This howto covers the setup and usage of the OpenSSH secure shell for remote command line access on Unslung. If you are switching from Dropbear, see also SwapFromDropbearToOpenSSH.
OpenSSH is a fully featured daemon which also requires the OpenSSL libraries. It is more sophisticated than Dropbear and has more advanced features such as agent forwarding. It may also get around some of the multiple user problems that people experienced with Dropbear.
This howto focus on the steps needed to setup OpenSSH under Unslung and use PuTTY, an SSH client for Windows, to access to your slug.
Install OpenSSH Server on Unslung
First of all, let's assume you have already installed Unslung and have activated the built-in telnet server. After you have installed OpenSSH you will no longer need telnet.
Install the OpenSSH package for Unslung, which includes the SSH daemon. You can do this by executing the following commands from a telnet session:
After installing the package, the OpenSSH server should be running. You can confirm this by running:
and look for a line something like the following:
Ok, so it's running. What the heck do you do now? If you are already familiar with OpenSSH then you can stop at this point because SSH is installed and working. If you want to perform additional configuration to use public key authentication, then read on. Do not close your telnet session, we will have to configure the server later on.
Note:: At this point, you can access your slug using an SSH client by typing in the root password, as you did for telnet access. While the security-paranoid won't be happy with this and will want to disable password access as described below, it is still more secure than telnet because the password is encrypted. If your slug is on a private network behind a firewall, then there is probably no need to go any further.
Notice: if you are switching from Dropbear you can stop it from running and free some memory. Either remove it after installing OpenSSH (run
Install and Configure PuTTY in Windows
You need to get an SSH client for your Windows box. PuTTY is good free client so that's what I'm going to talk about here. Download the Windows installer from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html and install it.
Now we need to generate a private/public key pair. Run Start->Programs->PuTTY->PuTTYgen, the key generation program, and click the "Generate" button to generate a new key pair. In the top part of the window you will see a text box showing the generated public key string, something like the following (the key here has been shortened for display purposes, your generated key will be a much longer string):
This is what we call the public key. It will be copied to the slug in the next section. Before that, we have to protect your private key (not shown) with a passphrase and save it to a file.
Notice: Make sure you are generating an SSH-2 RSA key in puttygen, neither SSH-1 nor SSH-2 DSA, as these keys won't work (at least that was my problem keeping me busy for hours...) (Peter, 1/27/2007)
Set your passphrase by typing it in the "Key passphrase" box and repeat it in the "Confirm passphrase". Make this passphrase reasonably long (>8 characters), easy to remember and significant to you but not to anyone else. This is especially true if you plan to make the NSLU2 visible on the Internet. Click on "Save private key" and save your private key to a file with the
Since we are initially generating a key pair for
Now what we need to do is load that public key as an authorized key for
Configure SSH Server for Public Key Access
For this example, we will be working to authorize the
Go back to the telnet session you have as the desired user, in this case
This should result in a folder which everyone can read but no one but the owner (i.e.
and look for a line which looks like the following (noting the drwxr-xr-x particularly):
Notice: Although you have set up a new home directory it will not be active until your next telnet session. Until you do this the home may still be '/' not '/root'. It is important that the SSH settings are off your new /root directory, not the system root.
Now change to your home directory and create the hidden directory for the SSH settings:
Now let's copy the public key to the
Notice: you can use a regular text editor, like
Finally, check that the
Ok, so that should get us ready for authentication using a public key. Furthermore, we can prevent anyone logging in via SSH without a key. To do this we need to edit the
Inside this file, change the
Notice: for the full set of configuration details for this file see the sshd_config man page.
Under the current version of the OpenSSH server for Unslung, you do not need to change anything in the startup script in order to read the updated version of the config file.
