Monday, October 17, 2011

ssh and ddwrt

At Berkeley LUG I had a quick discussion about ssh, and since I have some things setup in my home network I thought it would be nice to share some details.

(Some names may be changed to protect the innocent.)

First of all I detail my network setup:

My roommate has Comcast internet with a Netgear router and behind that I have a WRT54G running DD-wrt.  The Netgear gives addresses in the 192.168.0.xxx And my DD-wrt is at a fixed ip 192.168.0.52 on the Netgear.

(In your own setup you would have one router and a linux server that is always on and running ssh server ready for connection.)  

Now the default port for ssh is 22.  But for security reasons it is common to listen on a different port -- a high one over 1024.  Lets say we use 12345 for the port. 

On the Netgear I set up forwarding  incoming port 12345 goes to 22 on 192.168.0.52  On most routers this can be set on a single page but on the Netgear it takes 2. 




And here is how ssh server is  set up in DDwrt.



Note what I have under the remote section.  I have enabled ssh remote management and set the port to 12345.  I recommend not enabling web management as this may not be very secure.  (The ddwrt version I am running has an unpatched vulnerability in its web server and it is not a good idea to expose this to the web)  Anyways I will show you soon how to access the web management through the ssh tunnel. 


  Next we go to the services tab.  In the secure shell section enable sshd and forwarding.  I don't like to use password login.  I prefer to use ssh keys instead and I feel it is much more secure. 

How does this work:  
I have a ssh server -- in this case it is the ddwrt router that I have at home.  

And I have a client -- a laptop that I take into Starbucks and I want it to connect to the ddwrt for access to my home network.  

On the laptop client I create a key pair which identifies the machine.  So when I try to initiate ssh connection the server (ddwrt) checks for the identity of the client (laptop in Starbucks) via these keys.  
I don't know how this works exactly, but this is how I understand it:  It uses a public/private key system.  Only one of the pair is ever sent over the net and if you have the other you can verify.  

On the laptop create a key pair: (commands italics and output in bold my comments are regular) 

tom@tom-eee:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/tom/.ssh/id_rsa):
.ssh/id_rsa2
Here entering nothing leaves the default /home/tom/.ssh/id_rsa but since I have one there already I save to (/home/tom).ssh/id_rsa2
Enter passphrase (empty for no passphrase): 
Password protect your key.  If you happen to leave your laptop unattended at Starbucks, a person without the password will be unable to unlock the key and make ssh connection to your home network. 
Enter same passphrase again:
Your identification has been saved in .ssh/id_rsa2.
Your public key has been saved in .ssh/id_rsa2.pub.
The key fingerprint is:
b5:a9:89:85:63:1a:31:54:0a:9e:39:76:2f:1e:ce:84 tom@tom-eee
The key's randomart image is:
+--[ RSA 2048]----+
|  . ...          |
| . = .           |
|  * =     .      |
| . + + . . o     |
|  E = = S o      |
|   = * + o       |
|    = . o        |
|                 |
|                 |
+-----------------+
tom@tom-eee:~$
ls .ssh
id_rsa  id_rsa2  id_rsa2.pub  id_rsa.pub  known_hosts

tom@tom-eee:~$ cat .ssh/id_rsa2.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDB9EHVndvq9O/4SoR7ZXiZ5E+QU8lecdWIBxlpoyRokJUNgnJoycK5qQUosMdwF/XDzmvXOB5UCMzpGPtNPnOYv1kl6zqcJ92kz0HB9YhhdzPKz7o3/WB+iG74gn+iHgHdfb4cHgL/afaDp2RADRANJ/cAKrP3sdWAyWCyZsSEsEjJlHFc1xx3OsNtmprEnFB8kI2h+aavOSlw6W0B36kU7PofjxMHNzLeMTUSmN6neoRjPHHu0u44HJIFLA8AEVzMealKOXpBXTWuKDyEGece5ijRVdrJlc83vcgbqrBJC70fHVZPl+3AM0AxjBKhiaBiJ+xRFywYGQ8zb1CuQm0j tom@tom-eee


The id_rsa.pub is the key file that you place on the server.  In the case of ddwrt you would copy all that (from the ssh-rsa to the you@machinename in my case it is tom@tom-eee) and paste into the Authorized Keys box.  Save and reboot ddwrt. 

Now lets try it out:  

tom@tom-eee:~$ ssh -p 12345 root@xxx.xxx.xxx.xxx
 The xxx are hiding my ip address.  Note the form -p 12345 specifies that I want to use ssh with port 12345 instead of the default 22.  root is the only user on DD-wrt, but typically you would use your own login.  @xxx.xxx.xxx.xxx is the ip address on the wan side of your router.  In my case it is the wan ip of my roommates Netgear router.
DD-WRT v24 std (c) 2008 NewMedia-NET GmbH
Release: 07/27/08 (SVN revision: 10011)
==========================================================

 ____  ___    __        ______ _____         ____  _  _
 | _ \| _ \   \ \      / /  _ \_   _| __   _|___ \| || |
 || | || ||____\ \ /\ / /| |_) || |   \ \ / / __) | || |_
 ||_| ||_||_____\ V  V / |  _ < | |    \ V / / __/|__   _|
 |___/|___/      \_/\_/  |_| \_\|_|     \_/ |_____|  |_|

