General tips about protection against locking yourself out

[CecilWard]

Having just locked myself out by fiddling around with config (I strongly suspect) and stuffing up SSH, I just want to ask if there are any completely general tips for protecting yourself from getting locked out by config changes, user account / password changes or bad updates?

Ideas (very vague, ignorant, ill-defined):

* backdoors (well-secured ones), auxiliary protocols for remote admin;

* second user account

*'Revert config' batch jobs that run in a timer, back up the config and auto-revert it on a timeout. (My router has exactly this, auto protection against not being able to log in to it following a bad config change). But of course, such things had to be written, and correctly, no bugs, and you have to remember to set the timer. Could perhaps try and automate such with something general and re-usable.

*backups - don't know how to do a general complete backup, and in any case could not do a restore if I am locked out.

[Imperf3kt]

I'd go the backup route
Take SD card out, insert in another computer
Copy config file to said computer
Put SD card back in Pi and mess with it to your content.

[rpdom]

Backups. Get a second SD card and a USB card reader. Run the SD Card Copier program. Now you have a ready to use backup of your system. Then go and make changes. If they break your system, switch to the backup card and run the backup again to set the other card to a good state - or use it to edit the files on the original card to fix the problem

[ab1jx]

Write your user and root passwords on paper someplace safe. Know that there's a single-user mode so that even if somebody changes your password you can still boot that way and get in. (It has no password at all)

[Burngate]

From CecilWard's other threads*, it appears he may not be easily able to access his Pi, so a second SD card and card reader may not be his optimum solution.
Also, a piece of paper with things written on would be a waste of effort since he uses an ipad on which he can write things and keep safe.

I don't have an answer, sorry about that.

* He lives in Skye and complains of "physical and cognitive limitations". The first two may be true but the last is just bone-in-the-leg.

[CecilWard]

Bone-in-the-leg?

I do live in Skye, Scotland. I suffer from severe ME which means that I am partially bed-bound, although I can make it to the bathroom on my own. Cognitive limitations means that I get confused because of fatigue and pain, the symptoms of ME and also all the many very heavy pain drugs that I am on. So concentration is often impossible, memory is shot and I am not that great at googling things for some reason. I am a very experienced professional asm and C programmer worked in r+d for an operating systems company for many years.

I recruited several people to physically help me get the pi set up headless. Took over a year tho.

I can't sit upright for long because of pain and dizziness/nausea, I am not practically able to sit upright at a desk and have given up on using my various desktop PCs altogether so I use an iPad all the time which I can use lying down. I was using my pi over a LAN via ssh.

[gkaiseril]

If one edits any of the configuration files and cannot edit the file to undo the change, then the backup or rebuild from the start is the only option. Having a backup SD card sounds like a better answer. You probably need an assistant that has some knowledge of computers to help with the backup and restore.

[Burngate]

I'm sorry, Cecil, didn't mean to come across as uncaring - it was just that, here, you appear to have better cognitive abilities than many posters. Maybe it's because you can use English more fluently than some.
As for Skye, it's one of the places I've always wanted to go. Despite Sir Harold Boulton's Victorian song. Apart from anything else, its geology is fascinating. https://en.wikipedia.org/wiki/Geology_of_Skye
Precambrian gneisses, Paleogene basalt and gabbro, ...

I still don't have an answer, but your idea of "'Revert config' batch jobs that run in a timer, back up the config and auto-revert it on a timeout" seems interesting.
Perhaps it would be possible to permanently install a usb stick, with base-line system on it, such that if the Pi can't boot from the SD card it'll boot from usb.
Not being the master-coder that would be required for the job, I wish someone else would have taken up the idea and run with it.

[karrika]

I can see several ways to make fault tolerant systems.

1) Replicating. The Pi's are fairly cheap. If you have two fully working systems and one breaks you can still use the other while the 1st one is fixed. This approach is used widely on ships. They have dual chart displays, dual radars end so on.

2) Kiosk mode. You could restrict your operations to run in a sandbox that won't affect the health of the Pi.

3) Serial console as back door. I believe that Adafruit had some USB-serial console cable that you could use to connect to your Pi when the network is down.

[CecilWard]

Regarding cognitive abilities. I'm posting here now because I can. Now. At the moment. When I'm bad, you won't hear from me, because I can't function, what with pain / extreme fatigue / drunkenness, too many opiates for the pain. And mental effort with severe ME sufferers causes a backlash of extreme fatigue much later (like jet lag, 4am suddenly woken up with hangover) , and in my case also pain and 'malaise' (like very bad flu). So writing code has to be paid for the day after the next day, typically about 12-36 hours time lag.