After storing the public key and setting up the server to accept only key authentication, you need to restart the
Connect to the Slug using PuTTY
Having set up the server as we want it all we have to do now is to connect with PuTTY. Run Start->Programs->PuTTY->PuTTY. The PuTTY configuration window will come up with the options for the server (IP address and port) which you need to set. Type in the slug IP adress in the "Host Name" field and select "SSH" as the protocol. Also set up the SSH authentication by key: on the "Category" menu on the left select "Connection", "SSH", "Auth", click on "Browse" and select the file with your saved private key.
Now click on "Open" and when requested, log in as
If you're still asked for a password, carefully check the file permissions through the whole path of
Configure SSH Authentication for Other Users
If you want to allow other users to use ssh to access the slug, you will need to create the users in the normal way using the Linksys web interface, update the
First, create the desired user through the Linksys web interface. After this, login to the slug as
The meaning of these fields is:
username:encrypted password:user id:group id:description:home directory:login shell
You have to define a home directory and change the login shell. The home directory can be a new directory created under
Now locate the line for the user you have just created and change the home directory (the sixth field of the line) to
Finally, change the login shell (the last field) to
After that, can just save the file.
Notice: if you change the login shell for an user account, you should be aware that this user will also be able to login using telnet, if the telnet server is enabled through the web interface.
Now we need to create the home directory for the user and set the appropriate permissions. Following our example, where the directory is
If you are using passwords to login via ssh, this is all you need to do. However, if you are using public key authentication, you will have to follow the steps mentioned above again to create a new key pair and save the public key in the
In your Windows machine, run
Use telnet to login to the slug as the new user, in order to create the
Save the public key to the
Now, use PuTTY to connect as the new user. Remember to use SSH as the protocol and set the private key file (under the "Category" menu, "Connection", "SSH", "Auth") to the new one that you have just created.
Notice: you may wish to add additional users via the adduser tool (a tool which is installable via ipkg). You will discover that after a user is created with adduser and a password was assigned, the password will be lost on next server restart. See ChangePasswordsFromTheCommandLine for info on how to correctly set up a persistent password via the command line.
You might want to consider overclocking the NSLU2 so that it'll run at full speed instead of half speed as supplied by Linksys.
If you want to use SFTP, then you need to install also the package openssh-sftp-server (At least I need it -thx1011). On OpenSlug 2.7Beta even after installing package openssh, you need this one. Then you can use, for example on windows side, the WinSCP freeware program, ou also, the integrated SFTP client into OpenSSH windows client. This will allow file transfer using SSH for remote access without exposing your Samba shares.
If you want to use KDE for accessing the file on your slug ala fish://firstname.lastname@example.org:22/ you have to install perl (ipkg install perl) in addition to openssh and openssl.
To do this login as root and execute:
You will also need to change the /dev/null permissions, otherwise you will get an SFTP connection error:
Remote access to files over SSH
If you want to be able to access your files, upload and download over SSH then you need an SCP client. For myself, wanting to access my files over the internet securely from my Windows box at work, I downloaded WinSCP (http://winscp.net/) and simply configured it up, by entering the IP address, pointing to the key file and entering the username. It worked out of the box, I could browse all the files on the SLUG as if logged in to console.
Mounting files via SHFS
If working with *nix systems, you can mount your your data on the NSLU2 via either LUFS or SHFS. I have found SHFS a bit easier to work with than LUFS, but if you're working with encrypted file systems LUFS is the way to go. SHFS requires Perl to be installed on the NSLU2, which is conveniently available as a package (ipkg install perl). For the mounting in SHFS, make sure all binaries and mount points have the appropriate ownership and accessibility.
Note: I like to sshfs to the NSLU2 from a user account other than root for security reasons. I'd like to be able to use only a key without a passphrase for easy auto-mounting, but if my account is compromised I'd rather not give root access to the slug.
If you are going to sshfs to the NSLU2 via a user account other than root you will need to permit other users to access /dev/null on the slug itself. If you don't do this, you will keep receiving a "remote host disconnected" message.
