Posts Tagged ‘ssh’
A server I helped to setup recently has its OS re-installed, and I
know that because I can no longer log onto it. I used to have an
ssh-tunneling account set up on that server too for people who need to
reach outside a certain great firewall, and it’s also gone with the
revamp–my father being one of the users. So I decided to add an
ssh-tunneling account to my router (with dd-wrt)
What I need is the public key of whoever is going to use it, in this
case my father’s–alternatively I can also make a pair of
private/public keys and distribute the private key to the target
users, but that kind of defies the purpose of a “private” key.
All I need to do is to put the following snippet into my router’s
startup script, which can be modified from the web interface of
administration -> commands.
The code goes as
mkdir -p /tmp/tunnel/.ssh
# somehow, /bin/false doesn't work
echo "tunnel:*:401:10:User,,,:/tmp/tunnel:/bin/sh" >> /tmp/etc/passwd
echo "public-key-content" >> /tmp/tunnel/.ssh/authorized_keys
public-key-content with the content of a
desired public key (or several).
And the last thing is to ask the end user to log onto your server once
in case the server’s key fingerprint is not yet in
Now conjure up the magical
ssh -Nf -D9999
I’ve been using gentoo’s net-misc/keychain for a while now for password-less ssh. I followed gentoo doc’s recommendation and added to my ~/.zlogin the following lines:
keychain id_rsa id_rsa_nopass --quiet source ~/.keychain/$HOST-sh
The only beef I’m having with this setup is that after each reboot, I have to type in both my password (for login) and the keyphrase of my ssh identity file (b/c keychain), which is kind of repetitive, if you know what I mean ;)
So there’s a little “aha!” moment when I found pam_ssh in today’s updates on gentoo-portage. In fact, it’s as simple as adding ssh into the USE flags of sys-auth/pambase and emerge -1 pambase. No more repetitive password entries!
After half day’s work, my dad and I successfully revived a 7-year-old Toshiba Satellite 3000 S353 laptop, and he happily confiscated it as his travelling laptop. However, in considering that most online banks in China still require some IE activeX controls, he insisted that I replace the ArchLinux in it with WinXP, and since he has grown accustomed to the ssh tunnelling between his desktop and mine for him to browse all those news sites blocked by the GFW, he asked if I can do the same thing on the new windows.
So here’s the thing. We’ll need a cygwin environment, in particular its openssh, psmisc, run and any POSIX compliant shell (e.g., ash). Suppose the cygwin environment is installed in d:\cygwin, create ssh-proxy.bat batch script as follows:
REM ssh-proxy.bat REM this will create a socks5 proxy at localhost:9999 REM @echo off d: cd cygwin\bin REM give remote server two sec to close an already-open connection killall ssh && sleep 2 REM use explicit invocation: REM run /bin/ssh -Nf -D9999 email@example.com REM or a `tunnel' profile in ~/.ssh/config: run /bin/ssh -Nf tunnel
and if you opt to use the ssh profile `tunnel’, put the following in ~/.ssh/config (windows absolute path d:\cygwin\home\USER\.ssh\config):
# ~/.ssh/config Host tunnel HostName your.ssh.server User user_name Compression yes DynamicForward 9999 # use pub-key auth for password-less connection. cf. SSH_CONFIG(5) #IdentityFile ~/.ssh/some_private_id_file
Now for each internet session, just run ssh-proxy.bat once when you need the proxy. The run command used in the batch script prevents the ssh command from creating a console window. It’s almost transparent for web browsing if you combine it with foxyproxy and Firefox.
As an afterthought, I probably could have done it with putty and AHK, suppose AHK can hide the putty window, but that’d take me sometime to learn the AHK syntax.