MJ Blog

Just a little blog about my Raspberry Pi experiences

Making SSH Available in Environments With Http(s)-proxies

If you are in networks with internet access only through proxies, you should try tunneling SSH through SSL. Stunnel is made for this purpose.

So let us install Stunnel4:

sudo apt-get install stunnel
mkdir -p /var/run/stunnel4
sudo chown stunnel4:stunnel4 /var/run/stunnel4
vi /etc/stunnel/stunnel.conf

Configuring the server

Change its config to:

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

client=no
cert=/etc/stunnel/stunnel.pem
debug=3
sslVersion = all
output=/var/log/stunnel4/stunnel.log
[sslssh]
accept=192.168.2.42:10443
connect=localhost:22

Do not forget to change the IP address in the “accept=” line

This allows connecting to port 10443 with SSL and redirects traffic from and to port 22 (SSH). You could also enter any other host and port as target which is reachable from the stunnel host. I assume you are able to configure the port forwarding in your router yourself

Create the certificate and convert it for use with stunnel:

openssl req -new -x509 -keyout st-key.pem -out st-csr.pem -days 1000 -nodes
sudo "echo | cat st-csr.pem - st-key.pem > /etc/stunnel/stunnel.pem"

Configuring the client

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

client=yes
cert=/etc/stunnel/stunnel.pem
debug=3
sslVersion = all
output=/var/log/stunnel4/stunnel.log
[ssh]
accept = localhost:10443
connect = PROXY_IP:80
protocol = connect
protocolHost = REMOTE_IP:443

You have to enter the correct IP addresses again. I suggest using no-ip.com or any other DynDNS provider if REMOTE_IP ist dynamic.

Starting the services

If everything is configured, use

sudo /etc/init.d/stunnel4 start

After successful configuration you are able to connect to the remote SSH machine with

ssh localhost:10443

Having trouble?

If the connection fails it is possible, that your firewall or proxy blocks SSL-requests without User-Agent Header set. I am using proxytunnel on the client side to circumvent this “feature”:

sudo apt-get install proxytunnel

Change your ~/.ssh/config

Host REMOTE_NAME 
        ProxyCommand proxytunnel -q -e -p PROXY_IP:80 -d REMOTE_IP:10443 -H "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:10.0.1) Gecko/20100101 Firefox/10.0.1\n"
        ProtocolKeepAlives 30
        User pi

To connect the remote system:

ssh REMOTE_NAME

Simple? :)

Further Configuration

The next day was only for configuration and bugfixes. I installed rpi-update to update my firmware and address issues with the network interface. It stopped responding at medium to heavy load at random times. According to posts in the Pi forums there seems to be an issue with the NIC if there are USB devices plugged in external hubs. But I didn’t have any of those hubs attached so it had to be a similar problem. Luckily, I am a flash-oholic and push new firmware to my mobile devices (HTC Desire HD and Asus Transformer TF101) as soon as possible. So it was no problem for me to update the kernel and start.elf files with the script from Hexxehs repository. It worked at the first try with a little error, which could be ignored:

"/opt/vc/sbin/vcfiled: error while loading shared libraries: libvchiq_arm.so: cannot open shared object file: No such file or directory"

After the reboot my network stayed online until now. But when I am downloading some data from the internet I still have a huge amount of errors in my kernel messages.

smsc95xx 1-1.1:1.0: eth0: kevent 2 may have been dropped

I have really no idea how to fix it, so i will wait for future updates.

Another problem with the Pi is its limited amount of RAM. It has 256 MB on board, but the default configuration uses 64 MB for the GPU, that gives applications and the system only 192 MB of RAM. I thought my networking problems could be caused by a lack of memory but they did not. To get more free space, I tried to use a bigger SD card. My Sandisk Extreme Video HD 4GB did not work. The system didn’t boot and threw no errors on the screen. So I ordered a new Transcend Extreme-Speed SDHC 16GB Class 10 which was confirmed as working in the wiki. I transferred my old SD card contents to the new one with dd.

