Difference between revisions of "SSH"

From ArmadeusWiki
Jump to: navigation, search
(Usage)
(Target (APF27))
 
(16 intermediate revisions by 3 users not shown)
Line 2: Line 2:
 
In short, SSH allows you to connect to your board from a remote PC using a secured/encrypted Ethernet connection.
 
In short, SSH allows you to connect to your board from a remote PC using a secured/encrypted Ethernet connection.
  
==Installation==
+
==Dropbear==
 +
 
 +
===Setup===
 
We use the lightweight Dropbear SSH server. To install it on your rootfs, launch Buildroot configuration:
 
We use the lightweight Dropbear SSH server. To install it on your rootfs, launch Buildroot configuration:
 
<pre class="host">
 
<pre class="host">
Line 18: Line 20:
 
</pre>
 
</pre>
  
==Usage==
+
===Usage===
 
* If you have reflashed your rootfs with dropbear installed, then at first startup it should generates your private and public keys:
 
* If you have reflashed your rootfs with dropbear installed, then at first startup it should generates your private and public keys:
 
<pre class="apf">
 
<pre class="apf">
Line 37: Line 39:
 
</pre>
 
</pre>
  
* Be sure to have setup a root password on your board. '''If not then:'''
+
====Connection with password====
 +
* Be sure to have setup a [[how to set the default root password | root password]] on your board. '''If not then:'''
 
<pre class="apf">
 
<pre class="apf">
 
  # passwd
 
  # passwd
Line 63: Line 66:
 
  #
 
  #
 
</pre>
 
</pre>
 +
 +
====Connection with public/private key====
 +
You can also connect to your system without needing a password.
 +
You only have to let the system know your host's public SSH key.
 +
 +
* First, in directory ''/root'', on your system, if you don't have a directory ''.ssh'', create it:
 +
<pre class="apf">
 +
# mkdir /root/.ssh
 +
</pre>
 +
 +
* Then you must give it the correct rights:
 +
<pre class="apf">
 +
# chmod 750 /root/.ssh
 +
</pre>
 +
 +
* Now, if not already existing, create the file ''authorized_keys'' in ''/root/.ssh'':
 +
<pre class="apf">
 +
# touch /root/.ssh/authorized_keys
 +
</pre>
 +
 +
* Edit the file ''authorized_keys'' (with '''nano''' for instance) and copy-paste in it your host computer's public key contained in the file ''~/.ssh/id_dsa.pub''.
 +
 +
* You can test your SSH connection by running the following command on your host PC (replace 192.168.0.3 with your board IP):
 +
<pre class="host">
 +
$ ssh root@192.168.0.3
 +
The authenticity of host '192.168.0.10 (192.168.0.10)' can't be established.
 +
RSA key fingerprint is 7c:4b:e4:9c:6d:ea:6d:ca:ed:36:39:26:91:f9:82:30.
 +
Are you sure you want to continue connecting (yes/no)? yes
 +
Warning: Permanently added '192.168.0.10' (RSA) to the list of known hosts.
 +
</pre>
 +
 +
==OpenSSH==
 +
 +
OpenSSH is a tool that allows securized communications between two computers. It can be used to create a securized tunnel between two ports of the connected computers. All datas that go through this tunnel are encrypted.
 +
 +
===Setup===
 +
 +
====Host PC (Ubuntu)====
 +
* First you have to install telnetd to accept telnet connection from target and Wireshark, a network scanning tool, to check the data encryption :
 +
<pre class="host">
 +
$ sudo apt-get install telnetd
 +
$ sudo apt-get install xinetd
 +
$ sudo /etc/init.d/xinetd restart
 +
$ sudo apt-get install wireshark
 +
</pre>
 +
 +
* Then install OpenSSH server if necessary :
 +
<pre class="host">
 +
$ sudo apt-get install openssh-server openssl
 +
</pre>
 +
 +
* You now have to configure your OpenSSH server to accept connections from the securized port you will use to mask the real host port over SSH connection.
 +
To do that, you have to add the port to the file ''/etc/ssh/sshd_config''.
 +
For instance, we choose the port 32490:
 +
<pre class="host">
 +
# Package generated configuration file
 +
# See the sshd(8) manpage for details
 +
 +
# What ports, IPs and protocols we listen for
 +
Port 22
 +
Port 32490
 +
# Use these options to restrict which interfaces/protocols sshd will bind to
 +
#ListenAddress ::
 +
#ListenAddress 0.0.0.0
 +
Protocol 2
 +
# HostKeys for protocol version 2
 +
HostKey /etc/ssh/ssh_host_rsa_key
 +
HostKey /etc/ssh/ssh_host_dsa_key
 +
#Privilege Separation is turned on for security
 +
UsePrivilegeSeparation yes
 +
</pre>
 +
 +
====Target (APF27)====
 +
The OpenSSH and OpenSSL packages must be selected in Buildroot (if not done by default).
 +
 +
* First launch the Buildroot menu configuration:
 +
<pre class="host">
 +
$ make menuconfig
 +
</pre>
 +
 +
* Then select the packages:
 +
<pre class="config">
 +
Package Selection for the target  --->
 +
    [*] Networking  --->
 +
        [*]  openssh
 +
    [*] Library -->
 +
        Crypto -->
 +
            -*-  openssl
 +
            [*]      openssl binary
 +
            [ ]      openssl additional engines
 +
</pre>
 +
 +
* And compile your Buildroot with the command:
 +
<pre class="host">
 +
$ make
 +
</pre>
 +
 +
===Create SSH tunnel===
 +
* On the target, run the following command to create the tunnel between the two machines:
 +
<pre class="apf">
 +
# ssh -fN -L $TARGET_PORT:localhost:$HOST_PORT -C $USERNAME@$HOSTNAME -p $VIRTUALPORT
 +
</pre>
 +
Enter then the password to connect to your host.
 +
 +
* For instance, if you want to securize the Telnet port 23 toward the address toto@192.168.0.210 with the virtual port 32490:
 +
<pre class="apf">
 +
# ssh -fN -L 23:localhost:23 -C toto@192.168.0.210 -p 32490
 +
jeremie@192.168.0.225's password:
 +
#
 +
</pre>
 +
 +
===Test the tunnel===
 +
* To check that datas are correctly encrypted through the tunnel, launch Wireshark on your host PC and put a capture filter on your host address:
 +
<pre class="host">
 +
$ sudo wireshark
 +
</pre>
 +
 +
* If you have securized a Telnet port, you can try to establish a connection between the system and your host with Telnet.
 +
Run the following command on your system:
 +
<pre class="apf">
 +
# telnet localhost
 +
 +
Entering character mode
 +
Escape character is '^]'.
 +
 +
Ubuntu 9.10
 +
laptop-jeremie-ubuntu login:
 +
 +
Password:
 +
Last login: Tue Dec 21 15:01:50 CET 2010 from localhost on pts/6
 +
Linux laptop-jeremie-ubuntu 2.6.31-20-generic-pae #58-Ubuntu SMP Fri Mar 12 06:25:51 UTC 2010 i686
 +
 +
To access official Ubuntu documentation, please visit:
 +
http://help.ubuntu.com/
 +
</pre>
 +
You have to connect to localhost because SSH will automatically redirect it to the address you specified when creating the tunnel.
 +
 +
* When you enter the password to connect to your host, check in Wireshark that you can't see the protocol name (Telnet in our example) nor the password in the datagrams. You must only see the TCP protocol and crypted datas.
 +
 +
{{Note|If you use an [[APF27 PPS]] configured board, you can use the script ''test_ssh_tunnel.sh'' to test the OpenSSH tunnel.}}
  
