Imagine you could write an application in a language of your choice, deploy it to a Raspberry Pi or a similar device, and have that application securely accessible from anywhere, with almost nothing special to do to make it happen.
Beame-gatekeeper allows exactly that. You will be able to access this application using either a mobile device alone or a combination of a mobile device and a browser.
Please watch this short demo, which demonstrates the value of the Raspberry Pi.
To summarize:
a. You will be able to access an HTTP-compatible application on your Raspberry Pi directly from the iOS app
b. You will be able to access it from a browser, using your phone as a credential carrier.
1. To enable the SSH daemon
sudo systemctl enable ssh && sudo service ssh start
2. It's always good to start any Raspberry Pi with a system update & upgrade
sudo apt-get update && sudo apt-get upgrade
3. Install NodeJs and NPM
curl -sL https://deb.nodesource.com/setup_6.x | sudo bash -
sudo apt-get install nodejs git
npm install beame-gatekeeper -g --unsafe-perm
4. Install mobile app
To start on a Raspberry Pi, you have to enable sshd; to accomplish this you can use the raspi-config utility, or you can just
Beame-gatekeeper solves these problems for you:
- (a) secure and encrypted access to devices using standard SSL.
- (b) issuing certs to user's mobile devices
- (c) verification of proof of possession of the mobile based credentials
There is a lot to understand about how it all works. In this tutorial I will try to stay practical and show a few real-life use cases that you can use right now to accomplish truly amazing things with much less work than you anticipate.
In this tutorial we will focus on remote access, but it can do much more.
How does it work from a user experience standpoint?
So how does it all work? First, from a user perspective:
- (a) Open https://mobile.beameio.net on your iOS device and install the mobile app.
- (b) Go to https://login.beameio.net, choose to try a demo, from text on the left pane, and feed it some unique data (be creative).
- (c) Scan the QR code that appears with the beame-authenticator app.
- (d) Once you've seen the green shield, you are ready to try your first real Beame login. Just go back to https://login.beameio.net and scan it (or let your mobile listen to it, if your speaker is open).
How does it happen from auth standpoint?
How does it work from a security standpoint?
All of Beame tech relies on the use of publicly trusted SSL certs and a global farm of transparent reverse proxies. These proxies cannot open the traffic, as they don't have the keys.
Using a Beame credential, we will authorize your additional credentials (it happens automatically in the gatekeeper installation process), without actually knowing who you really are. Then your new-born gatekeeper, with its freshly received certificates, will be able to authorize your mobile devices.
End effect: you don't need to develop your own mobile app or a clever proxy to put together an accessible use case.
- 1) Raspberry Pi or equivalent Linux distro. Gatekeeper uses openssl, git (to install), and mysql. Commands in this tutorial are provided with apt-get, but similar can be done on a Mac as well as on a Windows machine (detailed system requirements are in the Beame git READMEs).
- 2) iOS device (iPhone, iPad, iPod) with an available data plan.
- 3) Some kind of application to set up access to: (a) in this tutorial we will set up a terminal to the Raspberry Pi itself.
Warning! The build on the Pi takes time. For some reason sqlite doesn't provide arm binaries, but no fear, npm should build it correctly.
Get into terminal on your Pi:
This may take some time. -(;
The way we will install this now will set up a new user on the device and install gatekeeper underneath that user.
If you have beame-insta-ssl (find how to get it in earlier Beame Hackster projects), then it will use your existing beame-root credential,
Several Options:
Install Beame-Gatekeeper as system service
Ensure that you are logged in as root (admin)
1. Go to registration page.
2. Grab the token from the email. In the email it will say: beame-gatekeeper creds getCreds --regToken 'TOKEN IN BASE64'. Use just the base64 string to set up your new gatekeeper as a system service.
sudo beame-gatekeeper-install-systemd 'TOKEN FROM EMAIL'
Or, to install it as a regular application, run the following command in a shell and proceed with the instructions from its output:
beame-gatekeeper creds getCreds --regToken 'TOKEN FROM EMAIL'
Now let's set up a new application behind your new Gatekeeper to make it useful. We will set up a Wetty terminal emulator, which allows connecting to your machine with terminal functionality from your regular web browser.
The following bash script creates a user called "wetty" and installs Wetty as a system service under that user.
#!/bin/bash
# Run as root: creates the wetty user, its SSH key and a systemd service.
set -eu
# Defaults; override any of them from the environment.
: "${WETTY_PORT:=65530}"
: "${WETTY_USER:=wetty}"
: "${WETTY_GROUP:=wetty}"
: "${WETTY_SERVICE:=wetty}"
: "${WETTY_SSH_USER:=wetty}"
GROUP=$WETTY_GROUP
USER=$WETTY_USER
echo "+ Group $GROUP"
getent group "$GROUP" || addgroup "$GROUP"
echo "+ User $USER"
getent passwd "$USER" || adduser --ingroup "$GROUP" --disabled-password --shell /bin/bash "$USER" </dev/null
homedir=$(getent passwd "$USER" | cut -d: -f6)
chmod 700 "$homedir"
echo "+ Generating SSH key"
# Passphrase-less key that Wetty uses to SSH back into this machine.
su -c 'mkdir -p ~/.ssh; chmod 700 ~/.ssh; [[ -f ~/.ssh/id_rsa ]] || ssh-keygen -t rsa -b 4096 -N "" -C lib-wetty -f ~/.ssh/id_rsa' "$WETTY_USER"
PKfile="$homedir/.ssh/id_rsa.pub"
FILE="$homedir/.ssh/authorized_keys"
LINE=$(cat "$PKfile")
echo "+ Ensuring file $FILE has line $LINE"
# grep fails (and the key is appended) when the file is missing or lacks the key.
if grep -qFx "$LINE" "$FILE" 2>/dev/null; then
    echo " + Had it"
else
    echo " + Adding"
    echo "$LINE" >>"$FILE"
fi
echo "+ Installing wetty"
su -c 'cd && npm install wetty' "$WETTY_USER"
homedir=$( getent passwd "$WETTY_USER" | cut -d: -f6 )
wetty_host="localhost"
echo "+ Creating $WETTY_SERVICE.service file for Wetty"
# Variables in the unit below are expanded now, while the file is written.
cat >"/etc/systemd/system/$WETTY_SERVICE.service" <<-E
[Service]
Type=simple
User=$WETTY_USER
WorkingDirectory=$homedir
ExecStart=$homedir/node_modules/wetty/bin/wetty.js --port $WETTY_PORT --sshhost $wetty_host --sshport 22 --sshuser $WETTY_SSH_USER --sshauth publickey,password
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
E
echo "+ Enabling the $WETTY_SERVICE service"
systemctl enable "$WETTY_SERVICE"
echo "+ Reloading systemd"
systemctl daemon-reload
echo "+ Restarting Wetty"
service "$WETTY_SERVICE" restart
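The ExecStart line above gives Wetty a port but no bind address, so after installing it is worth checking which address the port is listening on and which SSH auth methods the unit allows. The following audit helpers are an added example, not part of the original tutorial or the Beame project; the sample `ss -ltn` output and the /home/wetty path are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original tutorial): audit a Wetty install.

# exposed_listeners PORT: reads `ss -ltn` output on stdin and prints every
# listening address on PORT that is not bound to loopback.
exposed_listeners() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }              # also skips the header line
        {
            addr = $4                        # "Local Address:Port" column
            n = split(addr, part, ":")
            if (part[n] != port) next
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host ~ /^127\./ || host == "[::1]" || host == "::1") next
            print addr
        }'
}

# sshauth_methods: reads a systemd unit on stdin and prints the value
# passed to --sshauth on its ExecStart line, one method per line.
sshauth_methods() {
    sed -n 's/^ExecStart=.*--sshauth[ =]\([^ ]*\).*/\1/p' | tr ',' '\n'
}

# Constructed sample, shaped like `ss -ltn` on a Pi where the Wetty port
# is bound to every interface.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511                *:65530            *:*
LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*'

# Constructed sample: the same port bound to loopback only.
SAMPLE_SS_LOCAL='LISTEN 0      511        127.0.0.1:65530      0.0.0.0:*'

# ExecStart as the install script generates it, with /home/wetty assumed
# as the wetty user's home directory.
SAMPLE_UNIT='[Service]
ExecStart=/home/wetty/node_modules/wetty/bin/wetty.js --port 65530 --sshhost localhost --sshport 22 --sshuser wetty --sshauth publickey,password'

# Pass --live to audit the real machine instead of the samples.
if [ "${1:-}" = "--live" ]; then
    ss -ltn | exposed_listeners "${WETTY_PORT:-65530}"
    sshauth_methods <"/etc/systemd/system/${WETTY_SERVICE:-wetty}.service"
fi
```

Any address printed by exposed_listeners means the terminal is reachable on the local network without passing through the Gatekeeper login.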
Now you need to get to the Admin console of your Gatekeeper. You have 2 options here:
- Create admin token from CLI
Just take the output of the following call and paste it into a web browser:
beame-gatekeeper-ctl admin
- Use the very first mobile credential (by default the first credential gets Admin access level) to login.
Go to https://login.beameio.net, scan the QR and, when you've logged into your Gatekeeper, choose <insta server admin app> from the list of available applications on your mobile device.
As a result of the last action, you should get your Gatekeeper's Admin Console in your web browser. Just add your Wetty as an application and your browser-based terminal is ready.
Now log out and log in again. You should see Wetty in the list. Just tap it and you are done.