tech log on gentoo, linux, and random stuff

adding an ssh tunneling account to dd-wrt

with 2 comments

A server I helped to set up recently has had its OS re-installed, and I
know that because I can no longer log onto it. I used to have an
ssh-tunneling account set up on that server too, for people who need to
reach outside a certain great firewall, and it is also gone with the
revamp, my father being one of the users. So I decided to add an
ssh-tunneling account to my router (running dd-wrt).

What I need is the public key of whoever is going to use it, in this
case my father's. Alternatively I could generate a key pair myself and
distribute the private key to the target users, but that rather defeats
the purpose of a "private" key.

All I need to do is put the following snippet into my router's
startup script, which can be edited from the dd-wrt web interface
under Administration -> Commands.

The code goes as

# home directory for the tunnel account (/tmp is writable on dd-wrt)
mkdir -p /tmp/tunnel/.ssh
# '*' in the password field means no password can ever match, so only the key works
# somehow, /bin/false doesn't work as the login shell, so it stays /bin/sh
echo "tunnel:*:401:10:User,,,:/tmp/tunnel:/bin/sh" >> /tmp/etc/passwd
# one public key per line
echo "public-key-content" >> /tmp/tunnel/.ssh/authorized_keys

and replace public-key-content with the content of the desired public
key (one line per key if there are several).

The last step is to ask the end user to log onto the router once
interactively, so that the router's host key ends up in
his/her ~/.ssh/known_hosts before the tunnel is started in the background.

Now conjure up the magical ssh -Nf -D9999 tunnel@<router>: -N runs no
remote command, -f sends ssh to the background once authenticated, and
-D9999 opens a SOCKS proxy on local port 9999 whose traffic leaves
through the router.
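As an added example (not code from the original post), here is the startup snippet as a small POSIX sh script: the passwd entry is written only once even if the script re-runs, and the key is stored with authorized_keys options that deny a pty, agent forwarding and X11 forwarding, so it is only good for -N/-D tunnels. ROOT is a hypothetical prefix so the functions can be exercised in a scratch directory; on the router it stays empty and the paths match the post.

```shell
# ROOT is a hypothetical prefix for testing outside the router; on dd-wrt
# it is empty and the files land in /tmp/etc/passwd and /tmp/<name>/.ssh.
ROOT="${ROOT:-}"

# Create the home directory and the passwd entry.  The '*' in the password
# field means no password can ever match, so only the key works.  The grep
# keeps the entry from being appended twice if the startup script re-runs.
add_tunnel_user() {
    name="$1"; uid="$2"; gid="$3"
    home="/tmp/$name"
    mkdir -p "$ROOT$home/.ssh" "$ROOT/tmp/etc"
    if ! grep -q "^$name:" "$ROOT/tmp/etc/passwd" 2>/dev/null; then
        # /bin/false does not work as the shell on dd-wrt (see the post),
        # so keep /bin/sh and restrict the key instead
        echo "$name:*:$uid:$gid:User,,,:$home:/bin/sh" >> "$ROOT/tmp/etc/passwd"
    fi
    chmod 700 "$ROOT$home" "$ROOT$home/.ssh"
}

# Append one public key with options that deny a pty, agent forwarding and
# X11 forwarding, so the key is only good for -N/-D style tunnels.  Both
# dropbear (dd-wrt's ssh server) and OpenSSH understand these options.
# Anything that does not look like a key line is refused rather than written,
# and a key that is already present is not written a second time.
add_tunnel_key() {
    name="$1"; key="$2"
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "rejected key: $key" >&2; return 1 ;;
    esac
    f="$ROOT/tmp/$name/.ssh/authorized_keys"
    grep -qF -- "$key" "$f" 2>/dev/null ||
        echo "no-pty,no-agent-forwarding,no-X11-forwarding $key" >> "$f"
    chmod 600 "$f"
}

# Startup-script usage (the key content is a placeholder, as in the post):
# add_tunnel_user tunnel 401 10
# add_tunnel_key tunnel "ssh-rsa AAAA... father@home"
```

The login shell is still /bin/sh, so a user who skips -N can run non-interactive commands; a forced command= option in the same authorized_keys line is the next tightening step if that matters.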

Written by zsh

August 9, 2010 at 5:30 pm

Posted in no cat is good cat

2 Responses

  1. What access would such an account have? Would it be ‘read-only’ as far as router settings go? I’d like to add a user with access to a limited functionality of sending a WOL packet and nothing more.


    March 13, 2014 at 11:16 am

    • I’m not sure. I’m not familiar with permission management on dd-wrt. I already forgot why I had chosen 401 and 10 as uid and gid. By default dd-wrt has both set to 0 for ‘root’. As far as I can tell the tunnel user can’t do anything to the file system other than reading. Presumably non-root users are fairly restricted regarding what they can do on the router.


      March 14, 2014 at 1:18 am
