Dropbear SSH keys and autossh on OpenWRT

I have a box on Amazon EC2, and I want my OpenWRT router, which sits behind IPv4 CGN (carrier-grade NAT) but has a public IPv6 address, to be reachable from the IPv4 Internet. The best option is an SSH reverse tunnel kept alive by autossh.

The very first thing is to test whether I can connect to my Amazon instance from my OpenWRT:

root@OpenWrt:~# ssh 54.111.111.111
Host '54.111.111.111' is not in the trusted hosts file.
(ssh-rsa fingerprint md5 0f:51:11:11:11:11:11:11:11:11:11:11:11:11:11:11)
Do you want to continue connecting? (y/n) y
root@54.111.111.111's password:

At this point the public key of the remote host is added to .ssh/known_hosts. This matters because autossh cannot answer an interactive prompt later on.

root@OpenWrt:~# cat .ssh/known_hosts
2001:1111:1111:1111::1111:1111 ssh-rsa AAAAB3N.......
54.111.111.111 ssh-rsa AAAAB3N..........

Now we need to generate the public/private key pair we will use to connect to our Amazon instance. Invoke the following:

root@OpenWrt:~# dropbearkey -t rsa -f .ssh/autossh
Generating key, this may take a while...
Public key portion is:
ssh-rsa AAAAB3N....... root@OpenWrt
Fingerprint: md5 80:e1:11:11:11:11:11:11:11:11:11:11:11:11:11:11

We now have a public key to put in ~/.ssh/authorized_keys on the remote server. If you ever need to view your public key again, use: dropbearkey -y -f .ssh/autossh. We will also need to open the port in the Amazon Security Group and know the private IP of our Amazon EC2 box.
On the Amazon server:
nano .ssh/authorized_keys
chmod 600 .ssh/authorized_keys

Now we can do a dry run and check that we can connect to the EC2 instance with ssh:

root@OpenWrt:~# ssh -i .ssh/autossh -l bart 54.111.111.111
Linux ip-10-222-222-222 3.2.0-4-686-pae #1 SMP Debian 3.2.65-1+deb7u2 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Nov 14 21:48:06 2013 from 194.73.124.83

First success: we log in to the remote server without a password, which means all keys are set correctly and the connection actually works. Now let's configure autossh (note that the remote port is requested on the private interface, not on the loopback of the Amazon instance):
root@OpenWrt:~# vi /etc/config/autossh
config autossh
        option ssh      '-i /root/.ssh/autossh -N -T -R 10.222.222.222:2222:localhost:22 bart@54.111.111.111'
        option gatetime '0'
        option monitorport      '20000'
        option poll     '600'

And test it:
root@OpenWrt:~# cd /etc/init.d/
root@OpenWrt:/etc/init.d# ./autossh start
root@OpenWrt:/etc/init.d# ps
  PID USER       VSZ STAT COMMAND
14640 root      1372 S    -ash
14920 root       788 S    /usr/sbin/autossh -M 20000    -i /root/.ssh/autossh -N -T -R 10.29.177.230:2222:localhost:22 bart@54.221.223.175
14921 root      1216 R    /usr/bin/ssh -L 20000:127.0.0.1:20000 -R 20000:127.0.0.1:20001 -i /root/.ssh/autossh -N -T -R 10.222.222.222:2222:localhost:22 bart@54.111.111.111
14922 root      1360 R    ps

It works. However, there is one more surprise. When examining the Amazon EC2 host we find that our tunnel listens on localhost, so it is reachable only locally: sshd has silently ignored the 10.222.222.222 bind address we passed with -R.

admin@ip-10-222-222-222:~$ netstat -tanp
(No info could be read for "-p": geteuid()=1000 but you should be root.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:3690            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:2222          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:20000         0.0.0.0:*               LISTEN      -

This has to be fixed by modifying /etc/ssh/sshd_config on the remote server: the GatewayPorts option must be set to yes (and sshd restarted). Note that yes makes sshd bind remote forwardings to the wildcard address, so the port is exposed on every interface and only the Security Group limits who can reach it; GatewayPorts clientspecified instead honours the bind address given on the client side, which is what the -R 10.222.222.222:2222 above asks for.
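To check the result from the EC2 side without eyeballing netstat, here is a small POSIX sh helper (an added example, not part of the original post). It classifies where the forwarded port ended up bound and reads the effective GatewayPorts value from sshd_config; the netstat listing and config fragments are constructed samples, and the port numbers and 10.222.222.222 address are placeholders mirroring the post.

```shell
#!/bin/sh
# Constructed sample of the EC2 "netstat -tan" listing from the post (not live data).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:2222          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.222.222.222:3333     0.0.0.0:*               LISTEN'

# Constructed sshd_config fragments: stock default (directive commented out) and the fix.
SSHD_CONF_DEFAULT='Port 22
#GatewayPorts no
PermitRootLogin no'
SSHD_CONF_FIXED='Port 22
GatewayPorts yes'

# bind_state PORT  (reads netstat output on stdin)
# Classifies where the forwarded TCP port is listening:
#   loopback - 127.0.0.1 only: sshd ignored the -R bind address (GatewayPorts no)
#   wildcard - 0.0.0.0: GatewayPorts yes forces the wildcard address
#   address  - a specific non-loopback address: only GatewayPorts clientspecified does this
#   none     - nothing is listening on that port
bind_state() {
    addr=$(awk -v p="$1" '$1 == "tcp" && $6 == "LISTEN" {
        n = split($4, a, ":"); if (a[n] == p) { print $4; exit } }')
    case "$addr" in
        "")          echo none ;;
        127.0.0.1:*) echo loopback ;;
        0.0.0.0:*)   echo wildcard ;;
        *)           echo address ;;
    esac
}

# gateway_ports  (reads sshd_config on stdin)
# Prints the effective GatewayPorts value; sshd takes the first occurrence
# and defaults to "no" when the directive is absent or commented out.
gateway_ports() {
    v=$(awk 'tolower($1) == "gatewayports" { print tolower($2); exit }')
    echo "${v:-no}"
}

# diagnose PORT  (reads netstat output on stdin)
# Maps the bind state to the corrective step described in the post.
diagnose() {
    case "$(bind_state "$1")" in
        loopback) echo "port $1 is loopback-only: set GatewayPorts in sshd_config and restart sshd" ;;
        wildcard) echo "port $1 listens on every interface: allow it in the Security Group" ;;
        address)  echo "port $1 is bound to the requested address: allow it in the Security Group" ;;
        none)     echo "port $1 is not listening: check autossh on the OpenWRT side" ;;
    esac
}
```

On a live host run it as `netstat -tan | diagnose 2222` and `gateway_ports < /etc/ssh/sshd_config`.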