Remote access to Samba (Windows) shares over SSH
Using Bitvise Tunnelier
Bitvise Tunnelier (http://www.bitvise.com)is free for personal use and makes it very easy to set up regular port tunnelling sessions, using shared keys or passwords. There is also an excellent HowTo for setting up and configuring the port-forwarding interfaces for Windows
which may also be useful for people with general questions on how to tunnel samba shares, with instructions for setting up loopback interfaces in XP etc.
If you want to view Samba shares over SSH then you need to follow the following instructions - worked perfectly for me.
I have created a batch file which I use to run PLINK (part of Putty) with the tunnel settings (so no console window is necessary) as follows:
Note: the only ports you need to expose for SAMBA are 139 (pre-Windows 2000) and/or 445 (Windows 2000 and newer). This assumes you have set up the loopback adapter on 10.0.0.1 and removed all the bound services except TCP/IP and Client for Microsoft Networks.
Note-to-the-note: On my XP SP2 box I've had success adding the loopback adapter using a fixed IP and only disabling "File And Printer Sharing for Microsoft Networks" and "NetBIOS over TCP/IP" (leaving all other settings at default). This gets port 139 working (though not 445) and my shares seem quite happy to run through SSH. (Use "Add New Hardware", assign a fixed IP address, click on "Advanced", go to the "WINS" tab and select "Disable NetBIOS over TCP/IP".)
Note: to use create a file called tunnel.bat in the same folder as plink.exe. Load your keys into Pageant as normal and then simply run the batch file. remember that you need to have opened the SSH port (22) in your firewall etc as you would for SSH console sessions.
PuTTY Tray (http://www.xs4all.nl/~whaa/putty/) can be used instead of plink. The main advantage is that you don't need plink running in a window continuously. Instead, you can make it start minimized in the systray.
Cygwin is a Linux-like environment for Windows. With it you can install the latest OpenSSH? package and use it from the command line the same way you would in Linux. A good step-by-step installation tutorial can be found at http://pigtail.net/LRP/printsrv/cygwin-sshd.html(approve sites). Another option is CopSSH which installs a minimalistic version of Cygwin specifically meant for running OpenSSH?.
Once OpenSSH? is installed, create a loopback adapter in Windows (search Google.) Make sure to disable File and Printer Sharing for this adapter but leave Client for Microsoft Networks enabled. To make an SSH connection and tunnel the SMB protocol (port 445(approve sites)), use the following command:
Where 10.0.0.222 is the IP address of your loopback adapter and nslu2 is the IP address of your slug (the other switches should speed up the connection a bit; you can also specify -C to use SSH compression.) You should now be able to click Start/Run and type in \\10.0.0.222 to see your NSLU2 folders.
Change root jail
The following page describes how to setup a change root jail at our Slug : ChrootJailForSFTP
A security story
Note: It is worth ensuring your internet connection is secured with SSH and also that you are limiting it to key access only. I had only exposed SSH through my firewall for a few hours when I notices scans like this in my /var/log/messages file:
<38>Jan 31 11:19:31 sshd: Did not receive identification string from 220.127.116.11
Installing DenyHosts (http://denyhosts.sourceforge.net/) or another program with similar functionality will help stop this.
edit by CR: it also helps to change the port on which your SSH is listenig - scripts often just look for the default port 22. my slug is listening on 443 (forwarded by router) and I haven't got any login attempts since I changed the port :)
view · edit · print · history · Last edited by DYamaki.
Based on work by DYamaki, Pistol, Kmoerman, CR, Carl, Fred, glynd, Andy, -DC-, fcarolo, HN, morrijr, Dave Lane, Andreas, david, vatachino, Peter, MattMcNeill, drdave, rickb, marty_k71, Lunar_Lamp, ultranewbie ruby, metamind, lxs4ever, jcc, JonMikelV, mordak, thx1011, Sharth, tman, junk at nwxg dot com, don lubinski, prikryl, Jochen Schoenfeld, KGP, barrym, paulhar, ByronT, and dyoung.
Originally by MattMcNeill.
Page last modified on February 01, 2009, at 12:37 AM