 
==Links==
 
==Links==
Line 68: Line 211:
 
* [http://matt.ucc.asn.au/dropbear/dropbear.html Dropbear Webpage]
 
* [http://matt.ucc.asn.au/dropbear/dropbear.html Dropbear Webpage]
 
* [[Telnet | Unsecured remote access with Telnet protocol]]
 
* [[Telnet | Unsecured remote access with Telnet protocol]]
 +
* [http://www.openssh.com/ OpenSSH Webpage]
 +
* [http://www.wireshark.org/ Wireshark Webpage]
  
 
[[Category:Network]]
 
[[Category:Network]]
 +
[[Category:Security]]

Latest revision as of 10:31, 2 April 2014

Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.
In short, SSH allows you to connect to your board from a remote PC using a secured/encrypted Ethernet connection.

Dropbear

Setup

We use the lightweight Dropbear SSH server. To install it on your rootfs, launch Buildroot configuration:

 $ make menuconfig
Package Selection for the target  --->
    [*] Networking  --->
        [*]   dropbear

Then rebuild your system and reflash your board.

 $ make

Usage

  • If you have reflashed your rootfs with dropbear installed, then at first startup it should generates your private and public keys:
 Generating RSA Key...
 Will output 1024 bit rsa secret key to '/etc/dropbear/dropbear_rsa_host_key'
 Generating key, this may take a while...
 Public key portion is:
 ssh-rsa ........
 Fingerprint: md5 82:a2:a3:65:8c:e4:2b:ec:35:27:03:23:2c:f8:91:e9
 Generating DSS Key...
 Will output 1024 bit dss secret key to '/etc/dropbear/dropbear_dss_host_key'
 Generating key, this may take a while...
 Public key portion is:
 ssh-dss 
 ........
 Fingerprint: md5 43:4d:e6:52:df:6b:1f:c3:93:e9:49:e3:92:e7:a1:b2
 Starting dropbear sshd:

