Elliot_M
Posts: 39
Joined: Wed Dec 17, 2014 12:59 am

Feedback pls: Remotely connect to your Raspberry Pi

Fri Jul 31, 2015 6:17 pm

Hey guys,

I'm currently working on a small project that helps you connect to your Raspberry Pi’s shell remotely through your web browser.

It’s still at an early stage, but I’d really appreciate any thoughts and comments. You can check it out here: http://dataplicity.com

The main thing I would like to know is whether anyone here thinks that this might be valuable/useful to them.

Thanks in advance :)
Elliot
Last edited by Elliot_M on Sun Mar 27, 2016 9:36 pm, edited 1 time in total.

DougieLawson
Posts: 37069
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Feedback pls: Remotely connect to your Raspberry Pi

Fri Jul 31, 2015 6:19 pm

What does it give me that I can't already do with Weaved IoT?
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

Heater
Posts: 14414
Joined: Tue Jul 17, 2012 3:02 pm

Re: Feedback pls: Remotely connect to your Raspberry Pi

Fri Jul 31, 2015 6:40 pm

I can already do that with ssh.

Why would I trust your web site with access to my Pi?
Memory in C++ is a leaky abstraction .

Elliot_M
Posts: 39
Joined: Wed Dec 17, 2014 12:59 am

Re: Feedback pls: Remotely connect to your Raspberry Pi

Fri Jul 31, 2015 7:12 pm

Hey Heater,

Good points and thanks for your comments!

SSH is great and has been around for ages, but it's a pain if you don't know your Pi's IP address, or if you've got your Pi running on someone else's network (like a 3G connection). Usually you need some combination of VPN, port forwarding and/or dyndns service to reach the device, but with dataplicity all you need to have is your Pi connected to the internet (uses a client-initiated secure websockets connection). Do you think that's easier than the SSH approach?

Would seeing the source code help on the trust side? I've already put the dataplicity client code up on GitHub (https://github.com/wildfoundry/dataplicity). It needs tidying up and some improved documentation, but the code is available there for all to view :)

Thanks

Heater
Posts: 14414
Joined: Tue Jul 17, 2012 3:02 pm

Re: Feedback pls: Remotely connect to your Raspberry Pi

Fri Jul 31, 2015 7:45 pm

There is nothing that will help with trust unless I can put ssh keys on my Pi, or whatever device, such that I know whoever is relaying the communication cannot be a man in the middle.

It's a big problem.

As it happens I am just now playing with the services of resin.io to deploy code to remote devices and get access to them over 3G. There is the issue of trust there as well. But I think resin has a somewhat different use case in mind than you do. My first test of resin is here: https://bccbb0d6f38d1c3dec17eaeddc73710 ... device.io/

Otherwise I have access to Pi's via a terminal interface in the browser that comes via a Google cloud instance and a web socket connection from the remote Pi. Again I have to trust Google as the man in the middle.

You are right VPNs are a pain to set up.

Possibly you have a great idea there. I'll give it a try.
Memory in C++ is a leaky abstraction .

Elliot_M
Posts: 39
Joined: Wed Dec 17, 2014 12:59 am

Re: Feedback pls: Remotely connect to your Raspberry Pi

Fri Jul 31, 2015 8:02 pm

DougieLawson wrote:
> What does it give me that I can't already do with Weaved IoT?

Hi there!
dataplicity is really focused on providing you with remote access to your Pi. You don't even need to provide your own terminal client as the terminal is web-based. The installation is a one-liner, doesn't open any ports, and indeed you don't even need to install SSH.

As an existing user of weaved, I'd be interested to know what features of weaved you actually use? I have a bunch of things lined up but it would be great to get some feedback as to which features are actually most useful to people.

Best,
Elliot.

Heater
Posts: 14414
Joined: Tue Jul 17, 2012 3:02 pm

Re: Feedback pls: Remotely connect to your Raspberry Pi

Fri Jul 31, 2015 8:07 pm

Elliot_M,

Actually, perhaps you could outline how this works. From what you have said I gather something has to be installed on the Pi to initiate that websocket connection back to your server(s). Then a user visits your site via a web browser and gets a terminal connection to their Pi.
Memory in C++ is a leaky abstraction .

Elliot_M
Posts: 39
Joined: Wed Dec 17, 2014 12:59 am

Re: Feedback pls: Remotely connect to your Raspberry Pi

Fri Jul 31, 2015 8:08 pm

Heater wrote:
> There is nothing that will help with trust unless I can put ssh keys on my Pi, or whatever device, such that I know whoever is relaying the communication cannot be a man in the middle.
>
> It's a big problem.
>
> As it happens I am just now playing with the services of resin.io to deploy code to remote devices and get access to them over 3G. There is the issue of trust there as well. But I think resin has a somewhat different use case in mind than you do. My first test of resin is here: https://bccbb0d6f38d1c3dec17eaeddc73710 ... device.io/
>
> Otherwise I have access to Pi's via a terminal interface in the browser that comes via a Google cloud instance and a web socket connection from the remote Pi. Again I have to trust Google as the man in the middle.
>
> You are right VPNs are a pain to set up.
>
> Possibly you have a great idea there. I'll give it a try.

Hi again!

Thanks for this feedback, it's just awesome and I will have a chat with the other guys to see what we could potentially do here. If you have any particular ideas you think would help, please drop me a note so we can have a proper review?

Best,
Elliot.

Elliot_M
Posts: 39
Joined: Wed Dec 17, 2014 12:59 am

Re: Feedback pls: Remotely connect to your Raspberry Pi

Fri Jul 31, 2015 8:11 pm

Heater wrote:
> Elliot_M,
>
> Actually, perhaps you could outline how this works. From what you have said I gather something has to be installed on the Pi to initiate that websocket connection back to your server(s). Then a user visits your site via a web browser and gets a terminal connection to their Pi.

Pretty much a hole-in-one. So you install the client (see the GitHub link above for the code), then the client starts up and opens a websocket connection to the dataplicity servers (client initiated, hence why VPN and dyndns etc are not needed). The servers present a website which includes a web based terminal. End to end is HTTPS, and there are no ports opened on the Pi itself.

Best,
Elliot.

Heater
Posts: 14414
Joined: Tue Jul 17, 2012 3:02 pm

Re: Feedback pls: Remotely connect to your Raspberry Pi

Fri Jul 31, 2015 8:25 pm

Elliot_M,

OK, sounds cool.

I worry about the name "dataplicity". To my old brain it sounds too much like "duplicity". Which of course has negative connotations. Still, the young kids today won't get that.

I will be signing up and checking this out.
Memory in C++ is a leaky abstraction .

DougieLawson
Posts: 37069
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Feedback pls: Remotely connect to your Raspberry Pi

Fri Jul 31, 2015 10:27 pm

Elliot_M wrote:
> As an existing user of weaved, I'd be interested to know what features of weaved you actually use? I have a bunch of things lined up but it would be great to get some feedback as to which features are actually most useful to people.

I don't use Weaved. I've got a few ports forwarded on my router and that lets me use ssh or OpenVPN from anywhere in the public internet using one of my machines preloaded with an ssh key and/or my OpenVPN ca.crt and client.crt / client.key. One of my systems has a tunnelled public IPv6 address (because I trust http://he.com). If I connect to my OpenVPN I get a remote IPv6 address routed through my server.

I can see the benefits of providing a reverse proxy (especially if you run that over port 80 or port 443) for folks who can't do port forwarding. But there is a problem of trusting the service provider for anything like that. Since the machine on my network is effectively opened up to your servers (which I don't control).
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

Heater
Posts: 14414
Joined: Tue Jul 17, 2012 3:02 pm

Re: Feedback pls: Remotely connect to your Raspberry Pi

Sat Aug 01, 2015 9:33 am

Hmmm...

So given that we can get a byte stream from local PC to remote Pi using HTTP and web sockets via servers from Dataplicity or Resin or whatever, then all we need is a way of establishing secure communications from end to end using public key encryption, HTTPS style. In that way the provider of the server in the middle would not need to be trusted any more than we trust the many hops that our HTTPS or VPN traffic runs over.

The PC end of this link would need to not be a web browser running JS provided by the server operator but that is easily done especially with tools like node.js.

Is there such a SSL/TLS style system that will work over any old byte stream, not dependent on TCP/IP?
Memory in C++ is a leaky abstraction .

Heater
Posts: 14414
Joined: Tue Jul 17, 2012 3:02 pm

Re: Feedback pls: Remotely connect to your Raspberry Pi

Sat Aug 01, 2015 9:42 am

More hmmm...

I guess for a simple terminal interface between Pi and PC via Dataplicity/Resin/etc and given that one has control of both ends of the link one could just use private key encryption over the provided byte stream to get an end to end secure connection to the Pi.

Again the PC end would not want to be JS running in my browser. Unless it's a page coming from a site I trust, like my own server locally, that connects to Dataplicity/Resin etc.
Memory in C++ is a leaky abstraction .
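
The scheme discussed in the two posts above, sketched as an added example (not from the thread and not dataplicity code): both ends hold a shared 32-byte key copied out of band, and every chunk sent through the relay is an AES-256-GCM record, so the relay can forward bytes but cannot read, alter, replay or reorder them. The record layout and the names `Sender`, `Receiver`, `nonceFor` and `PC_TO_PI` are assumptions made for this sketch.

```javascript
// Added example (not dataplicity code): AES-256-GCM records over a relayed byte stream.
const crypto = require('node:crypto');

const TAG_LEN = 16;
const MAX_RECORD = 64 * 1024 + TAG_LEN; // assumed cap on one record body
const PC_TO_PI = 1; // direction label; the reverse direction must use another value

// Nonce = 4-byte direction label + 8-byte record counter, so one shared key
// never encrypts two records under the same nonce.
function nonceFor(direction, seq) {
  const n = Buffer.alloc(12);
  n.writeUInt32BE(direction, 0);
  n.writeBigUInt64BE(seq, 4);
  return n;
}

class Sender {
  constructor(key, direction) { this.key = key; this.direction = direction; this.seq = 0n; }
  // One record on the wire: 4-byte length | ciphertext | 16-byte GCM tag.
  seal(plaintext) {
    const header = Buffer.alloc(4);
    header.writeUInt32BE(plaintext.length + TAG_LEN, 0);
    const c = crypto.createCipheriv('aes-256-gcm', this.key, nonceFor(this.direction, this.seq++));
    c.setAAD(header); // the length field is authenticated too
    return Buffer.concat([header, c.update(plaintext), c.final(), c.getAuthTag()]);
  }
}

class Receiver {
  constructor(key, direction) {
    this.key = key; this.direction = direction; this.seq = 0n; this.buf = Buffer.alloc(0);
  }
  // Accepts chunks split anywhere by the relay; returns plaintexts of complete records.
  // The counter is implicit, so a modified, replayed, dropped or reordered record
  // fails the tag check and final() throws.
  feed(chunk) {
    this.buf = Buffer.concat([this.buf, chunk]);
    const out = [];
    while (this.buf.length >= 4) {
      const len = this.buf.readUInt32BE(0);
      if (len < TAG_LEN || len > MAX_RECORD) throw new Error('bad record length');
      if (this.buf.length < 4 + len) break; // wait for the rest of the record
      const body = this.buf.subarray(4, 4 + len);
      const d = crypto.createDecipheriv('aes-256-gcm', this.key, nonceFor(this.direction, this.seq));
      d.setAAD(this.buf.subarray(0, 4));
      d.setAuthTag(body.subarray(len - TAG_LEN));
      out.push(Buffer.concat([d.update(body.subarray(0, len - TAG_LEN)), d.final()]));
      this.seq++;
      this.buf = this.buf.subarray(4 + len);
    }
    return out;
  }
}

// Constructed demo: PC -> relay -> Pi, with the relay re-chunking and then tampering.
function demo() {
  const key = crypto.randomBytes(32); // in practice generated once, copied to both ends
  const pc = new Sender(key, PC_TO_PI);
  const pi = new Receiver(key, PC_TO_PI);
  const wire = Buffer.concat([pc.seal(Buffer.from('ls -l\n')), pc.seal(Buffer.from('uptime\n'))]);
  const got = [...pi.feed(wire.subarray(0, 7)), ...pi.feed(wire.subarray(7))].map((b) => b.toString());
  const bad = pc.seal(Buffer.from('date\n'));
  bad[5] ^= 1; // relay flips one ciphertext bit
  let rejected = false;
  try { pi.feed(bad); } catch (e) { rejected = true; }
  return { got, rejected };
}
```

A shared key gives no forward secrecy and must reach both machines by some path that does not involve the relay; a receiver that sees a failed record should drop the session rather than continue.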

Elliot_M
Posts: 39
Joined: Wed Dec 17, 2014 12:59 am

Re: Feedback pls: Remotely connect to your Raspberry Pi

Sat Aug 01, 2015 6:17 pm

Heater wrote:
> Hmmm...
>
> So given that we can get a byte stream from local PC to remote Pi using HTTP and web sockets via servers from Dataplicity or Resin or whatever, then all we need is a way of establishing secure communications from end to end using public key encryption, HTTPS style. In that way the provider of the server in the middle would not need to be trusted any more than we trust the many hops that our HTTPS or VPN traffic runs over.
>
> The PC end of this link would need to not be a web browser running JS provided by the server operator but that is easily done especially with tools like node.js.
>
> Is there such a SSL/TLS style system that will work over any old byte stream, not dependent on TCP/IP?

Thanks so much for your suggestions :)

At the moment the system does operate through a web-based shell with our web servers in the middle - it's encrypted end to end but you are right in that our servers are in the middle. We're going to put our heads together this week to discuss further protections we could put in place for people who really need that bit of extra reassurance, and some kind of keying system along the lines you have outlined will be first on the list :)

Heater
Posts: 14414
Joined: Tue Jul 17, 2012 3:02 pm

Re: Feedback pls: Remotely connect to your Raspberry Pi

Sat Aug 01, 2015 7:18 pm

Elliot_M,

end-to-end? From a user perspective it's only encrypted from end to middle, the Dataplicity servers. After that we have no idea what is going on.

As far as I can tell the problem is this cannot be done with a web browser interface. At least not if it's a page served up from Dataplicity. We can't trust it. Encryption with JavaScript in the browser is problematic anyway.

Similarly, what about the client code running in the Pi. How can we trust it if it comes from Dataplicity?

I'm not suggesting that you have any intention of snooping on your users or taking over their systems for doggy purposes. Just exploring the security issues here.
Memory in C++ is a leaky abstraction .

Elliot_M
Posts: 39
Joined: Wed Dec 17, 2014 12:59 am

Re: Feedback pls: Remotely connect to your Raspberry Pi

Sat Aug 01, 2015 9:55 pm

Heater wrote:
> end-to-end? From a user perspective it's only encrypted from end to middle, the Dataplicity servers. After that we have no idea what is going on.

The encryption is HTTPS websockets from browser to dataplicity server, then again from server to device. dataplicity forwards the traffic in the middle, but doesn't store it after forwarding. We do store system stats like disk space, memory usage etc so we can also display those data points in your account.

Heater wrote:
> As far as I can tell the problem is this cannot be done with a web browser interface. At least not if it's a page served up from Dataplicity. We can't trust it. Encryption with JavaScript in the browser is problematic anyway.

I think this one probably warrants a bit of a deeper comment.

This is really one of those difficult areas where I have to weigh up the convenience of having a simple, portable, web-based terminal vs the need for client software tied to specific platforms. As it stands it is really not that much different than a hosted-VPN or terminal access to hosted devices via AWS and Google, and I am hoping that we've struck the right balance for most users.

Of course I do recognise that this trade-off may not be acceptable to all, and that in cases where security concerns outweigh convenience there may be a need for a system which ensures only fully encrypted traffic operates through dataplicity servers. As you correctly pointed out, this would likely preclude a web-based terminal (and the associated convenience) and may require some form of PC/phone-based app to handle key exchange. I am going to have a look at some options there.

Heater wrote:
> Similarly, what about the client code running in the Pi. How can we trust it if it comes from Dataplicity?

The code is here for all to see: github.com/wildfoundry/dataplicity. It's a modified BSD licence, so you can modify it yourself if you wish :) The documentation thus far is a bit patchy, but it's improving as time permits :)

Heater wrote:
> I'm not suggesting that you have any intention of snooping on your users or taking over their systems for doggy purposes. Just exploring the security issues here.

I'm really appreciative of the fact that you are voicing your concerns :) I will be working through these comments and see where we can improve.

Best,
Elliot.

Heater
Posts: 14414
Joined: Tue Jul 17, 2012 3:02 pm

Re: Feedback pls: Remotely connect to your Raspberry Pi

Sun Aug 02, 2015 2:58 am

Elliot_M,

I don't mean to be coming over wholly critical or negative regarding your service here. In fact I'm very glad to see your offerings. The more options we have in the "IoT" space the better. Especially if they were to be compatible, standardized and interchangeable. There are many big players making a grab for our "things" with the rush to IoT and I fear the day when all our "things" are dependent on a single monolith like MS or whoever. It would be great to see the millions of Raspi users leading the way in showing how such lock-in is not a foregone conclusion.

I do appreciate that the level of security you have put in place is comparable to that of Google or AWS, modulo any mishaps in implementation, and may well be sufficient for the majority of users.

The balance between security and convenience is an ongoing debate with different outcomes depending on the user requirements and their level of trust (or paranoia :) )

Putting the client code up on github is a good move. Making sure the browser side code is not minimized or obfuscated would be great too.
Memory in C++ is a leaky abstraction .

Elliot_M
Posts: 39
Joined: Wed Dec 17, 2014 12:59 am

Re: Feedback pls: Remotely connect to your Raspberry Pi

Fri Aug 28, 2015 5:43 pm

Hi again,

Just a quick note to say again thanks for the feedback!

I'm just following up on this one to let you know we took action on some of these suggestions. In particular, for recent installs the dataplicity client now runs as an unprivileged user on your Pi. This means the shell will only open as an unprivileged shell: if you want superuser you have to type 'su' and enter your password for superuser.

Best,
Elliot.

KLL
Posts: 1453
Joined: Wed Jan 09, 2013 3:05 pm
Location: thailand

Re: Feedback pls: Remotely connect to your Raspberry Pi

Sat Sep 26, 2015 5:37 pm

Elliot_M wrote:
> dataplicity client now runs as an unprivileged user on your Pi. This means the shell will only open as an unprivileged shell: if you want superuser you have to type 'su' and enter your password for superuser.

what password?
http://kll.engineering-news.org/kllfusi ... cle_id=100

Elliot_M
Posts: 39
Joined: Wed Dec 17, 2014 12:59 am

Re: Feedback pls: Remotely connect to your Raspberry Pi

Sat Sep 26, 2015 5:51 pm

Hey thanks for the write up and for the tip about the dataplicity user account!

We were debating internally about whether or not we should create the dataplicity user account with a home directory or as a pure service account, and in the first instance we adopted the service account approach. From reading your article, I'm assuming that your preference would be if we created the home directory automatically? If so let me know and I'll put that back on our engineering list for review.

In the meantime, you are asking how to get superuser via the terminal. For your security, and as you quite rightly pointed out, we run as an underprivileged user. We are not even part of 'wheel' which means we cannot directly su to superuser, and indeed the dataplicity account does not allow direct password login. That doesn't mean you can't get root if you need..... what you first need to do is su to another user account on your device, for example 'pi' and use the password for that account ('raspberry' if you haven't changed the default, which we recommend you do).

So type 'su pi' and after pressing enter, type the password for the 'pi' account. From there you can use su/sudo as you'd normally expect.

Hope that helps!

KLL
Posts: 1453
Joined: Wed Jan 09, 2013 3:05 pm
Location: thailand

Re: Feedback pls: Remotely connect to your Raspberry Pi

Sun Sep 27, 2015 3:55 am

Elliot_M wrote:
> your preference would be if we created the home directory automatically?

yes, as for some not basic terminal tools ( like mc, wcd.. ) and for usual user settings '.bash_aliases'
it is needed.
( what you get from not creating it? )
and why is it not a full user? does it have a password?
what you could do is just use the password i use to login to your site ( at account creation )
as password for the linux user ( on RPI )
if no password is used your system could be copied and a hacker tool could just try your way of login??
can i modify it from my side and just give it a password and it will ask me in the terminal ( like putty )
for login?

Elliot_M wrote:
> So type 'su pi' and after pressing enter, type the password for the 'pi' account.

thanks @Elliot_M
worked well, i just misread your above post

Elliot_M wrote:
> for recent installs the dataplicity client now runs as an unprivileged user on your Pi. This means the shell will only open as an unprivileged shell: if you want superuser you have to type 'su' and enter your password for superuser.

___________________________________________________________________
i just checked on your webpage again and i want to stress what i write in my article
from your info here and from the webpage info, it is difficult to guess what it is doing?
ok, you say:

> Easy access via browser
> Log in to Dataplicity, select the device you want and access your remote shell. It's that simple!

so now i understand that you provide a terminal to my RPI in a browser.

seriously i must ask you: where is the button to connect to my desktop?

ianboag
Posts: 37
Joined: Thu Jul 17, 2014 5:08 am

Re: Feedback pls: Remotely connect to your Raspberry Pi

Fri Mar 04, 2016 2:34 am

For those of us who run a Pi on a 3G connection, what sort of data volume is involved for the "keep-alive" function?

Ian B

Heater
Posts: 14414
Joined: Tue Jul 17, 2012 3:02 pm

Re: Feedback pls: Remotely connect to your Raspberry Pi

Fri Mar 04, 2016 5:56 am

So I installed dataplicity.

Very easy, works as advertised.

One minor little issue: The page for my device fails to display disk usage. Like so:

Disk space: GB of NoneGB Used
Memory in C++ is a leaky abstraction .

Heater
Posts: 14414
Joined: Tue Jul 17, 2012 3:02 pm

Re: Feedback pls: Remotely connect to your Raspberry Pi

Fri Mar 04, 2016 7:05 am

As far as the "keep-alive" data usage goes. In one hour, with the terminal open in the browser and no other activity going on I saw 700KB come in on my Pi's WIFI interface and 11MB going out.

That's like 3KBytes per second!

What on Earth is it doing?
Memory in C++ is a leaky abstraction .

ghodan
Posts: 118
Joined: Fri Sep 18, 2015 6:05 am

Re: Feedback pls: Remotely connect to your Raspberry Pi

Fri Mar 04, 2016 9:00 am

Heater wrote:
> As far as the "keep-alive" data usage goes. In one hour, with the terminal open in the browser and no other activity going on I saw 700KB come in on my Pi's WIFI interface and 11MB going out.
>
> That's like 3KBytes per second!
>
> What on Earth is it doing?

The binary blob in the Pi that they do not want to remove yet is making your Pi communicate with the NSA. :lol:
