Monday 23 January 2012

OPENWRT - Reverse tunnel with SSH

I want to reach a router that is connected to the Internet through a USB dongle used as its gateway. The problem is that my network provider puts the dongle behind a NAT, so it has no public IP address and cannot be reached from outside.
The solution is a "reverse tunnel" (in this case over SSH) that is initiated from the remote host we want to reach (the OpenWRT router) towards an SSH server, which in my case is an Ubuntu 10.04 box.
OpenWRT uses dropbear as its SSH client, a lightweight implementation whose public key authentication is compatible with standard OpenSSH.


Generate a key pair on the OpenWRT router with dropbear in the .ssh folder. NO KEY FILES MUST ALREADY BE INSIDE THIS FOLDER, OTHERWISE DROPBEARKEY WILL EXIT WITH AN ERROR!

root@OpenWrt:~/.ssh# cd /root/.ssh/
root@OpenWrt:~/.ssh# dropbearkey -t rsa -f id_rsa


The output should be something like this:

root@OpenWrt:~/.ssh# dropbearkey -t rsa -f id_rsa
Will output 1024 bit rsa secret key to 'id_rsa'
Generating key, this may take a while...
Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgwCZfO3SRHCmekstO+tLRS4Yj3a0/8tCeWgXbQLI+3dv+wqZKS1wfOlLviRA9yj124CoAAAAB3NzaC1yc2EAAAADAQABAAAAgwCZfO3SRHCmekstO+tLRS4Yj3a0/8tCeWgXbQLI+3dv+wqZKS1wfOlLviRA9yj124Co
V6GRZbzPmJ+b root@OpenWrt
Fingerprint: md5 ac:a4:aa:f8:a2:a7:e8:ae:b9:ad:aa:2e:a4:eb:a0:a7


Copy the public key string printed above (ssh-rsa ..... root@OpenWrt) into the authorized_keys file in the .ssh folder of the SSH server. I saved that line into a file named authorized_keys on the router and used the scp command, but you can do it any way you like, by hand for example.


root@OpenWrt:~/.ssh# cd /root/.ssh/
root@OpenWrt:~/.ssh# scp -P 1022 authorized_keys USER_SERVER@SERVERSSH:/home/USER_SERVER/.ssh/

Now it should be possible to authenticate with the public key, without a password.

Note that these two commands are equivalent with the dropbear client:

root@OpenWrt:~/.ssh# dbclient -i ~/.ssh/id_rsa -y -p 1022 USER_SERVER@SERVERSSH #equivalent to
root@OpenWrt:~/.ssh# ssh -i ~/.ssh/id_rsa -y -p 1022 USER_SERVER@SERVERSSH


This is the command to run the SSH tunnel in the background (necessary if you want to put it in a script):


/usr/bin/dbclient -f -N -R 1500:localhost:22 -p 1022 USER_SERVER@SERVERSSH -i /root/.ssh/id_rsa -y


Now, after logging in to the SSH server shell, with this command we can reach the OpenWRT shell through port 1500 of the SSH server, using the tunnel we have created.


USER_SERVER@SERVERSSH:~$ ssh root@localhost -p 1500
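As an added example that is not part of the original post, here is a small sh script for the OpenWRT side that ties the steps above together: it builds the dbclient reverse-tunnel command, keeps the tunnel alive with a reconnect loop (the dongle link drops from time to time), reports whether the tunnel is up, and produces a restricted authorized_keys line for the server. USER_SERVER, SERVERSSH, port 1022 and port 1500 are the post's placeholders; the keepalive/idle timeouts and the authorized_keys restriction options are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the post's steps into
# one script for the OpenWRT side. USER_SERVER, SERVERSSH, port 1022 and port
# 1500 are the post's placeholders; the keepalive/idle timeouts and the
# authorized_keys restrictions are assumptions of this example.

TUNNEL_SERVER="${TUNNEL_SERVER:-SERVERSSH}"        # public SSH server (Ubuntu box)
TUNNEL_USER="${TUNNEL_USER:-USER_SERVER}"          # account on that server
TUNNEL_SSH_PORT="${TUNNEL_SSH_PORT:-1022}"         # sshd port on the server
TUNNEL_REMOTE_PORT="${TUNNEL_REMOTE_PORT:-1500}"   # port opened on the server's loopback
TUNNEL_KEY="${TUNNEL_KEY:-/root/.ssh/id_rsa}"      # key made with dropbearkey

# Assemble the dbclient command line. -K sends a keepalive every 30 s so a
# dead dongle link is noticed; -I drops the session after 120 s without
# traffic instead of leaving a half-open TCP connection behind. -y accepts
# the server's host key on first use only; a later mismatch is still refused.
tunnel_cmd() {
    printf '%s' "dbclient -N -K 30 -I 120 -R ${TUNNEL_REMOTE_PORT}:localhost:22 -p ${TUNNEL_SSH_PORT} -i ${TUNNEL_KEY} -y ${TUNNEL_USER}@${TUNNEL_SERVER}"
}

# Turn the "ssh-rsa AAAA... root@OpenWrt" line printed by dropbearkey into an
# authorized_keys entry that the server accepts only for the tunnel: no tty,
# no X11 or agent forwarding. (OpenSSH 5.x on Ubuntu 10.04 predates the
# "restrict" keyword, so the individual no-* options are used.)
restricted_authorized_key() {
    pubkey="$1"
    case "$pubkey" in
        ssh-rsa\ *|ssh-dss\ *) ;;
        *) echo "not a dropbear public key line: $pubkey" >&2; return 1 ;;
    esac
    printf 'no-pty,no-X11-forwarding,no-agent-forwarding %s\n' "$pubkey"
}

# True when a dbclient holding our -R forward is running. BusyBox ps has no
# -o options, so plain ps + grep is used; the [d] trick keeps grep itself out.
tunnel_is_up() {
    ps | grep -q "[d]bclient .*-R ${TUNNEL_REMOTE_PORT}:localhost:22"
}

# Foreground supervisor: run the tunnel and restart it whenever it exits
# (dongle reconnects, server reboot). Because the loop owns the process, the
# -f background flag from the post is not used here; start this script from
# /etc/rc.local or an init script instead.
run_tunnel_loop() {
    [ -r "$TUNNEL_KEY" ] || { echo "missing $TUNNEL_KEY: run dropbearkey -t rsa -f $TUNNEL_KEY" >&2; return 1; }
    while :; do
        eval "$(tunnel_cmd)"   # blocks until the connection ends
        sleep 10
    done
}

case "${1:-}" in
    run)   run_tunnel_loop ;;
    check) if tunnel_is_up; then echo "tunnel up"; else echo "tunnel down"; fi ;;
    key)   restricted_authorized_key "$(cat "${2:-/dev/stdin}")" ;;
esac
```

Usage: `sh tunnel.sh run` from an init script on the router, `sh tunnel.sh check` from cron or by hand, and `sh tunnel.sh key pubkey.txt` to print the line to paste into the server's authorized_keys. Two points worth knowing: dbclient's -R binds port 1500 on the server's loopback only (sshd's GatewayPorts default is no), so the OpenWRT shell is reachable just from accounts on the server, which is the intended exposure; and the restricted authorized_keys line means that the router's key, if it were ever copied off the device, opens a tunnel on the server but not a shell.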

2 comments:

  1. Hi,
    Thanks for this step by step document.
    I can successfully log in to the server using dbclient, however when I try the ssh command, it still prompts me to enter a password.
    Any ideas why is this happening?

    Replies
    1. Hello, dbclient is equivalent to the ssh command, both should work the same way. Try to check also the authorized_keys file.
      I don't know if I understand properly your question, try to be more precise.
      Bye
