Sunday, October 28, 2007

Getting SSH working on the DNS-323

OK, now that I've fun_plugged my DNS-323, the next step is to get some core services up and running. Telnet is already enabled by default once the fun_plug is in place. The next item on the list is SSH.

There are really two options here: OpenSSH or Dropbear. I'm going with Dropbear, since Fonz has kindly packaged it up as an add-on for his fun_plug, whereas OpenSSH would have to be run inside a chroot (no native binaries, unfortunately).

So the first step is to grab the package from his site and unpack it into the / directory. Once that is done, go into /mnt/HD_a2/fun_plug.d/start/ as root, give the start script executable permissions (i.e. "chmod u+x dropbear.sh") and run it.

The very first time the script is run, it will create the necessary host keys in the fun_plug's etc directory and start the daemon; subsequent runs will just start the daemon. You can verify that the daemon has started by checking for its process (i.e. issue the command "ps -ef | grep dropbear" and you should see something similar to "26654 root /mnt/HD_a2/fun_plug.d/bin/dropbear -d ...").

To check that your server is running properly, try to connect to it using an SSH client like PuTTY. Remember to change the connection type to SSH and verify that the port is 22. You should be able to log in using your username and password and get to a BusyBox prompt, just like a typical Telnet session would.

Note that PuTTY will raise a security alert about an unknown host key when the connection is first attempted (before you see the login prompt). The alert shows the fingerprint of the key the server presented; clicking "Yes" stores it in PuTTY's registry cache, and from then on PuTTY will only warn again if the server's key changes. It is only acceptable to click "Yes" on the very first connection to the host, and even then it is worth comparing the fingerprint in the alert with the one on the NAS itself (over the existing Telnet session on the local network, "dropbearkey -y -f" followed by the path to the host key file in the fun_plug's etc directory prints the public key and its fingerprint). If the alert appears on a later connection, the host key is no longer the one you originally accepted: either the key files were regenerated (for instance after a reset) or something is sitting between you and the NAS, and you ought to get that checked out before entering a password.

Once you get this far, you are pretty much set with a safer and more secure alternative to Telnet... unless you want to use public-key authentication, either for stronger security or for running automated jobs over SSH (such as remote backups) without a password.

Public-key authentication in SSH works like this: if you are on a client system accessing a host system, you need a PRIVATE key on the client and the corresponding PUBLIC key registered as an authorized key on the host. The private key never leaves the client; the host only ever holds the public half, so a copy of the host's authorized_keys file is of no use to an attacker for logging in.

The first thing you need to do on the DNS-323 is to set up a proper home directory, with the right permissions, for the user. To do so, use Fonz's "change-homedir.sh" script for that user, followed by "store-passwd.sh" to make the change permanent (i.e. survive resets).

Next, create the necessary key pair using PuTTY on the client and upload the public key to the host system using this excellent guide (it comes with step-by-step screenshots!). For the impatient, and for people already familiar with public-key authentication, the steps are:

  1. Create the key pair using PuTTYgen (with or without a passphrase; a passphrase protects the private key file if the client machine is ever compromised, but an unattended job will need either a key without one or a running Pageant)
  2. Log in to the host system using the desired account id
  3. Cd to the home directory (i.e. "cd ~") and make sure it is not writable by group or others (i.e. "chmod go-w ~"); Dropbear silently refuses public-key logins when the home directory, the .ssh directory or the authorized_keys file is group- or world-writable
  4. Create the sub-directory .ssh if it does not already exist (i.e. "mkdir .ssh") and restrict it to the owner (i.e. "chmod 700 .ssh")
  5. Cd into this directory (i.e. "cd ./.ssh")
  6. Create the file "authorized_keys" if it does not already exist (i.e. "touch ./authorized_keys")
  7. Make sure the file has the right permissions (i.e. "chmod 600 ./authorized_keys")
  8. Open the file in your favorite editor (i.e. "vi ./authorized_keys")
  9. Add the public key to the end of the file on ONE line, copied from the "Public key for pasting into OpenSSH authorized_keys file" box in PuTTYgen, not from the .pub file PuTTYgen saves (that file is in the multi-line SSH-2 format with BEGIN/END lines, which Dropbear does not accept). The line should look something like this: ssh-rsa AAAAB3NzaC1yc2EAaaaBJQAaAIEAjL2xAU2kNrdMViUpMbYL+H5/h2KlLo7hG1RHu/mh/3qLPxSnTrprVXYMgb+T9iJ8PkkiSWtU83Av7WSHVlsGeRAMXlNtkjpEsF/SIXsplrLqDdk1Fmy8uin++rTsjcdAYlnsa5TuQbRJ4bVXBkGTOPbkHNz0bPqzy/rMBZDbsdE= user@host (make sure there is no line break in between!)
  10. Save it and you are done! (Repeat the steps above for other users as necessary; Dropbear then authenticates with the key and never asks for the account password)
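As an added example (it is not from the original post, nor part of Fonz's fun_plug packages), here is a small POSIX sh script that automates steps 3 to 10 and also covers the fingerprint comparison from the PuTTY host-key alert earlier on. It checks that the pasted line is a single-line ssh-rsa or ssh-dss public key whose blob really starts with the encoded key-type string, sets the permissions Dropbear insists on for ~, ~/.ssh and authorized_keys, appends the key only if it is not already there, and can print a key's MD5 fingerprint in the xx:xx:... form PuTTY and PuTTYgen display. It assumes a coreutils-style "base64 -d" and "md5sum" are available (true on an ordinary Linux client; the DNS-323's BusyBox may lack base64, so run the fingerprint part on the client). The key used in the usage comment is a constructed dummy, not a real key.

```shell
#!/bin/sh
# Added example helpers for the authorized_keys procedure above (not fun_plug code).
# Assumes POSIX sh plus coreutils-style base64 and md5sum.

# A literal newline, used to reject keys that were pasted with a line break.
NL=$(printf '\nx'); NL=${NL%x}

# fingerprint_md5 "<type> <base64-blob> [comment]"
# Prints the MD5 fingerprint (xx:xx:...) of the raw, base64-decoded key blob,
# which is the value PuTTY shows in its host-key alert and PuTTYgen shows for
# a generated key.  Compare it by eye against the dialog before clicking Yes.
fingerprint_md5() {
    set -- $1
    printf '%s' "$2" | base64 -d | md5sum | cut -c1-32 |
        sed 's/../&:/g; s/:$//'
}

# validate_pubkey "<type> <base64-blob> [comment]"
# Accepts only a single-line ssh-rsa or ssh-dss key (the types Dropbear
# understands) whose blob starts with the base64 of "\0\0\0\x07<type>".
validate_pubkey() {
    key=$1
    case "$key" in
        *"$NL"*) echo "public key must be a single line" >&2; return 1 ;;
    esac
    set -- $key
    type=$1; blob=$2
    printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' ||
        { echo "key blob is not base64" >&2; return 1; }
    case "$type:$blob" in
        ssh-rsa:AAAAB3NzaC1yc2E*) ;;   # base64 of 00 00 00 07 "ssh-rsa"
        ssh-dss:AAAAB3NzaC1kc3M*) ;;   # base64 of 00 00 00 07 "ssh-dss"
        *) echo "unsupported key type or type/blob mismatch: $type" >&2; return 1 ;;
    esac
}

# perms_ok <path>: true unless <path> is group- or world-writable.
# Dropbear refuses public-key logins when ~, ~/.ssh or authorized_keys is
# writable by anyone other than the owner; this reproduces that test using
# the mode string from ls -ld (6th char = group w, 9th char = other w).
perms_ok() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w*|????????w?) return 1 ;;
    esac
    return 0
}

# check_key_perms <home_dir>: verify all three paths Dropbear inspects.
check_key_perms() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        perms_ok "$p" || { echo "$p is group/world writable" >&2; rc=1; }
    done
    return $rc
}

# install_pubkey <home_dir> "<pubkey line>": steps 3 to 10 above, idempotently.
install_pubkey() {
    home=$1; key=$2
    validate_pubkey "$key" || return 1
    chmod go-w "$home" || return 1
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    touch "$home/.ssh/authorized_keys" &&
        chmod 600 "$home/.ssh/authorized_keys" || return 1
    # Append only if this exact line is not already present.
    grep -Fqx "$key" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    check_key_perms "$home"
}

# Usage (dummy key, constructed for illustration, not a real key):
#   sh install_pubkey.sh /mnt/HD_a2/home/user \
#      'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAABADA/+4= user@host'
if [ $# -eq 2 ]; then
    install_pubkey "$1" "$2" &&
        echo "installed; key fingerprint $(fingerprint_md5 "$2")"
fi
```

Run it as the target user (or as root with that user's home directory) from the BusyBox prompt; if it prints a "group/world writable" complaint, fix that path before trying a key login, since Dropbear gives no hint on the client side and simply falls back to asking for a password.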

3 comments:

Curtis said...

Handy information - thanks Sidney!

Anonymous said...

"ps -ef grep dropbear" --> you need a pipe in there before the grep.

InBonobo.com said...

It seems that change-homedir.sh has been dropped in the latest Fonz incarnations.