Easy Raspberry basics: Project 29j Raspberry PI 3 model B board - Home assistant Security Configuration

of Acoptex.com in Raspberry Pi 3

Raspberry basics: Project 29j

Project name: Raspberry PI 3 model B board - Home assistant Security Configuration

Tags: Raspberry, Raspberry PI 3 model B board, vers 1.1, v 1.1, Home assistant, Wifi configuration, how to do security configuration for Home Assistant to make it safe for access, Samba Share, SSH server, Add-on, DuckDNS, secrets.yaml, HassOS 2.12, Home Assistant 0.97.2

Attachments: sambaaddonconfig, configuration.yamlsecrets.yaml, duckdnsconfiguration.yaml

In this project, you need these parts (Dear visitors. You can support our project by clicking on the links of parts and buying them, or donate to us to keep this website alive. Thank you):

1. Raspberry PI 3 model B 1 pc

2. Micro SD card and SD card adapter 1 pc

3. Micro USB power supply (2.1 A, max 2.5 A) 1 pc

4. USB keyboard 1 pc

5. USB mouse 1 pc

6. TV or PC monitor 1 pc

7. HDMI cable 1 pc

General

We will learn how to do security configuration for Home Assistant to make it safe for access.

Understanding the Home Assistant

You can read more about it here.

Understanding the Raspberry PI 3 model B

The Raspberry Pi 3 is the third-generation Raspberry Pi. It replaced the Raspberry Pi 2 Model B in February 2016.

Specification:

  • Quad Core 1.2GHz Broadcom BCM2837 64bit CPU
  • 1GB RAM
  • BCM43438 wireless LAN and Bluetooth Low Energy (BLE) on board
  • 40-pin extended GPIO
  • 4 USB 2 ports
  • 4 Pole stereo output and composite video port
  • Full size HDMI
  • CSI camera port for connecting a Raspberry Pi camera
  • DSI display port for connecting a Raspberry Pi touchscreen display
  • Micro SD port for loading your operating system and storing data
  • Upgraded switched Micro USB power source up to 2.5A

Signals and connections of the Raspberry PI 3 model B


Step by Step instruction

We recommend using a high-performance SD card for increased stability as well as plugging your device into an external display to see the default application booting up.

We assume that you have Windows 7 64 bit OS installed on your PC, and a micro SD card with Home Assistant installed and inserted into your Raspberry Pi 3 model B board.

1. Installing Hass.io, installing Add-Ons

You can read about it in Raspberry basics: Project 29a Raspberry PI 3 model B board - Home assistant for beginners

2. Configuring the Samba Share add-on.

  1. We assume that you have the Samba Share installed in your Home Assistant.
  2. Go to Hass.io. Select the Dashboard and click on Samba Share.
  3. Scroll down to the Config section. Copy and paste the settings from the sambaaddonconfig file, then modify the username and password so the shared folder is secure (remember to enclose them within quotes (" ")), and set allow hosts to the IP addresses of the local network which you allow to access the Samba Share. If you set up a specific WorkGroup name on your computer, you can change it here; otherwise, leave it with the default name (WORKGROUP). For the interface, if you have your Raspberry Pi connected with an Ethernet cable, set it to eth0. If you are connected via WiFi, set it to wlan0.
  4. Click on Save button.
  5. Open the File Explorer, then go to Network and the HASSIO shared folder should now be available. If it doesn't come up right away, refresh the page and give it a second. When you open the shared folder for the first time, you will need to sign in using the username and password that you set in the Samba Share Config section. You can click on Remember my credentials, so you don't have to sign in every time you want to access the configuration files.
  6. You can read more about Samba Share add-on here.

3.1 Protecting the Home Assistant web interface (with Legacy API password only with limited settings)

You will log in with the Legacy API password only and have a limited amount of settings (Users group). If you would like to come back to logging in with Home Assistant Local (Admins group) with a username and password, you will need to modify the configuration.yaml file (remove the auth provider lines) through Samba Share and restart your Raspberry Pi.

  1. We assume that you have the Configurator installed in your Home Assistant. Otherwise you can find out how to install it in Raspberry basics: Project 29b Raspberry PI 3 model B board - Control of LEDs with Home assistant.
  2. The configuration.yaml file is a plain-text file, thus it is readable by anyone who has access to the file. The file contains passwords and API tokens which need to be redacted if you want to share your configuration. By using !secret you can remove any private information from your configuration files. This separation can also help you to keep easier track of your passwords and API keys, as they are all stored at one place and no longer spread across the configuration.yaml file or even multiple yaml files.
  3. Go to Configurator. Select the config folder and open the configuration.yaml file.
  4. Activating this auth provider will allow you to authenticate with the API password set in the HTTP component. It will also allow you to provide the API password using an authentication header to make requests against the Home Assistant API. This feature will be dropped in the future in favor of long-lived access tokens. See the example of configuration.yaml. You can copy the auth provider section from this file using Notepad++. Click on the Save icon at the top.
  5. Now, check if you have a secrets.yaml file in your Home Assistant config folder. If you do not have it, create it. The secrets.yaml file contains the corresponding password assigned to the identifier: http_password: YOUR_PASSWORD.
  6. See the example - secrets.yaml. Type your password and when finished, click on the Save icon at the top.
  7. Now you need to restart Home Assistant so the changes take effect. You can do it from Configurator.
  8. Click on the Menu icon on the top right and then click on Restart Hass.
  9. Go back to the Home Assistant page and, after a minute or two, refresh the page. You will now need to enter the new password created in the secrets.yaml file and click on Next button. This applies both on the local LAN network and when you access your Home Assistant from the internet.

3.2 Protecting the Home Assistant web interface (with Home Assistant Local and with Legacy API password)

  1. We assume that you have the Configurator installed in your Home Assistant. Otherwise you can find out how to install it in Raspberry basics: Project 29b Raspberry PI 3 model B board - Control of LEDs with Home assistant.
  2. The configuration.yaml file is a plain-text file, thus it is readable by anyone who has access to the file. The file contains passwords and API tokens which need to be redacted if you want to share your configuration. By using !secret you can remove any private information from your configuration files. This separation can also help you to keep easier track of your passwords and API keys, as they are all stored at one place and no longer spread across the configuration.yaml file or even multiple yaml files.
  3. Go to Configurator. Select the config folder and open the configuration.yaml file.
  4. You need to have just one line in the http section - api_password: !secret http_password. Click on the Save icon at the top.
  5. Now, check if you have a secrets.yaml file in your Home Assistant config folder. If you do not have it, create it. The secrets.yaml file contains the corresponding password assigned to the identifier: http_password: YOUR_PASSWORD.
  6. See the example - secrets.yaml. Type your password and when finished, click on the Save icon at the top.
  7. Now you need to restart Home Assistant so the changes take effect. You can do it from Configurator.
  8. Click on the Menu icon on the top right and then click on Restart Hass.
  9. Go back to the Home Assistant page and, after a minute or two, refresh the page. You can now access your Home Assistant with two different methods. This is very handy, as one access is for the administrator and the other is for the user.
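
The !secret separation described in sections 3.1 and 3.2 can be checked mechanically. The following is an added example, not one of the project's attachments: a standard-library Python audit that flags credentials left inline in configuration.yaml and !secret references that secrets.yaml does not define or still holds as YOUR_PASSWORD. The sample files, the notify block and the list of sensitive key names are constructed assumptions.

```python
import re

# Key names that usually hold credentials (assumed list; extend it for your setup).
SENSITIVE = re.compile(r"password|token|api_key|secret", re.I)
# Matches "key: value" with optional list dash; enough for flat Home Assistant YAML.
LINE = re.compile(r"^\s*(?:-\s*)?([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$")


def parse_secrets(text):
    """Return {name: value} from secrets.yaml (one 'name: value' per line)."""
    secrets = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m and not raw.lstrip().startswith("#"):
            secrets[m.group(1)] = m.group(2).strip("'\"")
    return secrets


def audit(config_text, secrets_text):
    """Return (line_no, key, problem) tuples for configuration.yaml."""
    secrets = parse_secrets(secrets_text)
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        m = LINE.match(raw)
        if not m or raw.lstrip().startswith("#"):
            continue
        key, value = m.groups()
        if value.startswith("!secret"):
            name = value[len("!secret"):].strip()
            if name not in secrets:
                findings.append((no, key, f"!secret {name} missing from secrets.yaml"))
            elif secrets[name] in ("", "YOUR_PASSWORD"):
                findings.append((no, key, f"secret {name} is empty or a placeholder"))
        elif value and SENSITIVE.search(key):
            findings.append((no, key, "credential stored inline; use !secret"))
    return findings


# Constructed sample files (not the project's attachments).
SAMPLE_CONFIG = """\
homeassistant:
  auth_providers:
    - type: legacy_api_password
http:
  api_password: !secret http_password
notify:
  - platform: example
    token: abc123-inline
    password: !secret notify_password
"""
SAMPLE_SECRETS = """\
# secrets.yaml
http_password: YOUR_PASSWORD
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_SECRETS):
        print(finding)
```

Run it against copies of your own two files before sharing configuration.yaml; an empty result means every credential-like key goes through !secret and resolves to a non-placeholder value.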

4. Changing the Home Assistant Local (Admins group) password

  1. Go to your profile (we had Acoptex).
  2. Scroll down to the Change password field.
  3. Type the current password.
  4. Type new password and repeat it one more time.
  5. Click on Submit button.
  6. Reboot your Home Assistant and log in with new password.

5. Install and set up the DuckDNS add-on

Duck DNS is a free Dynamic DNS service which will point a DNS (sub domains of duckdns.org) to an IP of your choice. 

Dynamic DNS service (DDNS) is a handy way to refer to a server or router by an easily remembered name when the server's IP address is likely to change. When your router reconnects or your server reboots, its IP address is set by the provider of that connection, which means it may change at any time. Duck DNS is a DDNS service with Let's Encrypt support. This add-on will automatically create and renew your certificates.

  1. Open Home Assistant, go to Hass.io.
  2. Select Add-on Store and then click on Duck DNS.
  3. Click on Install button and give it a couple of minutes for the add-on to install.
  4. You will need to sign up for a Duck DNS account before using this add-on. Once the installation finishes, go to duckdns.org and sign in using one of the available methods to create a new account.
  5. Create a new subdomain name - just type it in the sub domain field and click on the green add domain button. You will get the message: success: domain your_domain.duckdns.org added to your account
  6. You will need your_domain.duckdns.org and the DuckDNS token later to configure the DuckDNS add-on in Home Assistant.
  7. Go back to Home Assistant. Go to Hass.io and select Dashboard tab.

  8. Click on DuckDNS and scroll down to Config section. 
  9. Set "accept_terms" to true, and fill in "token" (your Duck DNS token) and "domains" (your your_domain.duckdns.org). Make sure that the token and the domain name are enclosed within quotes. See example here.
  10. Click on Save button.
  11. Before starting the add-on, you need to access your router settings. There are two things that you need to set up in your router: 1. make sure that your Raspberry Pi always gets the same IP address from the network; 2. create a port forwarding rule for Home Assistant. All router settings are a little bit different, so we can't tell you exactly where to go to set these things up, but to give you an idea, we are going to show you how we set up the port forwarding rule in our router.
  12. Reboot the router. Once the router is back online, go back to Home Assistant and start the Duck DNS add-on by clicking on Start button.
  13. You need to add the DuckDNS URL that was created and the SSL information in the configuration.yaml file. 
  14. Go to Configurator. Select the config folder and open the configuration.yaml file.
  15. Under HTTP and below the api_password enter the following and only change the base_url to your DuckDNS URL - your_domain.duckdns.org

  16. Check for example configuration.yaml here. Click on Save icon.
  17. Now you need to restart Home Assistant so the changes take effect. You can do it from Configurator.
  18. Click on the Menu icon on the top right and then click on Restart Hass.
  19. Wait a few minutes. Open any internet browser (Google Chrome, Microsoft Edge, Internet Explorer..) and type https://your_domain.duckdns.org:443
  20. You are done. Congrats. Now, to access the Home Assistant web interface from inside and outside your home network, you would now need to use the DuckDNS URL.

6. Install and setup the SSH server add-on

If your remote Raspberry Pi with Home Assistant is visible over the Internet, you should use public key authentication instead of passwords, if at all possible. This is because SSH keys provide a more secure way of logging in compared to using a password alone. While a password can eventually be cracked with a brute-force attack, SSH keys are nearly impossible to decipher by brute force alone. With public key authentication, every computer has (i) a public and (ii) a private "key" (two mathematically-linked algorithms that are effectively impossible to crack).

Today, OpenSSH is the default SSH implementation on Unix-like systems such as Linux and OS X. Key-based authentication is the most secure of several modes of authentication usable with OpenSSH, such as plain passwords and Kerberos tickets. Other authentication methods are only used in very specific situations. SSH can use either "RSA" (Rivest-Shamir-Adleman) or "DSA" ("Digital Signature Algorithm") keys. Both of these were considered state-of-the-art algorithms when SSH was invented, but DSA has come to be seen as less secure in recent years. RSA is the only recommended choice for new keys, so this tutorial uses "RSA key" and "SSH key" interchangeably.

When you log in to your VPS, the SSH server uses the public key to "lock" messages in a way that can only be "unlocked" by your private key. This means that even the most resourceful attacker cannot snoop on, or interfere with, your session. As an extra security measure, some users and most SSH programs store the private key in a passphrase-protected format, to provide a window of time in which you can disable your compromised public key, should your computer be stolen or broken in to. For these reasons, public key authentication is a much better solution than passwords for most people. In fact, by not employing a passphrase on your private key, you will have the ability to automate parts of your configuration management with secure, automatic log-ins, such as incremental off-site backups, manage your assets via the Home Assistant API, and more.

  1. Check this project for the installation - Raspberry basics: Project 29a Raspberry PI 3 model B board - Home assistant for beginners
  2. Open Home Assistant, go to Hass.io.
  3. Select Dashboard and click on SSH server add-on.
  4. To use this add-on, you must have a private/public key to log in. To generate them, follow the instructions for Windows and these for other platforms. It is possible to set a password for login since version 2.0, but for high security use private/public keys. You cannot run both variants at the same time. Enabling login via keys will simply disable password login.
  5. Scroll down to the Config section. It has two options: authorized_keys - your public keys for the authorized key file (you can authorize multiple keys by adding multiple public keys to the list); password - the other option, used when you set a password for login. We do NOT recommend this variant.

  6. We will explain how to get your ssh key now. Go here to download the PuTTYgen. The installation is very simple so we will not cover it in this project.
  7. After installation open the PuTTYgen.
  8. For Type of key to generate - select RSA and in the Number of bits in a generated key field, specify either 2048 or 4096 (increasing the bits makes it harder to crack the key by brute-force methods).
  9. Click on Generate button.
  10. Move your mouse pointer around in the blank area of the Key section, below the progress bar (to generate some randomness) until the progress bar is full. A private/ public key pair has now been generated.
  11. In the Key comment field, enter any comment you'd like, to help you identify this key pair, later (e.g. your e-mail address; home; office; etc.) -- the key comment is particularly useful in the event you end up creating more than one key pair.
  12. Optional: Type a passphrase in the Key passphrase field & re-type the same passphrase in the Confirm passphrase field (if you would like to use your keys for automated processes, however, you should not create a passphrase).
  13. Click on Save public key button and choose whatever filename you'd like (some users create a folder in their computer named my_keys).
  14. Click the Save private key button and choose whatever filename you'd like (you can save it in the same location as the public key, but it should be a location that only you can access and that you will NOT lose! If you lose your keys and have disabled username/password logins, you will no longer be able to log in!).
  15. Right-click in the text field labeled Public key for pasting into OpenSSH authorized_keys file and choose Copy.
  16. Paste your ssh key to authorized_keys. Click on Save.
  17. Click on Start button to start add-on.
  18. You need to create a PuTTY profile to save your server's settings. You can create (and save) profiles for connections to your various SSH servers, so you don't have to remember, and continually re-type, redundant information.
  19. Download and install PuTTY.
  20. Start PuTTY by double-clicking its executable file.
  21. PuTTY's initial window is the Session Category (navigate PuTTY's various categories, along the left-hand side of the window). In the Host Name(or IP address) field, enter the IP address of your Raspberry Pi.
  22. Enter the port number in the Port field (for added security, consider changing your server's SSH port to a non-standard port).
  23. Select SSH under Protocol.
  24. Select the Data sub-category, under Connection.
  25. Specify the username that you plan on using, when logging in to the SSH server, and whose profile you're saving, in the Auto-login username field. We used root.
  26. Expand the SSH sub-category, under Connection. Highlight the Auth sub-category and click on Browse button.
  27. Browse your file system and select your previously-created private key. 
  28. Return to the Session Category and enter a name for this profile in the Saved Sessions field, e.g. user@192.168.0.114.
  29. Click on Save button for the Load, Save or Delete a stored session area.
  30. Now you can go ahead and log in to user@192.168.0.114 and you will not be prompted for a password. However, if you had set a passphrase on your private key, you will be asked to enter the passphrase at that time (and every time you log in, in the future).
  31. Select user@192.168.0.114 and click on Open button. After logging in, you will find yourself in this add-on's container.
  32. The Home Assistant configuration directory is mounted on the path /config.
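
Steps 8 to 16 above depend on pasting the right text into authorized_keys: the one-line OpenSSH form of an RSA key of at least 2048 bits, not the file written by Save public key. The following is an added example, not part of the original project: a standard-library Python check that parses a candidate line, decodes the SSH wire format and reports the RSA modulus size. The sample keys are constructed from a made-up modulus and are not usable keys.

```python
import base64
import struct


def _read_string(blob, off):
    """Read one SSH wire string: 4-byte big-endian length, then that many bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end


def check_authorized_key(line, min_rsa_bits=2048):
    """Return (ok, detail) for one line meant for the add-on's authorized_keys list."""
    line = line.strip()
    if line.startswith(("---- BEGIN SSH2 PUBLIC KEY", "PuTTY-User-Key-File")):
        return False, "PuTTY file format pasted; use the one-line OpenSSH text"
    parts = line.split()
    if len(parts) < 2:
        return False, "expected '<type> <base64> [comment]'"
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
        name, off = _read_string(blob, 0)
        if name != key_type.encode():
            return False, "type prefix does not match the key blob"
        if key_type != "ssh-rsa":
            return True, key_type
        _exponent, off = _read_string(blob, off)
        modulus, off = _read_string(blob, off)
    except ValueError:
        return False, "key blob is damaged (wrapped or truncated paste?)"
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < min_rsa_bits:
        return False, f"RSA modulus is only {bits} bits"
    return True, f"ssh-rsa {bits} bits"


def make_sample_rsa_line(bits, comment="constructed-sample"):
    """Build a structurally valid ssh-rsa line from a made-up modulus (not a usable key)."""
    def wire(data):
        return struct.pack(">I", len(data)) + data
    modulus = (1 << (bits - 1)) | 1
    # mpint encoding: a leading zero byte keeps the value positive when the top bit is set
    n_bytes = b"\x00" + modulus.to_bytes(bits // 8, "big")
    blob = wire(b"ssh-rsa") + wire((65537).to_bytes(3, "big")) + wire(n_bytes)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    for candidate in (make_sample_rsa_line(4096), make_sample_rsa_line(1024),
                      "---- BEGIN SSH2 PUBLIC KEY ----"):
        print(check_authorized_key(candidate))
```

Only the public key line is ever passed to this check; the private key file stays on the PC where PuTTYgen saved it.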

 

Summary

We have learnt how to do security configuration for Home Assistant to make it safe for access.

Libraries in use

 

  • none

 

Resources

  • See the beginning of this project


Published at 12-08-2019