Connection with password

 # passwd
 Changing password for root
 Enter the new password (minimum of 5, maximum of 8 characters)
 Please use a combination of upper and lower case letters and numbers.
 Enter new password: *****
 Re-enter new password: ******
 Password changed.
  • To test your SSH connection, then on your PC launch (replace 192.168.0.3 with your board IP):
 [armadeus] $ ssh root@192.168.0.3
 The authenticity of host '192.168.0.3 (192.168.0.3)' can't be established.
 RSA key fingerprint is 82:a2:a3:65:8c:e4:2b:xx:xx:xx:xx:xx:2c:f8:91:e9.
 Are you sure you want to continue connecting (yes/no)? yes
 Warning: Permanently added '192.168.0.3' (RSA) to the list of known hosts.
 root@192.168.0.3's password:
 
 BusyBox v1.2.2 (2007.06.25-15:53+0000) Built-in shell (ash)
 Enter 'help' for a list of built-in commands.
 #

Connection with public/private key

You can also connect to your system without needing a password. You only have to let the system know your host's public SSH key.

  • First, in directory /root, on your system, if you don't have a directory .ssh, create it:
 # mkdir /root/.ssh
  • Then you must give it the correct rights:
 # chmod 750 /root/.ssh
  • Now, if not already existing, create the file authorized_keys in /root/.ssh:
 # touch /root/.ssh/authorized_keys
  • Edit the file authorized_keys (with nano for instance) and copy-paste in it your host computer's public key contained in the file ~/.ssh/id_dsa.pub.
  • You can test your SSH connection by running the following command on your host PC (replace 192.168.0.3 with your board IP):
 $ ssh root@192.168.0.3
The authenticity of host '192.168.0.10 (192.168.0.10)' can't be established.
RSA key fingerprint is 7c:4b:e4:9c:6d:ea:6d:ca:ed:36:39:26:91:f9:82:30.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.10' (RSA) to the list of known hosts.

OpenSSH

OpenSSH is a tool that allows securized communications between two computers. It can be used to create a securized tunnel between two ports of the connected computers. All datas that go through this tunnel are encrypted.

Setup

Host PC (Ubuntu)

  • First you have to install telnetd to accept telnet connection from target and Wireshark, a network scanning tool, to check the data encryption :
 $ sudo apt-get install telnetd 
 $ sudo apt-get install xinetd
 $ sudo /etc/init.d/xinetd restart
 $ sudo apt-get install wireshark 
  • Then install OpenSSH server if necessary :
 $ sudo apt-get install openssh-server openssl
  • You now have to configure your OpenSSH server to accept connections from the securized port you will use to mask the real host port over SSH connection.

To do that, you have to add the port to the file /etc/ssh/sshd_config. For instance, we choose the port 32490:

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
Port 32490
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

Target (APF27)

The OpenSSH and OpenSSL packages must be selected in Buildroot (if not done by default).

  • First launch the Buildroot menu configuration:
 $ make menuconfig
  • Then select the packages:
Package Selection for the target  --->
    [*] Networking  --->
        [*]   openssh
    [*] Library -->
        Crypto -->
            -*-   openssl
            [*]      openssl binary
            [ ]      openssl additional engines
  • And compile your Buildroot with the command:
 $ make

Create SSH tunnel

  • On the target, run the following command to create the tunnel between the two machines:
 # ssh -fN -L $TARGET_PORT:localhost:$HOST_PORT -C $USERNAME@$HOSTNAME -p $VIRTUALPORT

Enter then the password to connect to your host.

  • For instance, if you want to securize the Telnet port 23 toward the address toto@192.168.0.210 with the virtual port 32490:
 # ssh -fN -L 23:localhost:23 -C toto@192.168.0.210 -p 32490
 jeremie@192.168.0.225's password: 
 #

Test the tunnel

  • To check that datas are correctly encrypted through the tunnel, launch Wireshark on your host PC and put a capture filter on your host address:
 $ sudo wireshark
  • If you have securized a Telnet port, you can try to establish a connection between the system and your host with Telnet.

Run the following command on your system:

 # telnet localhost

 Entering character mode
 Escape character is '^]'.

 Ubuntu 9.10
 laptop-jeremie-ubuntu login: 

 Password: 
 Last login: Tue Dec 21 15:01:50 CET 2010 from localhost on pts/6
 Linux laptop-jeremie-ubuntu 2.6.31-20-generic-pae #58-Ubuntu SMP Fri Mar 12 06:25:51 UTC 2010 i686

 To access official Ubuntu documentation, please visit:
 http://help.ubuntu.com/

You have to connect to localhost because SSH will automatically redirect it to the address you specified when creating the tunnel.

  • When you enter the password to connect to your host, check in Wireshark that you can't see the protocol name (Telnet in our example) nor the password in the datagrams. You must only see the TCP protocol and crypted datas.
Note Note: If you use an APF27 PPS configured board, you can use the script test_ssh_tunnel.sh to test the OpenSSH tunnel.


Links