SSH on Mac OS X for Worry-Free Wireless
by Derrick Story and Rob Flickenger
Network security for projects such as webcam broadcasting isn't as much of an issue when your device is hard-wired into the desktop computer sitting on your office desk. But if you set up a wireless transmitter using an 802.11b network as described in my last article, The Industrial-Strength Wireless Webcam, you need to evaluate your environment and establish the appropriate level of security.
Once you start sending private data over the radio waves, such as your FTP user name and password, you are increasing the likelihood that some unauthorized snoop can "listen in" and grab your data.
In most home 802.11b situations, I still believe that the combination of common sense and the use of WEP provides you with the security you need for broadcasting to your hobby Web site. But what if you want to use a webcam in public and send images to a business site? Certainly you don't want to take a chance on compromising security.
In situations like this, the Unix underpinnings of Mac OS X begin to show their value. In this article, I'm going to suggest a safe solution for broadcasting your webcam images, or any other data for that matter, using the Terminal application in Mac OS X to establish a secure connection with your Web server.
Since we're talking Unix here, these techniques will work in any command line environment capable of using SSH, and we're definitely not limited to using Mac OS X for this project. So let's pop the hood and get to work.
A few words about SSH and SCP
SSH (Secure Shell) is a protocol for secure remote logins. Its key function is to prevent hackers from stealing passwords that give them unauthorized access to Web sites. SSH does this by encrypting the data (including passwords) to eliminate eavesdropping. It connects to the specified hostname, making the user prove his/her identity to the remote machine.
Once the SSH connection is established, SCP (secure copy) copies files between hosts on a network. It uses SSH for data transfer, and uses the same authentication by asking for passwords or phrases.
Mac OS X users can set up these secure connections via the Terminal application. If you haven't worked with command lines before, I suggest that you practice first by building a couple of basic scripts. You can get more information on this from a variety of places, such as the Project Freedom Web site, or via downloadable PDFs such as Griffman's Terminal Guide. Once you're comfortable with the Terminal application, then you're ready to set up an SSH session.
Basic steps for establishing a secure wireless session with a Mac OS X client
The process for establishing secure transmission of webcam images on a public wireless network is:
- Create a directory on your local drive and tell CoolCam to send the captured images to that directory.
- Generate an ssh public/private key pair.
- Set up the ssh directory on the Web server, and copy the new public key to it.
- Test a secure copy to ensure everything is working properly.
- Set up a cron job so that your images are automatically sent from the local directory to the server at regular intervals.
- Disable the cron once your webcam session is over.
Setting up your secure session on Mac OS X
Once you have the webcam software saving to a file in the filesystem, you're ready to set up ssh for public key operation. Both ssh and scp use the same keys to do their work, so once ssh is set up,
These steps assume that you don't have any other keys present on your Web server. If you do, then you already know what you're doing, and don't need this article... =)
1) Generate a new key:
rob@entropy$ ssh-keygen -d
Generating public/private dsa key pair.
Enter file in which to save the key (/home/rob/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/rob/.ssh/id_dsa.
Your public key has been saved in /home/rob/.ssh/id_dsa.pub.
The key fingerprint is:
33:3c:5c:41:98:1b:fc:f5:9e:69:56:2e:0b:f1:24:7f rob@entropy
* The -d option specifies DSA keys (instead of RSA keys). The ssh v2 protocol uses DSA keys, and is widely regarded as more secure than v1.
* After entering the command, hit enter three times (to take the default filename, and to enter no passphrase.)
* Congratulations. Your public and private keys are now saved to
2) Copy the key to your Web server:
rob@entropy$ scp ~/.ssh/id_dsa.pub www.mydomain.net:.ssh/authorized_keys2
* At this point, if you've never used ssh from your OS X box before, you'll be prompted to verify the fingerprint of the server's key. Answering "yes" will save the server's fingerprint in a local cache. Should the fingerprint ever change, ssh (and scp) will sound an alarm, as this could be an indication of a man-in-the-middle attack in progress.
* You will be prompted for your password on the Web server. Enter it, and the key file will be copied.
3) Test the
rob@entropy$ ssh www.mydomain.net
Last login: Mon Oct 29 10:58:32 2001 from entropy.oreilly.com
rob@www$
* It should log you in without a password. If not, check your work. Also check that your Web server allows public key exchange (it's on by default, and is rarely disabled. Check with your friendly local sysadmin if you're not sure.)
5) Log out, and try an
rob@www$ exit
Connection to www closed.
rob@entropy$ scp /path/to/my/webcam.jpg www.mydomain.net:/path/to/graphic/
webcam.jpg 100% |*****************************| 601 00:00
rob@entropy$
* It should copy the file without asking for a password. The syntax is:
scp [source file] [hostname]:[destination directory]
* This example also assumes that you have the same username on your Mac OS X client as on your Web server.
If not, you can also specify a different username on the scp command line. For example, if your login on the Web server is webadmin:
rob@entropy$ scp /path/to/my/webcam.jpg webadmin@www.mydomain.net:/path/to/graphic/
6) Set up
Before adding a new entry to cron (sometimes called your crontab), you may want to set your editor to the user-friendly editor pico by using this command:
name% setenv EDITOR pico
Now that you've established pico as your default editor, you can set up the
rob@entropy$ crontab -e
(This will start pico with the contents of your current crontab. Unless you've added some lines yourself, this will probably be an empty file.)
Add this line:
*/5 * * * * /usr/bin/scp /path/to/my/webcam.jpg www.mydomain.net:/path/
(This means, every five minutes of every day, do this...)
7) In five minutes, check your Web site with a browser. The updated picture should magically appear. Congratulations! Your webcam images are now being updated over a cryptographically secure channel, safe from wireless eavesdroppers.
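Step 2 copies the public key over authorized_keys2, which replaces any keys already there and leaves the directory permissions to chance. The function below is an added example, not code from the article: run on the Web server, it appends the key instead, fixes the permissions, and marks the key restrict because the private key has no passphrase. Assumptions: a current OpenSSH server (file name authorized_keys, restrict option available, DSA keys no longer accepted by default, hence the key types it checks for); install_pubkey and its arguments are names made up for this example.

```shell
#!/bin/sh
# Added example, not from the article. Run on the Web server:
#   install_pubkey PUBKEY_FILE [SSH_DIR]
# The function name and its arguments are this example's own.
install_pubkey() (
    pub_file=$1
    ssh_dir=${2:-$HOME/.ssh}
    auth_file=$ssh_dir/authorized_keys

    # Expect exactly one line: "<type> <base64 blob> [comment]".
    [ -r "$pub_file" ] || { echo "cannot read $pub_file" >&2; exit 1; }
    [ "$(grep -c . "$pub_file")" -eq 1 ] || { echo "expected exactly one key" >&2; exit 1; }
    read -r key_type key_blob key_comment < "$pub_file" || [ -n "$key_type" ]
    case $key_type in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-*) ;;
        *) echo "unsupported key type: $key_type" >&2; exit 1 ;;
    esac
    [ -n "$key_blob" ] || { echo "missing key data" >&2; exit 1; }

    # sshd's default StrictModes refuses keys kept in group- or world-writable places.
    umask 077
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || exit 1
    touch "$auth_file" && chmod 600 "$auth_file" || exit 1

    # Idempotent: compare on the key blob so options and comments do not matter.
    if grep -qF -- "$key_blob" "$auth_file"; then
        echo "key already authorized" >&2
        exit 0
    fi

    # "restrict" turns off pty allocation and all forwarding for this key.
    # The unattended scp upload still works because it needs neither.
    printf 'restrict %s %s %s\n' "$key_type" "$key_blob" "$key_comment" >> "$auth_file"
)
```

With restrict in place the interactive login test in step 3 gets no terminal, so verify with the scp test instead. restrict does not limit which commands the key may run.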
When you are finished with your webcam, it's a good idea to tell cron to stop trying to update your Web site. To disable the cron entry, run another crontab -e in your terminal window, and comment out the line with a #:
# */5 * * * * /usr/bin/scp /path/to/my/webcam.jpg
Now, whenever you want to start the auto-update process again, just delete the #, and away you go.
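The cron entry in step 6 calls scp directly, so it runs with nobody at the keyboard to answer a password or host-key prompt. The wrapper below is an added example, not code from the article: it uploads only when the frame has changed and makes scp fail outright rather than wait or accept an unfamiliar host key. SCP, KEY, push_frame and the .sent stamp file are names chosen for this example; the key path is the one generated in step 1.

```shell
#!/bin/sh
# Added example, not from the article: wrapper for the cron entry in step 6.
# SCP, KEY and push_frame are names chosen for this example.
SCP=${SCP:-/usr/bin/scp}
KEY=${KEY:-$HOME/.ssh/id_dsa}

# push_frame SRC DEST: upload SRC only when it changed since the last good upload.
push_frame() {
    src=$1
    dest=$2
    stamp=$src.sent

    # No frame yet, or an empty file from a half-finished capture: skip quietly.
    [ -s "$src" ] || return 0
    # Same frame as last time: skip, so an idle camera causes no traffic.
    if [ -e "$stamp" ] && [ ! "$src" -nt "$stamp" ]; then
        return 0
    fi

    # -B (batch mode): never stop to ask for a password or passphrase under cron.
    # StrictHostKeyChecking=yes: an unknown or changed host key fails the
    #   upload instead of being accepted with nobody watching.
    # IdentitiesOnly=yes: offer only the key named with -i.
    if "$SCP" -q -B -i "$KEY" \
            -o IdentitiesOnly=yes \
            -o StrictHostKeyChecking=yes \
            -o ConnectTimeout=15 \
            "$src" "$dest"; then
        touch -r "$src" "$stamp"    # remember which frame was sent
    else
        echo "webcam upload to $dest failed" >&2    # cron mails job output to its owner
        return 1
    fi
}

# When run as a script with two arguments (as from cron), do one upload.
if [ "$#" -eq 2 ]; then
    push_frame "$1" "$2"
fi
```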
If you have trouble getting it going, there are excellent man pages available for scp. You might also take a look at Rob's article on using SSH with wireless networks.
This probably feels like a lot of work just to set up a webcam session. But the risks of transmitting unsecured data over a public network far outweigh the effort to set up scp. The good news is, once you've established your system, it's easy to turn on and off. As a bonus, with ssh keys in place, you can securely copy files and log in to your Web server without needing to use passwords.
If you discover a clever workaround that saves time or improves performance, be sure to let us know via the TalkBacks.
Derrick Story is the author of The Photoshop CS4 Companion for Photographers, The Digital Photography Companion, and Digital Photography Hacks, and coauthor of iPhoto: The Missing Manual, with David Pogue. You can follow him on Twitter or visit www.thedigitalstory.com.