admin** * After IIAB is installed, you can also change the password by logging into Admin Console (http://box.lan/admin) > Utilities > Change Password. * If you prefer to use a pre-existing user like ``pi`` or ``ubuntu`` (or any other username) customize the variable ``iiab_admin_user`` in your `/etc/iiab/local_vars.yml `_ (preferably do this prior to installing IIAB!) - * You can set ``iiab_admin_can_sudo: False`` if you want a strict security lockdown (if you're really sure you won't need IIAB community support commands like `/usr/bin/iiab-diagnostics `_, `/usr/bin/iiab-hotspot-on `_, `iiab-check-firmware `_, etc!) + * You can set ``iiab_admin_can_sudo: False`` if you want a strict security lockdown (if you're really sure you won't need IIAB community support commands like `/usr/bin/iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_, `/usr/bin/iiab-hotspot-on <../network/templates/network/iiab-hotspot-on>`_, `iiab-check-firmware <../firmware/templates/iiab-check-firmware>`_, etc!) * You can also set ``iiab_admin_user_install: False`` if you're sure you know how to do all this `account and sudo configuration `_ manually. Security -------- * A user MUST be a member of at least one of these 2 Linux groups, in order to log in to IIAB's Admin Console: (http://box.lan/admin) - #. ``iiab-admin`` (specified by ``admin_console_group`` near the bottom of `/opt/iiab/iiab-admin-console/vars/default_vars.yml `_) + #. ``iiab-admin`` (specified by ``admin_console_group`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_ and `/opt/iiab/iiab-admin-console/vars/default_vars.yml `_) #. 
``sudo`` * Please read much more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md -* If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml `_ to faciliate remote community support. Feel free to remove this as mentioned here: http://wiki.laptop.org/go/IIAB/Security -* Auto-checking for the default/published password (as specified by ``iiab_admin_published_pwd`` in `/opt/iiab/iiab/vars/default_vars.yml `_) is implemented in `/etc/profile.d `_ (and `/etc/xdg/lxsession/LXDE-pi `_ when it exists, i.e. on Raspberry Pi OS with desktop). +* If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml <../openvpn/tasks/install.yml>`_ to faciliate remote community support. Feel free to remove this as mentioned here: http://wiki.laptop.org/go/IIAB/Security +* Auto-checking for the default/published password (as specified by ``iiab_admin_published_pwd`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_) is implemented in `/etc/profile.d `_ (and `/etc/xdg/lxsession/LXDE-pi `_ when it exists, i.e. on Raspberry Pi OS with desktop). Example ======= 
@@ -53,19 +53,19 @@ Historical Notes * We no longer support setting your password using a hash e.g. ``python -c 'import crypt; print crypt.crypt("", "$6$<salt>")'`` (or the Python 3 equivalent, ``python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'``) as these are very cumbersome — and worse, exposing your "salt" opens up your password to `possible attack <https://stackoverflow.com/questions/6776050/how-long-to-brute-force-a-salted-sha-512-hash-salt-provided>`_. [October 2020] * The sudo flag ``NOPASSWORD:`` and the ``wheel`` group are similarly no longer recommended, so that your IIAB faces fewer security risks. [October 2020] -Tools to facilitate Remote Support ----------------------------------- +Remote Support Tools +-------------------- -The iiab-diagnostics and OpenVPN options mentioned can greatly help you help your community, typically during the implementation phase of your project, even if Linux is new to you. +The `iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_ and `OpenVPN <https://en.wikipedia.org/wiki/OpenVPN>`_ options mentioned above can greatly help you empower your community, typically during the implementation phase of your project, even if Linux is new to you. -Similarly, `/opt/iiab/iiab/roles/iiab-admin/tasks/access.yml <tasks/access.yml>`_ adds a couple text mode tools, very helpful at a distance with expensive / low-bandwidth connections: +Similarly, `access.yml <tasks/access.yml>`_ adds a couple text mode tools — extremely helpful over expensive / low-bandwidth connections: * `lynx <https://en.wikipedia.org/wiki/Lynx_(web_browser)>`_ * `screen <https://linuxize.com/post/how-to-use-linux-screen/>`_ -*More great tools to help you jumpstart community work at a distance:* +*More great tools to help you jumpstart community action at a distance:* -http://FAQ.IIAB.IO > "How can I remotely manage my Internet-in-a-Box?" +* http://FAQ.IIAB.IO > "How can I remotely manage my Internet-in-a-Box?" 
Admin Console -------------
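Review bot: In the first hunk's Security list, the rewritten ``iiab-admin`` item says ``admin_console_group`` is set in both /opt/iiab/iiab/vars/default_vars.yml and /opt/iiab/iiab-admin-console/vars/default_vars.yml, but it does not say which value applies if the two differ. Since membership in this group gates Admin Console login, name the authoritative file or state that the two must match. The re-added OpenVPN bullet in the same hunk still has the typo "faciliate"; as the line is being touched anyway, change it to "facilitate" here.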
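Review bot: In the second hunk, the new "Remote Support Tools" paragraph links OpenVPN only to its Wikipedia article, so a reader who enables it for remote support is not pointed back to the Security bullet saying that ``/root/.ssh/authorized_keys`` is installed by roles/openvpn/tasks/install.yml and can be removed. Suggest adding a reference to that Security item next to the OpenVPN link. Shortening the link text from /opt/iiab/iiab/roles/iiab-admin/tasks/access.yml to access.yml also drops the on-disk location, which helped someone reading the file on an installed box. Finally, the unchanged Historical Notes line in this hunk's context writes the sudo flag as ``NOPASSWORD:``; the sudoers tag is ``NOPASSWD:``, which is worth correcting in the same README update.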