But I find a lot of physical tasks very confusing, like a drunk man trying to get keys into a lock. I can't wish myself sometimes because I can't remember what to do. I can't make a cup of tea, just too confused.

Being upright causes horrible fainting feeling and nausea after a few mins.

I also have unexplained neuropathic pain - intense burning especially in legs or feet. This may be something separate.

I don't use a PC anymore because I'm 98% confined to bed. iPad is great because I can do everything lying down. I did have lots of Win NT family boxes including a laptop, but gave up on all of them, especially laptop because of really bad pain in hands. I could in theory use a laptop in bed, but hand pain would be very bad news. But in any case, Windows boxes just aren't really relevant to me nowadays. Might repurpose one of the old boxes as a BSD or Linux server though some day, but I have a huge amount of sysadmin learning to do first, which is where the pi comes in, one of the reasons anyway.

[KLL]

it may me OFF but did you ever try realVNC,
-a- (now) you see / use the same display as you would on a HDMI TV
( what creates funny situations, can look at TV but operate mouse from tablet... )
-b- can have multiple terminal windows open and zoom in
-c- can close and open same window again later
-d- zoom is 2 finger operation / mouse, typing ... 1 finger

here see RPI3 on my 7" tablet

with terminal and mc window open

and zoom into terminal and use android keyboard

[CecilWard]

@karrika

Good tips

The two systems thing is a good idea. But any thoughts about easiest ways to bring system a up to date with system b when a change later comes to be regarded as 'safe' after a while?

I really need some way of doing easy backups and version rollback as well. I'd like to find out out about backup + restore alternatives that don't need a lot in the way of physical capabilities, given my personal situation. If this were an immensely huge and powerful system I would be looking at VM emulators and simoly copying an entire virtual-hd image file, which I have done in the past on windows nt boxes using microsoft's free vm system. But even if such a thing were available it wouldn't make sense on a pi, too greedy and would ruin performance horribly so much that it would be simply a show-stopper.

I wonder if I could find some piece of kit that could make backup copies of an entire sd card easily. A second pi used as a copier maybe? (Can't use a pc for this, as explained in the 'disability' post.) Could get friends to do this for me, but being a pest all the time is quite humiliating.

I wonder if anyone has already written something to make a set of backups of all critical config files to some suitable location? But *where to*, a very important question, unclear to me. And would have to be easily extensible so that more files can be added to the critical list. Finding them all and making sure nothing is missing would be difficult and getting it wrong would screw everything up. Dress rehearsals would be an onerous nightmare, without a vm to play in maybe. Perhaps one approach to locating all such files needed would be looking at 'last read access time' timestamps in filesystem metadata after a boot+login sequence, but I would be amazed if such a feature were available, seeing as, in NT anyway, such technology is normally turned off even if available because it absolutely knackers performance to utter buggery beyond belief. And then some. In any case, even if you could build such a thing, and you choose an appropriate location to park the copies in, how to do a restore, when the whole point is that the system is probably knackered. This is the territory of bootloaders on some systems, or bare-metal restore tools that don't need an o/s, or the likes of WinPE. NT's last-known-good thing isn't necessarily enough for what I would need, as it doesn't necessarily understand my definition of 'good'.

[CecilWard]

@karrika option 2 - 'kiosk mode' ? Would that be using a VM to sandbox things?

And option 3 - I ought to check this out. If I can find the right hardware converters - I might be able to get some help to hook up the pi's serial device to a protocol converter, so I could talk to the pi from my iPad over the Lan. - see other thread on that topic

[karrika]

I really need some way of doing easy backups and version rollback as well. I'd like to find out out about backup + restore alternatives that don't need a lot in the way of physical capabilities, given my personal situation. If this were an immensely huge and powerful system I would be looking at VM emulators and simoly copying an entire virtual-hd image file, which I have done in the past on windows nt boxes using microsoft's free vm system. But even if such a thing were available it wouldn't make sense on a pi, too greedy and would ruin performance horribly so much that it would be simply a show-stopper.

The way I would do is to use the cloud for all documents and conf files. A "cloud" could also just be an USB stick on the Pi.

Backing up the entire SD card is not important. The software changes and updates all the time.

So the best way to restore a SD card would be to install a stock raspbian and install the extra packages you are using. After that copy your personal changes to conf files in the /etc directory and reboot.

There is a cool command that you can use to get a list of packages you have in your pi.

Code: Select all

apt-mark showmanual > pkglist

This shows which packages you have installed manually. You can also mark packages as "auto" or "manual" with the apt-mark command.

You can also set a package back to auto with

Code: Select all

apt-mark auto pkgname

The packages marked "auto" are just dependencies that come automatically if needed.

If you want to install the same packages to another pi you can simply use xargs.

Code: Select all

xargs sudo apt-get install < pkglist