SSH Tunneling

J@ck

New Around Here
I apologize for this newbie question, as I have only very basic knowledge in that area.

Until now I used an old Cisco router with DD-WRT and SSH tunneling, as I wanted to surf from another location via my home network (opened an SSH tunnel with PuTTY and set the proxy settings in Firefox) -> worked very well, only for Firefox (what I wanted)!

Now the old router is not working properly, so I switched to an Asus RT-AC66U and flashed it with the AsusWRT-Merlin build. All looks very good, but I have no idea how to set up my SSH tunnel again.
Can anybody help me please?

Thank you!
 
I think it should work as before, as long as you set the router up for external ssh access.

But IMO you should try to create a regular user account to avoid using the admin account for the tunnel.

Not 100% sure how to do that on the router since I instead port forward ssh to a machine on my LAN and use that for tunneling. But I guess you just need to append the new user to /etc/passwd and /etc/shadow. You will have to look up how to create the password hash for /etc/shadow. I think it can be done using openssl.
 
Also you have to enable tunneling (allow SSH port forwarding) for SSH in the web GUI.
 
Found it!

Thank you all, I did it in the gui:

On Router
Advanced Settings -> System
Enable SSH: Yes
Allow SSH Port Forwarding: Yes
SSH service port: Any port, which is not used in port forwarding (default 22)
Allow SSH access from WAN: Yes
Allow SSH password login: Yes

In Putty
Host Name (your home IP)
Port: The port you set in SSH service port
Protocol SSH

In Firefox
Connection Settings
Manual proxy configuration
SOCKS Host: localhost (Port 8080)
 
I followed as you did for ssh tunneling, and it did work. Thanks.
By the way, is there a way to add a user for SSH? I am trying to use the SSH tunnel with a few people, but I do not want to share the master account password with everyone.

Anyone can help?
 
You could use SSH keys for authentication.
 
I have used an approach like:

Code:
cat /mnt/optware/etc/passwd >>/etc/passwd
cat /mnt/optware/etc/shadow >>/etc/shadow

That adds content to the dynamically created /etc/passwd and /etc/shadow. Not sure from which script to run it on an Asus router; I guess services-start might be an idea. Or maybe wan-start. (It depends on when the original files are created.)

It means that the two files in /mnt/optware/etc need to be created. The easiest way is probably to copy the relevant lines from /etc/passwd and /etc/shadow on another Linux system, but you can also create the files yourself.

Here's some info on their content:
http://tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html

And here's info on how you create a password hash using openssl:
http://www.madboa.com/geek/openssl/#passwd
 
I know the topic is very old, but it describes exactly the problem I have.
I want to create an SSH tunnel for a web browser. I don't want it to be used in the root/admin account.
Is there a way to create a read-only user? Only for SSH tunnel?
 
Welcome to the forum.

If, what you want to do is to browse safely from a remote network with your home router as the first port of call (to benefit from all its security layers), then the modern way to do this is to set up OpenVPN Server on your router and then make the OpenVPN connection from your remote device, and then it's exactly as it would be as if you were sitting inside your own home. That's the way most of us do it. On the other hand, maybe, for nostalgic reasons or just to stop you from getting rusty with SSH, perhaps you specifically want to do it using SSH dynamic port forwarding?
 
I know this can be achieved using openVPN. However, I think OpenVPN is more suitable for bigger tasks.
I don't need to connect to another network to be part of it when I just want to browse the website.
SSH is probably more appropriate in this case. I even think that SSH is less demanding on the processing power of the router than openVPN in this application. If I am wrong, please explain.
 
SSH is not more appropriate if you are enabling it on the WAN port. That is a known security risk for your entire network.
 
I read carefully the link you sent me, as well as others like it. If I understand correctly, all the concerns are about SSH login as root. I think that after meeting a few conditions, what I want to achieve will be safe for my network:
- change of port for SSH,
- creating a new account as non-root.
Additionally, I want to use the keys to log in, not the login/password.

For now, I'm testing what the router OS will allow me to do.
What I was able to do:

1. Add an entry to /etc/passwd
Code:
# fields: name:x:uid:gid:gecos:home:shell
echo "newuser:x:1009:1009:SSH tunnel account only:/home/newuser:/bin/sh" >> /etc/passwd

2. Add an entry to /etc/group
Code:
# fields: name:x:gid:members
echo "newuser:x:1009:" >> /etc/group

3. Add an entry to /etc/shadow
Code:
# fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# '*' in the hash field keeps the account locked until step 5 sets a password
# (an empty hash field would allow login with no password at all)
echo "newuser:*:0:0:99999:7:0:0:" >> /etc/shadow

4. Create a home directory for the new user
Code:
mkdir /home/newuser
chown newuser /home/newuser

5. Add/change the password
Code:
# chpasswd reads "user:password" lines from standard input
echo "newuser:add_password" | chpasswd

After that, you can log in to the system via SSH to the newuser account. This is a non-root user account.
Of course, at the moment, after rebooting the router, all changes will be lost. However, they can be placed in the JFFS part to make them permanent.

Can any of the experienced merlin/linux users have a look if I have missed something? I take my first steps with my own settings.
Will such settings in the router allow to run a secure SSH tunnel without the risk of breaking into the system?

Now I need to configure login with public and private key pair for the newuser. I hope that I can do it too. Maybe some hint where to put the public key?
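As an added example, not code from the thread: a small POSIX shell helper that does what the step list above and the earlier /mnt/optware "append at boot" reply describe, but idempotently, so calling it from a boot script cannot duplicate entries on every reboot. It assumes Merlin's /jffs/scripts/services-start hook (named in that earlier reply) runs after the /etc files are generated and that the router's SSH daemon reads ~/.ssh/authorized_keys for non-admin accounts; the file paths are parameters so it can be tried against temporary copies first, and the account name and uid 1009 are the ones from the post.

```shell
#!/bin/sh
# Hypothetical helper for a Merlin /jffs/scripts/services-start script
# (assumption: that hook runs after the volatile /etc files exist).
# It adds a non-root, tunnel-only account the way the thread does by hand,
# but checks first so re-running it at every boot cannot duplicate entries.
# File paths are parameters so it can be exercised against temporary copies.

add_tunnel_user() {
    name=$1 uid=$2 hash=$3 passwd_f=$4 shadow_f=$5 group_f=$6
    # Reject names that would break the colon-separated format.
    case $name in *:*|'') return 2 ;; esac
    # Idempotency: an existing passwd entry means there is nothing to do.
    if grep -q "^${name}:" "$passwd_f"; then
        return 1
    fi
    # passwd fields: name:x:uid:gid:gecos:home:shell
    printf '%s:x:%s:%s:SSH tunnel account only:/home/%s:/bin/sh\n' \
        "$name" "$uid" "$uid" "$name" >> "$passwd_f"
    # group fields: name:x:gid:members
    printf '%s:x:%s:\n' "$name" "$uid" >> "$group_f"
    # shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
    # Pass '*' as the hash to keep password login disabled (key-only account).
    printf '%s:%s:0:0:99999:7:::\n' "$name" "$hash" >> "$shadow_f"
    return 0
}

# Number of lines for a user in a passwd-style file; 1 after add_tunnel_user.
count_entries() {
    grep -c "^$1:" "$2" || true
}

# Install a public key for the account (assumption: the router's SSH daemon
# reads $HOME/.ssh/authorized_keys for non-admin users). Also idempotent.
install_key() {
    name=$1 pubkey=$2 home_root=$3
    d="$home_root/$name/.ssh"
    mkdir -p "$d"
    grep -qxF "$pubkey" "$d/authorized_keys" 2>/dev/null \
        || printf '%s\n' "$pubkey" >> "$d/authorized_keys"
    chmod 700 "$home_root/$name" "$d"
    chmod 600 "$d/authorized_keys"
    # On the router, follow with: chown -R "$name" "$home_root/$name" (step 4).
}

# Real use on the router would be, with a constructed example key:
# add_tunnel_user newuser 1009 '*' /etc/passwd /etc/shadow /etc/group
# install_key newuser 'ssh-ed25519 AAAA...constructed... tunnel' /home
```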
 
Can I ask the forum maintainer to edit the above post, which I have just edited, and remove the spaces in the CODE field next to the paths:
/etc/( )passwd
/etc/( )group
/etc/( )shadow

I don't know why, but without this space I couldn't post on the forum. Is this a bug in the forum?
After that, this entry can also be deleted.
 
I can connect to my router via ssh but unfortunately firefox won't work with this tunnel.
PR_CONNECT_RESET_ERROR
When I tunnel to another server with the same putty settings, everything works fine.
 