All pages
Powered by GitBook
1 of 7

Installation FAQ

These guides cover our most commonly asked NoPorts installation questions

How to activate an atSignReuse your client atSign on another machineHow to name a deviceHow to generate SSH keysWhy activate the device atSign on the client?

How to activate an atSign

Steps for client and device atSigns

Overview

NoPorts software needs to be installed on both the machine you are going to connect to (device) and the machine you are going to connect from (client). NoPorts uses atSigns as addresses and you will need two, one for the client and one for the device

If you don't own a pair of atSigns/addresses, please visit the registrar before continuing.

Example client atSign

@sshnp_client

Example device atSign

@sshnp_device

Activate your atSigns

Activation of a particular atSign is only done once. During activation, cryptographic keys are cut and stored on your machine.

You will activate both the client atSign and the device atSign on your client machine, and you will then authorize your device(s) to use the device atSign.

Activate the client atSign

(1) Run the at_activate command for the client atSign

~/.local/bin/at_activate -a @<REPLACE>_client

(2) Enter the One Time Password (OTP) & Check your SPAM/PROMOTIONS folders

at_activate will pause and wait for the input of a one time pin (OTP) before you can continue. You should receive this pin to the contact information associated with the registration of your noports address (i.e. email or text message).

If you are using a gmail.com account we have seen that sometimes the OTP gets stuck in the SPAM or PROMOTIONS folder. If you do not see the OTP check those folders.

Once you receive the message, enter the pin into the application and press enter to continue. The application should proceed to create the cryptographic keys and store them in the ~/.atsign/keys/ directory with a filename that includes the atSign.

Activate the device atSign

1) Run the at_activate command for the device atSign

~/.local/bin/at_activate -a @<REPLACE>_device

2) Enter the One Time Password (OTP) & Check your SPAM/PROMOTIONS folders

Again, at_activate will pause and wait for the input of a one time pin (OTP) before you can continue. You should receive this pin to the contact information associated with the registration of your noports address (i.e. email or text message).

If you are using a gmail.com account we have seen that sometimes the OTP gets stuck in the SPAM or PROMOTIONS folder. If you do not see the OTP check those folders.

Once you receive the message, enter the pin into the application and press enter to continue. The application should proceed to create the cryptographic keys and store them in the ~/.atsign/keys/ directory with a filename that includes the atSign.

Reuse your client atSign on another machine

A review of two available methods

Want to use your atSign on a different machine?

You can:

A. Generate a new set of cryptographic keys (Recommended)

B. Copy the cryptographic keys from the machine where it's been activated in the past (Not recommended)

Option A) Generate a new set of cryptographic keys (Recommended)

To generate a new set of cryptographic keys, there are three main steps. They occur from two different machines, so pay careful attention to which machine you perform each step on.

"Old machine" is the machine that has the original set of cryptographic keys that were generated. "New machine" is the device you want the new set of cryptographic keys on. These new keys will have restricted permissions that only work with NoPorts, and cannot be used for generating other keys.

  1. [Old machine] Generate a Passcode

  2. [New machine] Enroll the new key pair (send a request for keys from the new machine)

  3. [Old machine] Approve the request

For detailed instructions, follow this guide:

Generate a new set of cryptographic keys

Option B) Copy the cryptographic keys from the machine where it's been activated in the past (Not recommended)

  • The atSign keys file will be located at ~/.atsign/keys/ directory with a filename that will include the atSign. Copy this file from your other machine to the same location on the machine that you are installing SSH No Ports on, using scp or similar.

Why don't we recommend this approach?

When you use method A, it creates a new set of cryptographic keys. These keys can be disabled individually, which means if a device's keys are compromised, you can disable those keys without affecting your other devices.

Generate a new set of cryptographic keys

"Old machine" is the machine that has the original set of cryptographic keys that were generated. "New machine" is the device you want the new set of cryptographic keys on.

Step 1) Generate a passcode from your Old machine

Choose the operating system that is running on your old machine.

Make sure to replace <REPLACE_client> with your client atSign

~/.local/bin/at_activate otp -a @<REPLACE_client>

1.1 Open the Windows installer program and click "Manage Keys"

1.2 Enter the atSign you wish to manage and click "Next"

1.3 Click "New OTP"

1.4 Wait a few seconds for the OTP to appear then proceed to Step 2 on the New machine

Step 2) Make an authorization request on your New machine

Choose the operating system that is running on your new machine.

Make sure to replace the appropriate values: <REPLACE_client> with your client atSign <client_device_name> with a unique name for the device <PASSCODE> with the passcode from Step 1

~/.local/bin/at_activate enroll -a @<REPLACE_client> \
  -s <PASSCODE> \
  -p noports \
  -k ~/.atsign/keys/@<REPLACE_client>_key.atKeys \
  -d <client_device_name> \
  -n "sshnp:rw,sshrvd:rw"

2.1 Open the Windows Installer and click "Generate Keys"

2.2 Enter the atSign you wish to transfer and click "Next"

2.3 Enter the OTP then press "Generate"

2.4 Proceed to Step 3. Once the request has been approved in Step 3, you should see this screen

Step 3) Approve the request on your Old machine

Choose the operating system that is running on your old machine.

Make sure to replace <client_device_name> with the device name from Step 2

~/.local/bin/at_activate approve -a @<REPLACE_client> \
  --arx noports \
  --drx <client_device_name>

If you aren't already on the "Manage Keys" screen, follow Steps 1.1 and 1.2 above.

3.1 Once step 2 is complete press refresh and the new request will appear

3.2 Approve or Deny the request

  • If the request looks incorrect, then press "Deny" to deny it, and start the process again.

  • If the request looks correct, then press "Approve" to approve it.

3.3 Once the request is approved, it should disappear from the installer, the new machine's enrollment should complete in a few seconds.

How to name a device

Each device atSign can be used for multiple devices and so each device needs a unique name.

The device name is limited to alphanumeric snake case (lowercase alphanumeric separated by _ ) up to 36 characters.

Example snake case device names

my_host
canary02
oci_mail_0001
dc_001_row_009_rack_0067_ru_014

How to generate SSH keys

Using ssh-keygen

SSH uses keys to authenticate as well as having a fallback of using passwords, but using keys is easier and more secure than "mypassword!". If you already are a seasoned user of SSH then you might have keys already, but if not, then on the client machine you can create a key pair using ssh-keygen.

Example ssh-keygen command to create SSH Key Pair

ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519

Why activate the device atSign on the client?

When you activate an atSign, you are doing a handful of steps to prepare the atSign for use. One of these steps is cutting a unique set of cryptographic keys.

The first time you activate, this set of keys that gets generated is a set of management keys. These keys have full permissions to your atServer, the personalized service which powers your atSign.

We recommend cutting the management keys on the client for a few reasons:

  1. It's extremely important that you don't lose these keys:

    1. They are less likely to get lost on your client machine than on your device.

    2. If a device is stolen you still have your management keys to recover from the theft.

  2. For each device we can issue it's own set of cryptographic keys which has a few perks:

    1. This allows us to limit the permissions of those keys to the bare minimum required for NoPorts.

    2. If a device gets compromised, we can safely revoke that set of cryptographic keys, and limit the impact to your other devices.