Introduction

This blog entry collects some unsorted instructions on how to set up the popular Turris Omnia appliance.

Prerequisites

  • Turris Omnia with OS version 3.7 or higher
  • Completion of the initial setup (first run) at a minimum

Preparation

zsh

  • Install some pre-requisites:
opkg update && opkg install zsh
  • Change the desired user’s shell in /etc/passwd (vi /etc/passwd), replacing /bin/ash with /bin/zsh on that user’s line, e.g. for root:
root:x:0:0:root:/root:/bin/ash becomes root:x:0:0:root:/root:/bin/zsh
  • Reboot and SSH into the box again

Sudo user

  • SSH into the box (as root)
  • Install some pre-requisites:
opkg update && opkg install sudo shadow-useradd
  • Add a new user, let's say zak (and configure as needed):
useradd zak
# set zak's password (the passwd prompt asks for it, e.g. supersecret)
passwd zak
mkdir -p /home/zak
chown zak:zak /home/zak
chmod 750 /home/zak
  • Modify the sudoers config as needed: visudo
# Allow all users in the wheel group to execute any cmd as root
%wheel ALL=(ALL) ALL
  • Add the newly created user to the wheel group:
# the wheel group may not exist yet
groupadd wheel
# -G sets the supplementary group list, which is fine for a freshly created user
usermod -G wheel zak
  • Logout and SSH into box with the new user
  • Test if sudo works as expected:
sudo -l

Secure Web Interface

  • The following web server config assumes self-signed certificates, which is not recommended for production!
  • Install some pre-requisites:
opkg update && opkg install lighttpd-mod-redirect
  • Modify the following ssl config: sudo vi /etc/lighttpd/conf.d/ssl-enable.conf
$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd-self-signed.pem"
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
        ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
        ssl.honor-cipher-order = "enable"
}

$SERVER["socket"] == "[::]:443" {
        ssl.engine  = "enable"
        ssl.pemfile = "/etc/lighttpd-self-signed.pem"
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
        ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
        ssl.honor-cipher-order = "enable"
}

$HTTP["scheme"] == "https" {
        # Add the 'HTTP Strict Transport Security' (HSTS) header to all HTTPS responses
        setenv.add-response-header += ( "Strict-Transport-Security" => "max-age=31536000; includeSubDomains" )
}
  • Add the following fragment to the web server config (just after the IPv6 listener line): vi /etc/lighttpd/lighttpd.conf
# Redirect http to https
$HTTP["scheme"] == "http" {
        $HTTP["host"] =~ ".*" {
                url.redirect = (".*" => "https://%0$0")
        }
        setenv.add-environment = (
                "HTTPS" => "on"
        )
}
  • Restart the web server and check that lighttpd is listening on ports 80 and 443:
/etc/init.d/lighttpd restart
netstat -tulpen
  • On a separate client, test the configured ciphers and protocols:
nmap --script ssl-enum-ciphers -n -p 443 192.168.1.1
  • Open a web browser and enter the router's IP address or host name without https:// to check that you are redirected
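As an added example (not part of the original post), the following script lints a lighttpd config offline for the hardening settings from the two fragments above: SSL engine on, SSLv2/SSLv3 off, cipher order honoured, HSTS header set and http-to-https redirect present. The two sample configs it checks are constructed inline; the function name check_lighttpd_tls is an assumption of this example.

```shell
# Added example, not from the original post: an offline lint for the lighttpd
# hardening settings described above. It greps a config file for each setting
# the post enables and reports the missing ones. Sample configs are constructed.

check_lighttpd_tls() {
    cfg="$1"
    missing=""
    # Each rule is "<label>|<regex that must match at least one line>".
    for rule in \
        'ssl-engine|ssl\.engine[[:space:]]*=[[:space:]]*"enable"' \
        'sslv2-disabled|ssl\.use-sslv2[[:space:]]*=[[:space:]]*"disable"' \
        'sslv3-disabled|ssl\.use-sslv3[[:space:]]*=[[:space:]]*"disable"' \
        'cipher-order|ssl\.honor-cipher-order[[:space:]]*=[[:space:]]*"enable"' \
        'hsts|Strict-Transport-Security.*max-age=' \
        'http-redirect|url\.redirect[[:space:]]*=.*https://'
    do
        label=${rule%%|*}
        regex=${rule#*|}
        grep -Eq "$regex" "$cfg" || missing="$missing $label"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
}

# Constructed sample: the settings from the post, condensed into one file.
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
        ssl.honor-cipher-order = "enable"
}
$HTTP["scheme"] == "https" {
        setenv.add-response-header += ( "Strict-Transport-Security" => "max-age=31536000; includeSubDomains" )
}
$HTTP["scheme"] == "http" {
        url.redirect = (".*" => "https://%0$0")
}
EOF
# Constructed weak sample: SSLv3 left at its default and no HSTS header.
WEAK_CFG=$(mktemp)
grep -Ev 'sslv3|Strict-Transport' "$GOOD_CFG" > "$WEAK_CFG"
check_lighttpd_tls "$GOOD_CFG"            # prints: ok
check_lighttpd_tls "$WEAK_CFG" || true    # prints: missing: sslv3-disabled hsts
```

Run it against /etc/lighttpd/conf.d/ssl-enable.conf and lighttpd.conf concatenated to confirm nothing was lost while editing; it complements, not replaces, the nmap cipher scan above.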