
Topic: Swedish ASIC miner company kncminer.com - page 1178. (Read 3049528 times)

legendary
Activity: 938
Merit: 1000
LIR DEV
October 30, 2013, 03:15:55 PM
Those are good points I guess there is no way to give access to just the web interface and block ssh access.
If not I guess the renter would have to prepay enough to justify the risk.

As I said, the root password is not the same as the admin password, you can change the root password to be different to the admin (web login) password.

So change the root password and they can't ssh into the box, they can just use the web admin.

To change the root password from ssh just type passwd

Try it, change the root password, then logout of ssh and login again with the new root password.

You will notice that the web account still uses the old password.

If you want to change the web account password it's: passwd admin
When you change the password in the GUI, it changes BOTH the GUI AND the root passwords. If they don't match, I imagine you lose GUI control altogether, don't you?
legendary
Activity: 938
Merit: 1000
LIR DEV
October 30, 2013, 03:12:40 PM
Here are some steps to streamline access to your miner through putty..
1. Open the putty session window, and input your I.P. normally in the hostname field, but DO NOT HIT ENTER.
    a. Instead, take your mouse pointer, highlight the saved sessions field(with a single left-click), and input your miner's I.P. again.
2. on the window/behavior tab to the left, un-check the "warn before exit" box.
3. on the connection/data tab, enter "root" to the auto-login username field.
4. on the SSH tab, enter "screen -r" into the "remote command" field.
5. back on the Session tab, at bottom of page, check the "close window on exit"....... "always"
6. now hit the SAVE button, and close putty
7. Go to your desktop & right-click for a context menu, and go to new/ shortcut.
8. input the location of putty for starting it. Use full file location to execute putty & input your miner's I.P. address as such...    
 C:\Users\Ewik\Desktop\putty.exe -load "123.123.123.4" -pw password
click next, input a name for your new shortcut, click finish.

Now, when you click on the shortcut, it will start putty with your miner's ip, and enter "root" for you, and enters your password, enters the "screen -r" for you, and jumps into cgminer window.
it all happens very fast then
click on shortcut... you're in!
BAM
legendary
Activity: 3234
Merit: 1221
October 30, 2013, 03:10:51 PM
Those are good points I guess there is no way to give access to just the web interface and block ssh access.
If not I guess the renter would have to prepay enough to justify the risk.

As I said, the root password is not the same as the admin password, you can change the root password to be different to the admin (web login) password.

So change the root password and they can't ssh into the box, they can just use the web admin.

To change the root password from ssh just type passwd

Try it, change the root password, then logout of ssh and login again with the new root password.

You will notice that the web account still uses the old password.

If you want to change the web account password it's: passwd admin
newbie
Activity: 56
Merit: 0
October 30, 2013, 02:39:49 PM

If someone was REALLY malicious, they could possibly use those low-level i2c commands to actually do physical damage to the miner - like setting the PLLs to ridiculously high values, or whatever...  Maybe write a script that just blasts random values over I2C, and see if you can make something smoke Shocked

I can't imagine why anyone would want to do something like that - but it's still something to consider if you are giving root access to random people...


yeah this could be done I suppose and it's nasty.

the best thing should do like -redacted- change web interface in such a way they could not gain control of the miner or just create a normal user and grant him the right to do the minimum amount of things to let him mining (using sudo maybe)

I would set it up as a gimped version of the knc hosting model.  No ssh access, and strip out all the web interface pages except the login, status, and mining pages.  The only thing a 3rd party renter needs to be able to do is log on to the device, change pool settings, and restart the cgminer process.  Everything else they can submit a "support ticket" for....and some sort of SLA for response time can be written into the rental agreement.
sr. member
Activity: 378
Merit: 250
October 30, 2013, 02:23:13 PM
suck if the "renter" installed malicious firmware...  lol
legendary
Activity: 1260
Merit: 1008
October 30, 2013, 02:17:32 PM

If someone was REALLY malicious, they could possibly use those low-level i2c commands to actually do physical damage to the miner - like setting the PLLs to ridiculously high values, or whatever...  Maybe write a script that just blasts random values over I2C, and see if you can make something smoke Shocked

I can't imagine why anyone would want to do something like that - but it's still something to consider if you are giving root access to random people...


yeah this could be done I suppose and it's nasty.

the best thing should do like -redacted- change web interface in such a way they could not gain control of the miner or just create a normal user and grant him the right to do the minimum amount of things to let him mining (using sudo maybe)
legendary
Activity: 966
Merit: 1000
- - -Caveat Aleo- - -
October 30, 2013, 02:07:05 PM
cd /www/pages/cgi-bin
mv passwd.cgi  /

done...  It will produce a 404 error if they try to go to that selection.

To put it back
cd /www/pages/cgi-bin
mv /passwd.cgi  .


Might want to do the same with upgrade.cgi, too...



Nice.  Smiley
hero member
Activity: 574
Merit: 501
October 30, 2013, 01:58:32 PM
cd /www/pages/cgi-bin
mv passwd.cgi  /

done...  It will produce a 404 error if they try to go to that selection.

To put it back
cd /www/pages/cgi-bin
mv /passwd.cgi  .


Might want to do the same with upgrade.cgi, too...

legendary
Activity: 938
Merit: 1000
LIR DEV
October 30, 2013, 01:53:12 PM
Set up a non-root user and allow him to log onto the box with that.  Restrict what can be executed via sudo.  

Why does the user need SSH access to the box anyway?  Give him web access, and move the web page that allows changing passwords to somewhere else so it can't be accessed from the web interface until you put it back.
I'm sure there's a way to remove the reset password fields in the gui... but can't tell you how, because I'm not a linux aficionado
maybe you can block the security page entirely...?
legendary
Activity: 1066
Merit: 1098
October 30, 2013, 01:52:05 PM
I have a hypothetical question. If a 3rd party wants to rent a few days of hashtime on my Jupiter and I give him access including my password, if he changes the password without telling me is there any way to regain access without the new password or is the Jupiter permanently hi-jacked?



hard reset should reset the passwords I believe.

hard reset just copies a bunch of pristine files placed in /config in various places, among them /config/shadow.factory will be copied over /etc/shadow. that means that after a hard reset the pwd for root will be re-set to admin.

what if during the period of time u rent your miner that guy just change /config/shadow.factory? Tongue

anyway as long as u have physical access to the miner u could reflash your miner  using RecoveryFile (https://www.kncminer.com/userfiles/file/SD_image_0.96.1.zip) and everything will be under your control again.


If someone was REALLY malicious, they could possibly use those low-level i2c commands to actually do physical damage to the miner - like setting the PLLs to ridiculously high values, or whatever...  Maybe write a script that just blasts random values over I2C, and see if you can make something smoke Shocked

I can't imagine why anyone would want to do something like that - but it's still something to consider if you are giving root access to random people...
hero member
Activity: 574
Merit: 501
October 30, 2013, 01:45:59 PM
Set up a non-root user and allow him to log onto the box with that.  Restrict what can be executed via sudo.  

Why does the user need SSH access to the box anyway?  Give him web access, and move the web page that allows changing passwords out of the cgi-bin directory so it can't be accessed from the web interface until you put it back.
legendary
Activity: 1260
Merit: 1008
October 30, 2013, 01:41:50 PM
I have a hypothetical question. If a 3rd party wants to rent a few days of hashtime on my Jupiter and I give him access including my password, if he changes the password without telling me is there any way to regain access without the new password or is the Jupiter permanently hi-jacked?



hard reset should reset the passwords I believe.

hard reset just copies a bunch of pristine files placed in /config in various places, among them /config/shadow.factory will be copied over /etc/shadow. that means that after a hard reset the pwd for root will be re-set to admin.

what if during the period of time u rent your miner that guy just change /config/shadow.factory? Tongue

anyway as long as u have physical access to the miner u could reflash your miner  using RecoveryFile (https://www.kncminer.com/userfiles/file/SD_image_0.96.1.zip) and everything will be under your control again.
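
Added example, not part of any post in this thread and not KnC's own tooling: a before/after-rental check of the files named above (/etc/shadow, /config/shadow.factory, and the passwd.cgi and upgrade.cgi pages moved out of cgi-bin). It assumes sha256sum is available on the miner and that the baseline file is kept somewhere the renter cannot reach; the script name check.sh is hypothetical.

```shell
#!/bin/sh
# Added example: snapshot, then re-check, the files this thread names as
# changeable by whoever holds the login. Keep the baseline OFF the miner.
# Assumes sha256sum exists on the box; ROOT is / on a real unit.

WATCHED="etc/shadow config/shadow.factory"
DISABLED_CGI="www/pages/cgi-bin/passwd.cgi www/pages/cgi-bin/upgrade.cgi"

# snapshot ROOT BASELINE: record a SHA-256 for each watched file.
snapshot() {
    root=$1; base=$2
    : > "$base"
    for f in $WATCHED; do
        [ -r "$root/$f" ] || { echo "missing: /$f" >&2; return 2; }
        sum=$(sha256sum "$root/$f" | cut -d' ' -f1)
        printf '%s  %s\n' "$sum" "$f" >> "$base"
    done
}

# verify ROOT BASELINE: print one line per finding; return 1 if any.
verify() {
    root=$1; base=$2; rc=0
    while read -r want f; do
        have=$(sha256sum "$root/$f" 2>/dev/null | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED: /$f"
            rc=1
        fi
    done < "$base"
    # The CGI pages moved out of cgi-bin must still be absent.
    for c in $DISABLED_CGI; do
        if [ -e "$root/$c" ]; then
            echo "RE-ENABLED: /$c"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: ./check.sh snapshot / baseline.txt
#                  ./check.sh verify   / baseline.txt
case "${1:-}" in
    snapshot|verify) "$@" ;;
esac
```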
legendary
Activity: 938
Merit: 1000
LIR DEV
October 30, 2013, 01:31:35 PM
The reset button resets both the ssh and gui passwords to original
Found out the "Hard way"...hehe
legendary
Activity: 966
Merit: 1000
- - -Caveat Aleo- - -
October 30, 2013, 01:25:50 PM
I have a hypothetical question. If a 3rd party wants to rent a few days of hashtime on my Jupiter and I give him remote access including my password, if he changes the password without telling me is there any way to regain access without the new password or is the Jupiter permanently hi-jacked?



Why in the world would you give him access to the device.  Just point your miner at his address at eligius and be done.

+1

Someone with root access could theoretically do a 'rm -rf /' or equivalent - intentionally or even non-intentionally.  Then you would probably need KnC support just to unbrick the unit.  I would not give anyone I don't trust 100% direct login access to my miner(s).


Those are good points I guess there is no way to give access to just the web interface and block ssh access.
If not I guess the renter would have to prepay enough to justify the risk.
legendary
Activity: 1066
Merit: 1098
October 30, 2013, 01:13:42 PM
I have a hypothetical question. If a 3rd party wants to rent a few days of hashtime on my Jupiter and I give him remote access including my password, if he changes the password without telling me is there any way to regain access without the new password or is the Jupiter permanently hi-jacked?



Why in the world would you give him access to the device.  Just point your miner at his address at eligius and be done.

+1

Someone with root access could theoretically do a 'rm -rf /' or equivalent - intentionally or even non-intentionally.  Then you would probably need KnC support just to unbrick the unit.  I would not give anyone I don't trust 100% direct login access to my miner(s).
legendary
Activity: 966
Merit: 1000
- - -Caveat Aleo- - -
October 30, 2013, 01:11:19 PM
Thanks. My Jupiters are at Anotherhost so my VPN password would have to be reset along with the "front button" hard reset, but it is all doable. As to why a 3rd party might need access I can only speculate they may be switching between pools or between alt coins.
member
Activity: 114
Merit: 10
October 30, 2013, 01:06:17 PM
I have a hypothetical question. If a 3rd party wants to rent a few days of hashtime on my Jupiter and I give him remote access including my password, if he changes the password without telling me is there any way to regain access without the new password or is the Jupiter permanently hi-jacked?



Why in the world would you give him access to the device.  Just point your miner at his address at eligius and be done.
legendary
Activity: 938
Merit: 1000
LIR DEV
October 30, 2013, 01:05:27 PM
I have a hypothetical question. If a 3rd party wants to rent a few days of hashtime on my Jupiter and I give him remote access including my password, if he changes the password without telling me is there any way to regain access without the new password or is the Jupiter permanently hi-jacked?



Change the root password then you can always get in and change the admin password
reset button indeed resets passwords
legendary
Activity: 3234
Merit: 1221
October 30, 2013, 01:03:39 PM
I have a hypothetical question. If a 3rd party wants to rent a few days of hashtime on my Jupiter and I give him remote access including my password, if he changes the password without telling me is there any way to regain access without the new password or is the Jupiter permanently hi-jacked?



Change the root password then you can always get in and change the admin password
legendary
Activity: 938
Merit: 1000
LIR DEV
October 30, 2013, 12:49:15 PM
btw... of all the experimenting on the sats...70-79 seems to be the optimum temp
It takes about 1 and 1/2 hours to 2 hours to see the results on the graph, but looks to be a significant difference when you include several machines... about 40 gh/s for me... just by monitoring temps to 70-79 instead of letting them drop to 55-60 overnight. I use cardboard to block a bit of the airflow, and monitor the temps on the GUI, then watch for the results on the graph, and how high they peak over a couple hours. Well worth it for me.
When they said "Over-cooled", they weren't kidding!