Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.
In short, SSH allows you to connect to your board from a remote PC using a secured/encrypted Ethernet connection.
We use the lightweight Dropbear SSH server. To install it on your rootfs, launch Buildroot configuration:
$ make menuconfig
Package Selection for the target ---> [*] Networking ---> [*] dropbear
Then rebuild your system and reflash your board.
- If you have reflashed your rootfs with dropbear installed, then at first startup it should generate your private and public host keys:
Generating RSA Key...
Will output 1024 bit rsa secret key to '/etc/dropbear/dropbear_rsa_host_key'
Generating key, this may take a while...
Public key portion is:
ssh-rsa ........
Fingerprint: md5 82:a2:a3:65:8c:e4:2b:ec:35:27:03:23:2c:f8:91:e9
Generating DSS Key...
Will output 1024 bit dss secret key to '/etc/dropbear/dropbear_dss_host_key'
Generating key, this may take a while...
Public key portion is:
ssh-dss ........
Fingerprint: md5 43:4d:e6:52:df:6b:1f:c3:93:e9:49:e3:92:e7:a1:b2
Starting dropbear sshd:
Connection with password
- Be sure to have set up a root password on your board. If not, then:
# passwd
Changing password for root
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password: *****
Re-enter new password: ******
Password changed.
- To test your SSH connection, launch the following on your PC (replace 192.168.0.3 with your board IP):
[armadeus] $ ssh root@192.168.0.3
The authenticity of host '192.168.0.3 (192.168.0.3)' can't be established.
RSA key fingerprint is 82:a2:a3:65:8c:e4:2b:xx:xx:xx:xx:xx:2c:f8:91:e9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.3' (RSA) to the list of known hosts.
root@192.168.0.3's password:
BusyBox v1.2.2 (2007.06.25-15:53+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
#
Connection with public/private key
You can also connect to your system without needing a password. You only have to let the system know your host's public SSH key.
- First, on your system, create the directory /root/.ssh if it does not already exist:
# mkdir /root/.ssh
- Then give it the correct permissions:
# chmod 750 /root/.ssh
- Now create the file authorized_keys in /root/.ssh if it does not already exist:
# touch /root/.ssh/authorized_keys
- Edit the file authorized_keys (with nano for instance) and paste into it your host computer's public key, contained in the file ~/.ssh/id_dsa.pub.
- You can test your SSH connection by running the following command on your host PC (replace 192.168.0.3 with your board IP):
$ ssh root@192.168.0.10
The authenticity of host '192.168.0.10 (192.168.0.10)' can't be established.
RSA key fingerprint is 7c:4b:e4:9c:6d:ea:6d:ca:ed:36:39:26:91:f9:82:30.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.10' (RSA) to the list of known hosts.
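The key installation steps above, as an added POSIX shell example (not code from this wiki page) that also checks the rule Dropbear enforces: it refuses public-key login when the home directory, .ssh or authorized_keys is group- or world-writable, so the 750 used above is accepted but 775 is not. The function names, the home directory argument and the sample key line are assumptions.

```shell
#!/bin/sh
# Added example: install a host public key for Dropbear and verify permissions.

# Return 0 if FILE's mode has neither the group nor the other write bit set
# (Dropbear silently ignores authorized_keys otherwise).
not_group_world_writable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    # keep only the last three octal digits (drop setuid/setgid/sticky)
    mode=$(printf '%s' "$mode" | sed 's/^.*\(...\)$/\1/')
    group=$(printf '%s' "$mode" | cut -c2)
    other=$(printf '%s' "$mode" | cut -c3)
    [ $((group & 2)) -eq 0 ] && [ $((other & 2)) -eq 0 ]
}

# Append PUBKEY_LINE to HOME_DIR/.ssh/authorized_keys exactly once, set the
# modes the page uses (750 on .ssh) plus 600 on the key file, then verify.
install_pubkey() {
    home_dir=$1
    pubkey_line=$2
    sshdir="$home_dir/.ssh"
    authkeys="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 750 "$sshdir"
    touch "$authkeys" && chmod 600 "$authkeys"
    # -F -x: match the whole line literally, so a key is never added twice
    if ! grep -Fxq -- "$pubkey_line" "$authkeys"; then
        printf '%s\n' "$pubkey_line" >> "$authkeys"
    fi
    not_group_world_writable "$home_dir" &&
    not_group_world_writable "$sshdir" &&
    not_group_world_writable "$authkeys"
}

# Number of key lines currently in an authorized_keys file.
count_keys() {
    grep -c '^ssh-' "$1"
}

# Usage on the board (hypothetical): sh install_pubkey.sh /root "$(cat /tmp/id_dsa.pub)"
if [ $# -eq 2 ]; then
    if install_pubkey "$1" "$2"; then
        echo "key installed, permissions OK"
    else
        echo "permission check failed: fix modes on $1, $1/.ssh, authorized_keys" >&2
    fi
fi
```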
OpenSSH is a tool that allows secured communications between two computers. It can be used to create a secured tunnel between two ports of the connected computers. All data that goes through this tunnel is encrypted.
Host PC (Ubuntu)
- First you have to install telnetd to accept telnet connections from the target, and Wireshark, a network protocol analyzer, to check the data encryption:
$ sudo apt-get install telnetd
$ sudo apt-get install xinetd
$ sudo /etc/init.d/xinetd restart
$ sudo apt-get install wireshark
- Then install the OpenSSH server if necessary:
$ sudo apt-get install openssh-server openssl
- You now have to configure your OpenSSH server to accept connections on the additional port you will use for the SSH tunnel that hides the real host port.
To do that, you have to add the port to the file /etc/ssh/sshd_config. For instance, we choose the port 32490:
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
Port 32490
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
The OpenSSH and OpenSSL packages must be selected in Buildroot (if not done by default).
- First launch the Buildroot menu configuration:
$ make menuconfig
- Then select the packages:
Package Selection for the target --->
    [*] Networking --->
        [*] openssh
    [*] Library -->
        Crypto -->
            -*- openssl
            [*] openssl binary
            [ ] openssl additional engines
- And compile your Buildroot with the command:
Create SSH tunnel
- On the target, run the following command to create the tunnel between the two machines:
# ssh -fN -L $TARGET_PORT:localhost:$HOST_PORT -C $USERNAME@$HOSTNAME -p $VIRTUALPORT
Then enter the password to connect to your host.
- For instance, to secure the Telnet port 23 toward your host $HOSTNAME with the virtual port 32490:
# ssh -fN -L 23:localhost:23 -C $USERNAME@$HOSTNAME -p 32490
$USERNAME@$HOSTNAME's password:
#
Test the tunnel
- To check that data is correctly encrypted through the tunnel, launch Wireshark on your host PC and set a capture filter on your host address:
$ sudo wireshark
- If you have secured a Telnet port, you can try to establish a connection between the system and your host with Telnet.
Run the following command on your system:
# telnet localhost
Entering character mode
Escape character is '^]'.
Ubuntu 9.10
laptop-jeremie-ubuntu login:
Password:
Last login: Tue Dec 21 15:01:50 CET 2010 from localhost on pts/6
Linux laptop-jeremie-ubuntu 2.6.31-20-generic-pae #58-Ubuntu SMP Fri Mar 12 06:25:51 UTC 2010 i686
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have to connect to localhost because SSH will automatically redirect it to the address you specified when creating the tunnel.
- When you enter the password to connect to your host, check in Wireshark that you can see neither the protocol name (Telnet in our example) nor the password in the datagrams. You must only see the TCP protocol and encrypted data.