                       DD-WRT v24
                   http://www.dd-wrt.com

==========================================================


BusyBox v1.11.1 (2008-07-27 16:38:08 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

root@DD-WRT:~# 


Ok now we are at a command prompt of my DDwrt router at home.  Hmmm, my mythtv server should be on right now recording a show.

root@DD-WRT:~# ssh tom@192.168.247.101
tom@192.168.247.101's password:
Linux tom-myth 2.6.32-34-generic #77-Ubuntu SMP Tue Sep 13 19:39:17 UTC 2011 x86_64 GNU/Linux
Ubuntu 10.04.3 LTS

Welcome to Ubuntu!
 * Documentation:  https://help.ubuntu.com/

3 packages can be updated.
0 updates are security updates.

Last login: Tue Oct 11 18:43:13 2011 from dd-wrt
tom@tom-myth:~$
pwd
/home/tom
tom@tom-myth:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION="Ubuntu 10.04.3 LTS"
tom@tom-myth:~$


So there I am in a ssh pipe to my ddwrt and from the ddwrt I ssh to my mythtv box.  But you know I normally use the mythweb page to set things up on mythtv.  

tom@tom-myth:~$ exit
logout
I get out of the ssh session to tom-myth
root@DD-WRT:~# exit
Get out of the ssh session to the ddwrt router


Ok let's access the ddwrt setup webpage through an ssh tunnel.
Here I do a port forward.  Forward my local port 8081 (localhost:8081 on my laptop) to port 80 on my ddwrt router over the ssh tunnel.  The command option is -L for forwarding a local port (i.e. localhost or 127.0.0.1).  next is the local port 8081 then the ip of the target machine (in this case the lan side ip address of ddwrt) then port 80 for the web server. 

>> Note we forward only high number local ports 8080 or anything over 1024 on localhost.  Low local ports are privileged and can only be forwarded by root. 

tom@tom-eee:~$ ssh  -p 12345 -L 8081:192.168.247.1:80 root@xxx.xxx.xxx.xxx
DD-WRT v24 std (c) 2008 NewMedia-NET GmbH
Release: 07/27/08 (SVN revision: 10011)
==========================================================

 ____  ___    __        ______ _____         ____  _  _
 | _ \| _ \   \ \      / /  _ \_   _| __   _|___ \| || |
 || | || ||____\ \ /\ / /| |_) || |   \ \ / / __) | || |_
 ||_| ||_||_____\ V  V / |  _ < | |    \ V / / __/|__   _|
 |___/|___/      \_/\_/  |_| \_\|_|     \_/ |_____|  |_|

                       DD-WRT v24
                   http://www.dd-wrt.com

==========================================================
sh: /usr/X11R6/bin/xauth: not found


BusyBox v1.11.1 (2008-07-27 16:38:08 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

root@DD-WRT:~#



Open a tab in Firefox and type localhost:8081




There we go -- this is the ddwrt web control panel.


Say I would like to access mythweb (the mythtv webserver running on my box at home.)  From the ddwrt status page I can see that my mythtv server has ip 192.168.247.101 So lets forward another local port, say 8080, to port 80 on 192.168.247.101 (my mythtv server) 


It is a nice trick that while you are in a ssh session you can modify it and add port forwards.  Just type at the above prompt:
~C
(Note the ~C won't show but the next prompt will appear
ssh> -L 8080:192.168.247.101:80
Forwarding port.


The 192.168.247.101 is the address of my mythbox and 80 is the port. The -L 8080 means forward localhost port 8080.  

So what happens  is a request from my laptop for  localhost:8080 is forwarded through the tunnel  to port 80 on 192.168.247.101 (the webserver on 192.168.247.101)  

You see the ddwrt router can forward packets to any of my home machines so I can reach any of them via a port forward. 

Lets open a tab in Firefox and enter localhost:8080/mythweb 


I can click on status to see what the mythtv server is up to:  


Well it is not currently recording but if I scroll down I see it has just finished recording and is searching and marking the commercials:  




Now lets say you want to access a windows machine on your network via RDP (remote desktop protocol)  Actually I don't have a windows machine currently but my mythtv server does RDP. 

root@DD-WRT:~# 
 ~C  
Get into command mode (~C won't appear but you will see the ssh prompt)
and we will forward  RDP (port 3389) on localhost to RDP on  mythtv (192.168.247.101)

ssh> -L 3389:192.168.247.101:3389
Forwarding port. 


Now we open an RDP client on my laptop (Terminal server client in Ubuntu) and
connect to RDP on localhost. 

 (connect button is hidden in the screenshot above as the dialog box is not resizable and my netbook has a low resolution) 



And here is the result.  This is my mythtv server desktop in a window on my laptop. 


That is it for now.  I hope it all makes sense.  

Soon I will have a post about forwarding remote ports.  Specifically an example showing how to access a server behind a firewall that won't allow incoming connections.  

And when I figure out for myself how to forward X, I'll be sure to let you know. 

No comments:

Post a Comment