The first boot with the new card was very fast. But there was more work to do. As it still was sized like the original image, the root partition was only 1.6 GB and wasted 14 GB of space. I had trouble resizing the partitions with the many tutorials. At last I used my own way to change the root partitions size. I cannot repeat every single step I took, but I have some tips for you: Partition as you like BUT:

  • DO NOT remove the first partition
  • DO NOT change the start of the second partition
  • you CAN remove the swap partition as it is disabled
  • DO NOT forget to run sudo resize2fs /dev/mmcblk0p1 after the reboot

Follow the tips unless you know what you do.

After some filesystem checks I was able to use all of the space. I made a swap file and turn it on manually. I know this will damage my SD card over the time, but for now I am ok with it. I wnat to used two python applications which will used a more-than-usual amount of RAM.

sudo dd if=/dev/zero of=/var/swapfile count=128 bs=1M
sudo mkswap /var/swapfile
sudo swapon /var/swapfile

Perhaps this is bad style or there are easier ways but it worked. Typical output from top after 2 days uptime:

Mem:    190536k total,   179516k used,    11020k free,    17764k buffers
Swap:   131068k total,    10052k used,   121016k free,    57304k cached

Starting Up

After taking a Photo from my RPi, I took my first steps. I downloaded the Debian Squeeze Image and deployed it to my tiny 2GB card.

sudo dd if=/tmp/debian6-19-04-2012.img of=/dev/mmcblk0 bs=1M

Quite easy! So I inserted the card into the RPi, connected the Pi via Ethernet to my notebook, took my old Nokia Micro-USB Charger supplying 1200 mA and powered it the first time. But that would have been to simple. I could neither connect via the hostname “raspberrypi” nor via any IP address. I did not put the Pi into my existing Network and did not like to configure any additional DHCP services. Only solution was (I thought!) to plug an USB keyboard and try to configure the network interface blindly. I could not attach any monitors because my TV in another room is the only device with HDMI inputs :(

With the network correctly configured, my ping requests were finally answered by the Pi. But I still couldn’t connect via SSH. The almighty google search revealed that SSH is disabled on Raspberry Pi Debian images. Still typing blindly I tried

sudo service ssh start

and it worked!

The next step was to configure the network in /etc/network/interfaces to a fixed IP:

auto eth0
allow-hotplug eth0
iface eth0 inet static
    address 192.168.2.42
    netmask 255.255.255.0
    gateway 192.168.2.1

and to enable SSH at boot:

mv /boot/boot_enable_ssh.rc /boot/boot.rc

Tried to reboot and after a minute I could login via SSH. You should definitely change the default password to something more secure with

passwd

With SSH working I felt quite happy and plugged it in my switch in the other room. I also wanted to have the console on my TV and used an HDMI cable. After the bootup I issued

startx

to look at the LXDE interface. It was started in a few seconds, but I did not use it a lot. The browser worked, but was slow as hell. And with no mouse attached it was no fun. I wasted some hours with configuring and testing x11vnc and vlc. I mounted a network share with a test movie in it and tried to play it. It made me sad. Very sad. Neither the 480p xvid nor any 720p mkv played smoothly. The opposite happened. It was like a slideshow with one frame per second. I was unwilling to search for another lightweight video player and it was not my primary use case to make my Raspberry Pi a media station. This was the point I decided to remove all graphical components after the updates. At a later time I will try it again with Raspbmc when it reaches a stable state.

df -h

I had only 30 MB of space after the necessary updates:

sudo apt-get update
sudo apt-get upgrade

There were 42 updates to install but my RPi died on downloading the packages without any errors. It just froze completely. After the reboot downloading and installing the packages was successful.

sudo apt-get remove lxde

The removal took some minutes because of the dependencies also being removed. Afterwards I had almost 200 Megs of free space. This was day 1 of playing with the Raspberry Pi.

Ordering the Pi

On February 29th 2012 early in the German morning, the Raspberry Pi killed both websites taking orders. I was able to register at rs-online.com and express my demand in the Pi. In the mid of May I got an invitation to the exclusive Raspberry Pi shop at RS. Delivery was announced to start on June 7th or later. But: Surprise! On May 31st my Pi was on its way from Birmingham and 25 hours later I had it in my hands. I was happy but it started to get painful. More later…