NVIDIA Tegra
NVIDIA DRIVE OS 5.1 Linux SDK

Developer Guide
5.1.15 Release


 
Host/Target Setup and Configuration
 
This topic describes how to set up networking between the host system and the target system, the target user account, and the environment for cross-compilation.
DRIVE OS Linux User Setup
When you power on the system for the first time, you are prompted to enter a username, enter a password, and confirm the password.
The following steps are the sequence of prompts to set your username and password.
1. Allow the system to power on and boot up the operating system. Once the operating system boots, you are prompted to enter a username.
Please enter new username to replace username nvidia and press enter:
2. If you do not see a prompt, press ENTER on the keyboard and the service re-prompts as follows:
New username is empty.
Please enter new username to replace username nvidia and press enter:
Enter a valid username that satisfies the regex ^[a-z_][a-z0-9_-]{0,31}$, which implies:
The username must start with a lowercase letter or an underscore (_).
The second and subsequent characters can be lowercase letters, numbers, underscores (_), or hyphens (-).
The username must be no more than 32 characters long.
The backspace keystroke is not available when entering the username due to bash shell limitations. Using the backspace keystroke produces an invalid character (^H) in the username, and submitting the invalid username causes the system to shut down. Restart the system to retry.
If you enter an incorrect username and want to correct it, press [backspace] to invalidate the username and then press [ENTER]. The system shuts down, and you can restart the system to retry.
3. After entering the username, you are required to enter a valid password. Enter a valid password and then re-enter the same password as a confirmation.
Enter new UNIX password:
Retype new UNIX password:
If the passwords do not match, drive-usersetup executes a system shutdown.
If the password entered is empty, you get two (2) more chances to set a non-empty password. If you fail all three (3) tries, drive-usersetup executes a system shutdown.
4. After entering a valid password, the user account is successfully set up and drive-usersetup displays the banner below.
==============================================================
Your username and password has been successfully set!
Please login using the new username nvidia and password set above.
Please note your username and password, as you will not be able to reset/recover your username or password. If either is lost, please re-flash the platform as per SDK documentation.
==============================================================
When you press the [ENTER] key, the system continues to boot to a login prompt where you are required to enter your username and password.
If you provide an invalid username or password, the system shuts down gracefully. If this happens, you can power the system on again and DRIVE OS Linux User Setup prompts from the beginning. The DRIVE OS Linux user setup continues to prompt the end-user until the user setup is successfully completed.
DRIVE OS Linux User Management
NVIDIA DRIVE OS Linux uses Ubuntu’s tools to manage users. Only admin-users (i.e., sudoers or root user) can change user accounts. The following steps assume that you are an admin user. Enter the password of your current user.
Steps to Change the Username and Password
The following steps describe how to change your username and password in the DRIVE OS Linux filesystem.
Changing the Username
1. Enable the administrative account.
Enable the root administrative account by setting a password for the root account. Use the following command to set a password for the root account. You will be prompted for the password of your current user.
$ sudo passwd
2. Close existing user sessions.
Log out of any and all sessions, including GUI and consoles of the user that you are changing the username for. You cannot change the username if a session is still alive.
Use the following command to exit console sessions:
$ exit
3. Log in to the system as the root account.
After completing step #2, you will be presented with a login prompt. Proceed to log in using the credentials you established for the root account.
4. Change the username.
Change the username of the user from ${USERNAME1} to ${USERNAME2} with the following commands:
$ usermod -m -d /home/${USERNAME2} -l ${USERNAME2} ${USERNAME1}
$ groupmod -n ${USERNAME2} ${USERNAME1}
Log out of the root account using the following command:
$ exit
You have successfully changed the username. Proceed to log in with the new username.
Changing the Password
1. Enter the following command to update the password.
$ passwd
Enter your existing password and enter the new password.
Changing password for <user>.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully.
2. Enter the current password and then the new password.
Adding a Non-Admin User
Execute adduser with the new username as input and fill in the information when prompted.
$ sudo adduser test
Example
Adding user `test' ...
Adding new group `test' (1001) ...
Adding new user `test' (1001) with group `test' ...
Creating home directory `/home/test' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for test
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] Y
Adding an Admin User
Create an admin user with the following two steps:
1. Create a non-admin user <user> by following the instructions in the section Adding a Non-Admin User above.
2. Make the created user <user> an admin user with the command below. Enter the password of your current user.
$ sudo usermod -a -G adm,audio,cdrom,dialout,dip,floppy,plugdev,sudo,video,weston-launch <user>
Removing a User
The steps to remove an admin user or a non-admin user are identical. Removing users using the steps below also removes their /home/<user> directory.
To remove a user:
$ sudo deluser --backup --remove-home <user>
This backs up and creates a tarball (<user>.tar.bz2) of the deleted user data in the current working directory.
Setting Password as an Admin User
As admin-users are sudoers, they can set the password of any user account with username <username> using the command below. Enter the password of your current user.
$ sudo passwd <username>
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully.
Updating Self-Password as a Non-Admin User
Non-admin users can only update their own passwords. The steps below update your user account’s password:
1. Enter the following command:
$ passwd
Enter your existing password and enter the new password.
Changing password for <user>.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully.
2. Enter the current password and then the new password.
 
DRIVE OS Linux SSH Server
Note:
In DRIVE OS Linux filesystems, SSH server keys and user accounts are not persistent across flashing. After re-flashing, new user accounts and new SSH server keys are created and the old ones are destroyed.
Setting Up SSH Server Service
NVIDIA DRIVE OS Linux filesystems contain the SSH server facility. Use the steps below as root user to start and configure SSH server service to run on every boot:
1. Remove the stamp file to unblock SSH server:
$ sudo rm -f /etc/ssh/sshd_not_to_be_run
2. Start SSH server service on the current boot:
$ sudo systemctl start ssh
3. Start service to add SSH host-keys to the target:
$ sudo systemctl start nv_ssh_host_keys
After completing the steps above, the SSH server service is started, and is run on every boot. SSH clients may now connect to this SSH server.
SSH Server Configuration File
NVIDIA DRIVE OS Linux contains an SSH server configuration file sshd_config that pre-configures the following:
Permits only connections with an Elliptic Curve Digital Signature Algorithm (ECDSA) host key.
Disables compression.
Permits specific key exchange, host signature, and session encryption algorithms.
NVIDIA DRIVE OS Linux recommends that you configure strong security options for the following SSH parameters:
Client Verification via key exchange: the KexAlgorithms parameter in sshd_config sets the supported key type(s) for client verification.
Host Signature: the HostbasedAcceptedKeyTypes parameter in sshd_config sets the supported key type(s) for host verification.
Session Encryption: the Ciphers parameter in sshd_config sets the supported SSH session encryption algorithm(s).
The table below lists recommended strong values for these parameters; the default option is marked (Default).
 
| Option | Client Verification | Host Signature | Session Encryption |
|---|---|---|---|
| 1 | ecdh-sha2-nistp256: ECDH [SP 800-56A] over secp256r1 [SEC2-V2] with SHA-256 [FIPS 180-4] | ecdsa-sha2-nistp256-cert-v01@openssh.com: ECDSA [FIPS 186-4][ANS X9.62] over secp256r1 [SEC2-V2] with SHA-256 [FIPS 180-4] | aes128-gcm@openssh.com: GCM [SP 800-38D] with AES-128 [FIPS 197] |
| 2 | ecdh-sha2-nistp384: ECDH [SP 800-56A] over secp384r1 [SEC2-V2] with SHA-384 [FIPS 180-4] | ecdsa-sha2-nistp384-cert-v01@openssh.com: ECDSA [FIPS 186-4][ANS X9.62] over secp384r1 [SEC2-V2] with SHA-384 [FIPS 180-4] | aes256-gcm@openssh.com: GCM [SP 800-38D] with AES-256 [FIPS 197] |
| 3 | (Default) ecdh-sha2-nistp521: ECDH [SP 800-56A] over secp521r1 [SEC2-V2] with SHA-512 [FIPS 180-4] | (Default) ecdsa-sha2-nistp521-cert-v01@openssh.com: ECDSA [FIPS 186-4][ANS X9.62] over secp521r1 [SEC2-V2] with SHA-512 [FIPS 180-4] | (Default) aes256-gcm@openssh.com: GCM [SP 800-38D] with AES-256 [FIPS 197] |
Switching Options in the SSHD Configuration File
DRIVE OS Linux contains the snippets for all three (3) options with exactly one option (option 3) enabled as shown below. Options 1, 2, and 3 are mutually exclusive: exactly one option can be active at a time.
# option 1
# Use algorithms as per DRIVE recommended options: 1,2, or 3
#KexAlgorithms ecdh-sha2-nistp256
#HostbasedAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com
#Ciphers aes128-gcm@openssh.com
# option 2
#KexAlgorithms ecdh-sha2-nistp384
#HostbasedAcceptedKeyTypes ecdsa-sha2-nistp384-cert-v01@openssh.com
#Ciphers aes256-gcm@openssh.com
# option 3 (default)
KexAlgorithms ecdh-sha2-nistp521
HostbasedAcceptedKeyTypes ecdsa-sha2-nistp521-cert-v01@openssh.com
Ciphers aes256-gcm@openssh.com
To switch from one option to another:
1. Comment out the three (3) lines corresponding to the current option.
2. Uncomment the three (3) lines corresponding to the new option.
3. Restart SSHD using the command below as the root user:
$ sudo systemctl restart ssh
As an example, assume that the current option is option 3 (from the snippet above). To switch to option 2, execute the following steps:
1. Comment out the three (3) lines following # option 3.
2. Uncomment the three (3) lines from the line below # option 2 until the line above # option 3.
3. Restart SSHD using the command below as the root user:
$ sudo systemctl restart ssh
4. SSHD now uses encryption algorithms from option 2.
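The switch procedure above, scripted as an added example (not code from NVIDIA or the DRIVE OS SDK): switch_option rewrites the option blocks so that only the chosen option is uncommented, and active_option confirms that exactly one complete option is enabled. The function names are made up for this example, and the sample file is constructed by reproducing the snippet shown above.

```sh
#!/bin/sh
# Added example, not NVIDIA code. Works on the option blocks shown above.

# Print the one fully enabled option in file $1; fail on none, several, or a partial block.
active_option() {
    awk '
        /^# option [123]/ { opt = $3; next }
        opt && /^(KexAlgorithms|HostbasedAcceptedKeyTypes|Ciphers)[ \t]/ { n[opt]++ }
        END {
            for (o = 1; o <= 3; o++) {
                if (n[o] == 3) { full++; pick = o } else if (n[o] > 0) bad++
            }
            if (full != 1 || bad) exit 1
            print pick
        }' "$1"
}

# Rewrite file $1 in place so that only the three lines of option $2 are uncommented.
switch_option() {
    case $2 in 1|2|3) ;; *) echo "option must be 1, 2 or 3" >&2; return 2 ;; esac
    tmp=$(mktemp) || return 1
    awk -v want="$2" '
        /^# option [123]/ { opt = $3 }
        opt && /^#?(KexAlgorithms|HostbasedAcceptedKeyTypes|Ciphers)[ \t]/ {
            sub(/^#/, ""); if (opt != want) $0 = "#" $0
        }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps the file's owner and mode
    rc=$?; rm -f "$tmp"; return $rc
}

# Constructed sample: the snippet as shown on the page (option 3 active).
write_sample() {
    cat > "$1" <<'EOF'
# option 1
# Use algorithms as per DRIVE recommended options: 1,2, or 3
#KexAlgorithms ecdh-sha2-nistp256
#HostbasedAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com
#Ciphers aes128-gcm@openssh.com
# option 2
#KexAlgorithms ecdh-sha2-nistp384
#HostbasedAcceptedKeyTypes ecdsa-sha2-nistp384-cert-v01@openssh.com
#Ciphers aes256-gcm@openssh.com
# option 3 (default)
KexAlgorithms ecdh-sha2-nistp521
HostbasedAcceptedKeyTypes ecdsa-sha2-nistp521-cert-v01@openssh.com
Ciphers aes256-gcm@openssh.com
EOF
}
```

On the target, run switch_option as root against /etc/ssh/sshd_config, check the file with sshd -t, and then restart SSHD as in step 3.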
SSHD Disabling Password-Based Authentication
The SSHD shipped with DRIVE OS Linux allows password-based authentication as a fallback when key-based authentication is not available. If password-based authentication is disabled, the client and server must connect through key-based authentication. The following sections describe how to set up new keys, register them, disable the password, and use those keys to authenticate (instead of the password) to the SSH server.
Create a new key-pair at the client side
The first step is to create a public/private key pair using the command:
$ ssh-keygen -t ecdsa
Continue through the prompts by pressing ENTER; the key pair is saved to ~/.ssh.
Set up the server side to register key and disable password authentication
The next step is to copy the contents of the client public key ~/.ssh/id_ecdsa.pub created above to the server path /etc/ssh/authorized_keys as the root user.
Open /etc/ssh/sshd_config and at the end of the file, add the following line (as root user):
PasswordAuthentication no
The above changes register the key and disable password authentication at the server side. Restart SSHD using the following command as the root user:
$ sudo systemctl restart ssh
Use the new key at the client side to connect to the server
Only the user who created the key can log in to the SSHD server (using the registered keys). At the client side, connect to the server using the ssh command:
$ ssh <user>@<target_ip>
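A check for the server-side step above, as an added example (not NVIDIA code): sshd uses the first value it reads for each keyword, so the appended PasswordAuthentication no only takes effect if no earlier uncommented PasswordAuthentication line exists. The function names and the two sample files are constructed for illustration; the parser assumes whitespace-separated keyword/value lines and does not follow Include directives or Match blocks.

```sh
#!/bin/sh
# Added example, not NVIDIA code. sshd uses the FIRST value it reads for a keyword,
# so "PasswordAuthentication no" appended at the end of sshd_config has no effect
# if the keyword is already set (uncommented) earlier in the file.

# Print the global value of keyword $2 in config file $1 (lower-cased); fail if unset.
# Assumption: whitespace-separated "Keyword value" lines, no Include directives.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        tolower($1) == "match" { exit }          # global scope ends at the first Match
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) exit 1 }
    ' "$1"
}

# Succeed only if password logins are really off (sshd's default when unset is "yes").
password_auth_disabled() {
    [ "$(effective_value "$1" PasswordAuthentication)" = "no" ]
}

# Constructed samples: the same appended line, with and without an earlier setting.
write_samples() {   # $1 = directory to write into
    printf '%s\n' 'Ciphers aes256-gcm@openssh.com' '#PasswordAuthentication yes' \
        'PasswordAuthentication no' > "$1/appended_ok"
    printf '%s\n' 'PasswordAuthentication yes' 'Ciphers aes256-gcm@openssh.com' \
        'PasswordAuthentication no' > "$1/appended_ignored"
}
```

On the target, sudo sshd -T prints the configuration sshd actually resolves, including the passwordauthentication value, and is the authoritative check after the restart.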