SSH

From ArmadeusWiki
Revision as of 14:34, 23 December 2010 by JeremieS (Talk | contribs) (Create SSH tunnel)


Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.
In short, SSH allows you to connect to your board from a remote PC using a secured/encrypted Ethernet connection.

Dropbear

Setup

We use the lightweight Dropbear SSH server. To install it on your rootfs, launch Buildroot configuration:

 $ make menuconfig
Package Selection for the target  --->
    [*] Networking  --->
        [*]   dropbear

Then rebuild your system and reflash your board.

 $ make

Usage

  • If you have reflashed your rootfs with dropbear installed, then at first startup it should generate the board's private and public host keys:
 Generating RSA Key...
 Will output 1024 bit rsa secret key to '/etc/dropbear/dropbear_rsa_host_key'
 Generating key, this may take a while...
 Public key portion is:
 ssh-rsa ........
 Fingerprint: md5 82:a2:a3:65:8c:e4:2b:ec:35:27:03:23:2c:f8:91:e9
 Generating DSS Key...
 Will output 1024 bit dss secret key to '/etc/dropbear/dropbear_dss_host_key'
 Generating key, this may take a while...
 Public key portion is:
 ssh-dss 
 ........
 Fingerprint: md5 43:4d:e6:52:df:6b:1f:c3:93:e9:49:e3:92:e7:a1:b2
 Starting dropbear sshd:
  • Be sure to have set up a root password on your board. If not, then:
 # passwd
 Changing password for root
 Enter the new password (minimum of 5, maximum of 8 characters)
 Please use a combination of upper and lower case letters and numbers.
 Enter new password: *****
 Re-enter new password: ******
 Password changed.
  • To test your SSH connection, launch the following on your PC (replace 192.168.0.3 with your board IP):
 [armadeus] $ ssh root@192.168.0.3
 The authenticity of host '192.168.0.3 (192.168.0.3)' can't be established.
 RSA key fingerprint is 82:a2:a3:65:8c:e4:2b:xx:xx:xx:xx:xx:2c:f8:91:e9.
 Are you sure you want to continue connecting (yes/no)? yes
 Warning: Permanently added '192.168.0.3' (RSA) to the list of known hosts.
 root@192.168.0.3's password:
 
 BusyBox v1.2.2 (2007.06.25-15:53+0000) Built-in shell (ash)
 Enter 'help' for a list of built-in commands.
 #
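The fingerprint that the ssh client shows above should be compared with the one Dropbear printed on the board's console at first boot before answering "yes"; the following POSIX shell script, an added example that is not part of the Armadeus wiki, automates that comparison on constructed console and client text (the key material and fingerprints are sample values, not real keys). It assumes Dropbear's console format shown above and the OpenSSH client's "key fingerprint is" line.

```shell
#!/bin/sh
# Added example (not from the Armadeus wiki): cross-check the MD5 host-key
# fingerprint Dropbear prints on the board's console at first boot against the
# fingerprint the PC's ssh client shows on first connection. Only answer "yes"
# to the client prompt when the two match.

# Constructed sample of the board's console output (not a real key).
BOARD_CONSOLE=$(cat <<'EOF'
Generating RSA Key...
Will output 1024 bit rsa secret key to '/etc/dropbear/dropbear_rsa_host_key'
Public key portion is:
ssh-rsa AAAA...constructed...
Fingerprint: md5 82:a2:a3:65:8c:e4:2b:ec:35:27:03:23:2c:f8:91:e9
Generating DSS Key...
Will output 1024 bit dss secret key to '/etc/dropbear/dropbear_dss_host_key'
Fingerprint: md5 43:4d:e6:52:df:6b:1f:c3:93:e9:49:e3:92:e7:a1:b2
Starting dropbear sshd:
EOF
)

# Constructed samples of the client prompt: one matching the board, one not.
CLIENT_PROMPT=$(cat <<'EOF'
The authenticity of host '192.168.0.3 (192.168.0.3)' can't be established.
RSA key fingerprint is 82:a2:a3:65:8c:e4:2b:ec:35:27:03:23:2c:f8:91:e9.
Are you sure you want to continue connecting (yes/no)?
EOF
)
CLIENT_PROMPT_BAD=$(cat <<'EOF'
The authenticity of host '192.168.0.3 (192.168.0.3)' can't be established.
RSA key fingerprint is MD5:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff.
Are you sure you want to continue connecting (yes/no)?
EOF
)

# board_fingerprint CONSOLE_TEXT KEYTYPE -> the fingerprint printed after
# the "Generating <KEYTYPE> Key" line (KEYTYPE is rsa or dss).
board_fingerprint() {
    printf '%s\n' "$1" | awk -v t="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" '
        index($0, "Generating " t " Key") { want = 1 }
        want && /Fingerprint: md5/ { print tolower($NF); exit }'
}

# client_fingerprint PROMPT_TEXT -> fingerprint from the ssh client line,
# accepting both the bare "82:a2:..." and the newer "MD5:82:a2:..." spelling.
client_fingerprint() {
    printf '%s\n' "$1" | sed -n 's/.*key fingerprint is \(MD5:\)\{0,1\}\([0-9A-Fa-f:]*\).*/\2/p' \
        | tr '[:upper:]' '[:lower:]'
}

# check_host_key CONSOLE_TEXT PROMPT_TEXT -> exit 0 when the fingerprints match.
# The client says "DSA" where Dropbear says "DSS"; map one onto the other.
check_host_key() {
    ktype=$(printf '%s\n' "$2" | sed -n 's/^[[:space:]]*\([A-Za-z0-9]*\) key fingerprint is.*/\1/p')
    if [ "$ktype" = "DSA" ]; then ktype=DSS; fi
    expected=$(board_fingerprint "$1" "$ktype")
    seen=$(client_fingerprint "$2")
    [ -n "$expected" ] && [ "$expected" = "$seen" ]
}

if check_host_key "$BOARD_CONSOLE" "$CLIENT_PROMPT"; then
    echo "fingerprint matches the board console: safe to answer yes"
else
    echo "fingerprint MISMATCH: do not answer yes"
fi
```

Recent OpenSSH clients print SHA256 fingerprints by default; pass `-o FingerprintHash=md5` to the ssh client to get the MD5 form that Dropbear prints on the console, or compare the board's key directly with `ssh-keygen -lf` on a copy of the public key.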

OpenSSH

OpenSSH is a tool that allows secure communication between two computers. It can be used to create a secure tunnel between two ports of the connected computers. All data that goes through this tunnel is encrypted.

Setup

Host PC (Ubuntu)

  • First you have to install telnetd, to accept Telnet connections from the target, and Wireshark, a network protocol analyzer, to check that the data is encrypted:
 $ sudo apt-get install telnetd 
 $ sudo /etc/init.d/xinetd restart
 $ sudo apt-get install wireshark 
  • Then install the OpenSSH server if necessary:
 $ sudo apt-get install openssh-server openssl
  • You now have to configure your OpenSSH server to listen on the additional port that the SSH tunnel will use, so that the real host port is only reached through the encrypted SSH connection.

To do that, you have to add the port to the file /etc/ssh/sshd_config. For instance, we choose the port 32490:

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
Port 32490
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
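Editing sshd_config by hand works, but a second "Port" line pasted twice, or a typo in the number, leaves sshd refusing to start. The POSIX shell script below is an added example (not from the Armadeus wiki) that adds the extra port idempotently and validates the number first; it works on a constructed copy of the configuration excerpt above rather than on the live /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the Armadeus wiki): add an extra "Port" directive to
# an sshd_config file the way the page does by hand, but idempotently and with
# the value checked first. Work on a copy, then validate with "sshd -t" before
# touching the live /etc/ssh/sshd_config.

# list_sshd_ports FILE -> the active (uncommented) Port values, one per line
list_sshd_ports() {
    sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1"
}

# add_sshd_port FILE PORT -> inserts "Port PORT" right after the last active
# Port line (or appends it if there is none). Exit 2 on a bad port number,
# exit 1 if the port is already configured, 0 on success.
add_sshd_port() {
    cfg=$1; port=$2
    case $port in
        ''|*[!0-9]*) echo "invalid port number: '$port'" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 2
    fi
    if list_sshd_ports "$cfg" | grep -qx "$port"; then
        echo "Port $port is already configured in $cfg" >&2; return 1
    fi
    awk -v p="$port" '
        { line[NR] = $0; if ($0 ~ /^[[:space:]]*Port[[:space:]]+[0-9]+/) last = NR }
        END {
            for (i = 1; i <= NR; i++) {
                print line[i]
                if (i == last) print "Port " p
            }
            if (!last) print "Port " p
        }' "$cfg" > "$cfg.new" && mv "$cfg.new" "$cfg"
}

# Demo on a constructed copy of the page's configuration excerpt.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# Package generated configuration file
# What ports, IPs and protocols we listen for
Port 22
#ListenAddress 0.0.0.0
Protocol 2
EOF
add_sshd_port "$demo" 32490 && echo "active ports now: $(list_sshd_ports "$demo" | tr '\n' ' ')"
rm -f "$demo"
```

After applying the same change to the real file, run `sudo sshd -t` to check the syntax, then restart the server (`sudo /etc/init.d/ssh restart` on the Ubuntu of the page's era). Keeping "Port 22" alongside the new line matters: as soon as one Port directive is present, sshd listens only on the ports listed.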

Target (APF27)

The packages OpenSSH and OpenSSL must be compiled in Buildroot.

  • First launch the Buildroot menu configuration:
 $ make menuconfig
  • Then select the packages:
Package Selection for the target  --->
    [*] Networking  --->
        [*]   openssh
        -*-   openssl
        [*]      openssl binary
        [ ]      openssl additional engines
  • And compile your Buildroot with the command:
 $ make

Create SSH tunnel

  • On the target, run the following command to create the tunnel between the two machines (-f puts ssh in the background once authenticated, -N opens no remote shell, -L binds TARGET_PORT locally and forwards it to HOST_PORT on the host, -C enables compression and -p selects the sshd port configured above):
 # ssh -fN -L TARGET_PORT:localhost:HOST_PORT -C USERNAME@HOSTNAME -p VIRTUALPORT

Then enter the password to connect to your host.

  • For instance, to secure the Telnet port 23 towards toto@192.168.0.210 using the virtual port 32490:
 # ssh -fN -L 23:localhost:23 -C toto@192.168.0.210 -p 32490
 jeremie@192.168.0.225's password: 
 #

Test the tunnel

  • To check that data is correctly encrypted through the tunnel, launch Wireshark on your host PC and set a capture filter on your host address:
 $ sudo wireshark
  • If you have secured a Telnet port, you can try to establish a Telnet connection between the system and your host.

Run the following command on your system:

 # telnet localhost

You have to connect to localhost because SSH listens there (by default a -L forward binds only the loopback interface) and forwards the connection to the address you specified when creating the tunnel.

  • When you enter the password to connect to your host, check in Wireshark that you can see neither the protocol name (Telnet in our example) nor the password in the packets. You must only see the TCP protocol and encrypted data.
Note: If you use an APF27 PPS configured board, you can use the script test_ssh_tunnel.sh to test the OpenSSH tunnel.
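The same verification can be done from a text capture instead of by eye in Wireshark. The POSIX shell script below is an added example, not part of the Armadeus wiki or of test_ssh_tunnel.sh: it takes tcpdump-style `-n` summary lines (the lines embedded here are constructed, not a real trace), counts the packets reaching the host on the plaintext port versus the tunnel port, and fails when anything reached the host on port 23 in clear.

```shell
#!/bin/sh
# Added example (not from the Armadeus wiki): the check the page does by eye in
# Wireshark, run over a text capture. Given tcpdump-style "-n" summary lines,
# count the packets that reach the host on the plaintext port (23 for Telnet)
# versus the tunnel port (32490): a correctly built tunnel shows only the
# latter. The capture lines below are constructed, not a real trace.

CAPTURE_OK=$(cat <<'EOF'
12:00:01.000001 IP 192.168.0.225.41234 > 192.168.0.210.32490: Flags [S], seq 1, win 29200, length 0
12:00:01.000200 IP 192.168.0.210.32490 > 192.168.0.225.41234: Flags [S.], seq 2, ack 2, win 28960, length 0
12:00:01.000400 IP 192.168.0.225.41234 > 192.168.0.210.32490: Flags [P.], seq 1:77, ack 1, win 229, length 76
12:00:01.000600 IP 192.168.0.210.32490 > 192.168.0.225.41234: Flags [P.], seq 1:93, ack 77, win 227, length 92
EOF
)

# Same hosts, but the Telnet login is crossing the wire in clear (tunnel not used).
CAPTURE_LEAK=$(cat <<'EOF'
12:00:01.000001 IP 192.168.0.225.41234 > 192.168.0.210.32490: Flags [P.], seq 1:77, ack 1, win 229, length 76
12:00:02.000001 IP 192.168.0.225.40001 > 192.168.0.210.23: Flags [P.], seq 1:9, ack 1, win 229, length 8
12:00:02.000300 IP 192.168.0.210.23 > 192.168.0.225.40001: Flags [P.], seq 1:20, ack 9, win 227, length 19
EOF
)

# host_side_ports CAPTURE HOST_IP -> for every packet to or from HOST_IP,
# print the port used on the host's side (dst port if the host is the
# destination, src port if it is the source). tcpdump writes a.b.c.d.port.
host_side_ports() {
    printf '%s\n' "$1" | awk -v h="$2" '
        $2 == "IP" {
            sub(/:$/, "", $5)
            n = split($3, s, "."); sp = s[n]; shost = substr($3, 1, length($3) - length(sp) - 1)
            m = split($5, d, "."); dp = d[m]; dhost = substr($5, 1, length($5) - length(dp) - 1)
            if (dhost == h) print dp
            else if (shost == h) print sp
        }'
}

# tunnel_leak_check CAPTURE HOST_IP TUNNEL_PORT PLAIN_PORT -> exit 0 when the
# host saw traffic on TUNNEL_PORT and none on PLAIN_PORT, exit 1 otherwise.
tunnel_leak_check() {
    ports=$(host_side_ports "$1" "$2")
    tunneled=$(printf '%s\n' "$ports" | grep -cx "$3" || true)
    leaked=$(printf '%s\n' "$ports" | grep -cx "$4" || true)
    echo "packets on tunnel port $3: $tunneled, on plaintext port $4: $leaked"
    [ "$leaked" -eq 0 ] && [ "$tunneled" -gt 0 ]
}

tunnel_leak_check "$CAPTURE_OK"   192.168.0.210 32490 23 && echo "OK: nothing in clear"
tunnel_leak_check "$CAPTURE_LEAK" 192.168.0.210 32490 23 || echo "LEAK: plaintext traffic seen"
```

On the host, `sudo tcpdump -n -i eth0 host 192.168.0.210 > capture.txt` during the Telnet login produces lines of this shape, and `tunnel_leak_check "$(cat capture.txt)" 192.168.0.210 32490 23` gives the verdict; in Wireshark the equivalent is a display filter of `telnet`, which must stay empty while the tunnel is in use.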


Links