tech log on gentoo, linux, and random stuff

Posts Tagged ‘ssh’

adding an ssh tunneling account to dd-wrt


A server I helped to set up recently had its OS re-installed, and I
know that because I can no longer log onto it. I used to have an
ssh-tunneling account set up on that server too, for people who need to
reach outside a certain great firewall, and it is also gone with the
revamp; my father was one of the users. So I decided to add an
ssh-tunneling account to my router (running dd-wrt).

What I need is the public key of whoever is going to use it, in this
case my father’s. Alternatively I could also make a private/public key
pair and distribute the private key to the target users, but that kind
of defeats the purpose of a “private” key.

All I need to do is to put the following snippet into my router’s
startup script, which can be modified from the web interface of
dd-wrt: administration -> commands.

The code goes as

    # home directory under /tmp: recreated by this startup script at each boot
    mkdir -p /tmp/tunnel/.ssh
    # somehow, /bin/false doesn't work
    # uid 401, gid 10, "*" in the password field (no password login), shell /bin/sh
    echo "tunnel:*:401:10:User,,,:/tmp/tunnel:/bin/sh" >> /tmp/etc/passwd
    # one public key per line; repeat for every user who gets access
    echo "public-key-content" >> /tmp/tunnel/.ssh/authorized_keys

and replace public-key-content with the content of a
desired public key (or several).
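As an added example (not code from the original post), here is the same account setup written as a shell function that can be run more than once without duplicating the passwd line or the keys, and that ignores input lines which do not look like OpenSSH public keys. The root-prefix argument, the write_sample_keys helper and the key blobs inside it are all constructed for this example; on the router the function is called with an empty prefix.

```shell
#!/bin/sh
# Added example, not from the original post: the "tunnel" account setup from
# the dd-wrt startup snippet, made idempotent and with a sanity check on the
# keys. The first argument is a path prefix used only for trying it out on
# another machine; on the router pass "" so the real /tmp paths are used.

add_tunnel_account() {
    root="${1:-}"            # "" on the router, a scratch dir when testing
    keyfile="$2"             # one OpenSSH public key per line
    passwd="$root/tmp/etc/passwd"
    home="$root/tmp/tunnel"
    akeys="$home/.ssh/authorized_keys"

    mkdir -p "$home/.ssh" "${passwd%/*}" || return 1
    chmod 755 "$home" && chmod 700 "$home/.ssh"

    # same passwd line as the post; add it only if it is not already there
    # (the home dir in the entry is the router path, hence no prefix)
    grep -q '^tunnel:' "$passwd" 2>/dev/null ||
        echo "tunnel:*:401:10:User,,,:/tmp/tunnel:/bin/sh" >> "$passwd"

    touch "$akeys" && chmod 600 "$akeys"
    added=0
    while IFS= read -r line || [ -n "$line" ]; do
        # accept only lines that start like an OpenSSH public key
        case "$line" in
            "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
            *) continue ;;
        esac
        # skip keys already installed (exact whole-line match)
        grep -qxF "$line" "$akeys" || {
            printf '%s\n' "$line" >> "$akeys"
            added=$((added + 1))
        }
    done < "$keyfile"
    echo "$added"            # number of keys newly installed
}

# Constructed sample input for trying the function out; the key blobs are
# placeholders, not real keys.
write_sample_keys() {        # $1 = destination file
    cat > "$1" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA1 father@home
this line is not a key and must be ignored
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEYDATA2 friend@laptop
EOF
}

# On the router, in the startup script:  add_tunnel_account "" /tmp/keys.txt
```

Running the function a second time with the same key file reports 0 new keys and leaves a single tunnel line in the passwd file, so it is safe to keep in a script that runs at every boot.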

And the last thing is to ask the end user to log onto your server once,
in case the server’s host key fingerprint is not yet in
his/her ~/.ssh/known_hosts.
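That first login is trust-on-first-use: whoever sits in the middle of that one connection gets to supply the fingerprint. As an added example (not from the original post) of the alternative, the admin sends the fingerprint over a separate channel and the user installs the known_hosts entry only if the key file matches it. It assumes the admin can export the server's host public key in OpenSSH format (hostkey.pub is an assumed name; a dropbear host key on the router would have to be converted first) and that OpenSSH's ssh-keygen is installed on the user's machine.

```shell
#!/bin/sh
# Added example, not from the original post: give the user the server's host
# key up front instead of having them accept a fingerprint on first login.
# Requires OpenSSH's ssh-keygen. hostkey.pub is an assumed file name.

# Admin side: fingerprint of a public key file (e.g. "SHA256:...").
host_key_fingerprint() {          # $1 = public key file
    ssh-keygen -l -f "$1" | awk '{print $2}'
}

# User side: install a known_hosts entry for the server without connecting,
# refusing to do so if the key's fingerprint differs from the one the admin
# sent over another channel (phone, chat, paper).
pin_host_key() {   # $1 = server name, $2 = pubkey file, $3 = known_hosts, $4 = expected fingerprint
    actual=$(host_key_fingerprint "$2")
    if [ "$actual" != "$4" ]; then
        echo "refusing to pin $1: got '$actual', expected '$4'" >&2
        return 1
    fi
    keytype_and_blob=$(cut -d' ' -f1,2 "$2")
    # add the entry once (plain, unhashed known_hosts line)
    grep -q "^$1 " "$3" 2>/dev/null ||
        printf '%s %s\n' "$1" "$keytype_and_blob" >> "$3"
    # ssh-keygen -F looks the host up the same way ssh will
    ssh-keygen -F "$1" -f "$3" >/dev/null
}

# Throwaway key pair standing in for the server's real host key (constructed
# for the demo only).
make_demo_host_key() {            # $1 = directory; writes hostkey and hostkey.pub
    ssh-keygen -q -t ed25519 -N '' -f "$1/hostkey" </dev/null
}

# Usage on the user's machine, with the fingerprint received out of band:
#   pin_host_key your.ssh.server hostkey.pub ~/.ssh/known_hosts "SHA256:..."
```

With the entry in place, the first real connection no longer prompts, and a later mismatch produces ssh's host-key-changed warning instead of a silent acceptance.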

Now conjure up the magical ssh -Nf -D9999

Written by zsh

August 9, 2010 at 5:30 pm

Posted in no cat is good cat


sys-auth/pam_ssh and net-misc/keychain


I’ve been using gentoo’s net-misc/keychain for a while now for password-less ssh. I followed gentoo doc’s recommendation and added to my ~/.zlogin the following lines:

    keychain id_rsa id_rsa_nopass --quiet
    source ~/.keychain/$HOST-sh

The only beef I have with this setup is that after each reboot, I have to type in both my password (for login) and the passphrase of my ssh identity file (because of keychain), which is kind of repetitive, if you know what I mean ;)

So there was a little “aha!” moment when I found pam_ssh in today’s updates on gentoo-portage. In fact, it’s as simple as adding ssh to the USE flags of sys-auth/pambase and running emerge -1 pambase. No more repetitive password entries!

Written by zsh

July 27, 2009 at 10:40 pm

Posted in /etc, gentoo


create socks5 proxy using window-less openssh from cygwin


After half a day’s work, my dad and I successfully revived a 7-year-old Toshiba Satellite 3000 S353 laptop, and he happily confiscated it as his travelling laptop. However, considering that most online banks in China still require some IE ActiveX controls, he insisted that I replace the ArchLinux on it with WinXP, and since he has grown accustomed to the ssh tunnelling between his desktop and mine, which lets him browse all those news sites blocked by the GFW, he asked if I could do the same thing on the new Windows install.

So here’s the thing. We’ll need a cygwin environment, in particular its openssh, psmisc, run and any POSIX-compliant shell (e.g., ash). Suppose the cygwin environment is installed in d:\cygwin; create an ssh-proxy.bat batch script as follows:

    REM ssh-proxy.bat
    REM this will create a socks5 proxy at localhost:9999
    REM @echo off

    REM cygwin is assumed to live in d:\cygwin; /d also switches the drive
    cd /d d:\cygwin\bin

    REM give remote server two sec to close an already-open connection
    killall ssh && sleep 2

    REM use explicit invocation:
    REM run /bin/ssh -Nf -D9999 user_name@your.ssh.server
    REM or a `tunnel' profile in ~/.ssh/config
    REM (run starts ssh without opening a console window):
    run /bin/ssh -Nf tunnel

and if you opt to use the ssh profile ‘tunnel’, put the following in ~/.ssh/config (Windows absolute path d:\cygwin\home\USER\.ssh\config):

    # ~/.ssh/config
    Host tunnel
    HostName your.ssh.server
    User user_name
    Compression yes
    DynamicForward 9999
    # use pub-key auth for password-less connection. cf. SSH_CONFIG(5)
    #IdentityFile ~/.ssh/some_private_id_file

Now for each internet session, just run ssh-proxy.bat once when you need the proxy. The run command used in the batch script prevents the ssh command from creating a console window. It’s almost transparent for web browsing if you combine it with foxyproxy and Firefox.
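DynamicForward 9999 binds the SOCKS listener to loopback, which is what you want on a laptop that moves between networks; DynamicForward 0.0.0.0:9999, *:9999 or GatewayPorts yes would let anyone on the local network use the tunnel as an open proxy. The following check is an added example rather than anything from the original post: it scans an ssh_config-style file for DynamicForward entries bound beyond loopback. The sample config it writes reuses the host names from the post plus constructed ones, and it treats each Host section on its own, which is a simplification of how ssh merges options across sections.

```shell
#!/bin/sh
# Added example, not from the original post: flag DynamicForward listeners in
# an ssh_config-style file that would be reachable from other machines.
# ssh_config(5) syntax is "DynamicForward [bind_address:]port"; with no
# bind_address the port is bound to loopback unless GatewayPorts is yes.
# Simplifications: one Host section at a time, "Key value" form only.

exposed_dynamic_forwards() {      # $1 = config file; prints each exposed entry
    cfg="$1"
    gateway=no
    found=0
    while IFS= read -r raw || [ -n "$raw" ]; do
        line=${raw%%#*}                              # drop comments
        key=$(printf '%s\n' "$line" | awk '{print tolower($1)}')
        val=$(printf '%s\n' "$line" | awk '{print $2}')
        case "$key" in
            "") ;;                                   # blank line
            host) gateway=no ;;                      # new section, reset
            gatewayports) gateway=$(printf '%s' "$val" | tr 'A-Z' 'a-z') ;;
            dynamicforward)
                case "$val" in
                    *:*) bind=${val%:*} ;;           # bind_address:port
                    *)   bind="" ;;                  # port only
                esac
                bind=${bind#\[}; bind=${bind%\]}     # [::1]:port form
                exposed=no
                case "$bind" in
                    "")  [ "$gateway" = yes ] && exposed=yes ;;
                    localhost|127.0.0.1|::1) ;;
                    *)   exposed=yes ;;              # "*", 0.0.0.0, a LAN address
                esac
                if [ "$exposed" = yes ]; then
                    found=$((found + 1))
                    printf '%s\n' "$raw"
                fi
                ;;
        esac
    done < "$cfg"
    [ "$found" -eq 0 ]                 # exit status 0 when nothing is exposed
}

# Constructed sample config (hypothetical hosts) for trying the check out.
write_sample_config() {           # $1 = destination file
    cat > "$1" <<'EOF'
Host tunnel
    HostName your.ssh.server
    User user_name
    DynamicForward 9999            # loopback only: fine

Host lan-proxy
    HostName your.ssh.server
    DynamicForward 0.0.0.0:9999    # every address on this machine: exposed

Host gw
    HostName your.ssh.server
    GatewayPorts yes
    DynamicForward 9999            # exposed through GatewayPorts

Host v6
    HostName your.ssh.server
    DynamicForward [::1]:9999      # loopback only: fine
EOF
}

# Usage:  exposed_dynamic_forwards ~/.ssh/config && echo "all SOCKS listeners are local"
```

On the sample config the function prints the lan-proxy and gw entries and returns non-zero; on a config where every DynamicForward is either port-only without GatewayPorts or explicitly bound to localhost it prints nothing and returns 0.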

As an afterthought, I probably could have done it with putty and AHK, supposing AHK can hide the putty window, but that would take me some time to learn the AHK syntax.

Written by zsh

July 7, 2009 at 1:01 am