SSH

2011-01-07T13:30:42Z

JeremieS: Connection with public/private key

Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary. 
In short, SSH allows you to connect to your board from a remote PC using a secured/encrypted Ethernet connection.

==Dropbear==

===Setup===
We use the lightweight Dropbear SSH server. To install it on your rootfs, launch Buildroot configuration:
<pre class="host">
$ make menuconfig
</pre>
<pre class="config">
Package Selection for the target --->
[*] Networking --->
[*] dropbear
</pre>

Then rebuild your system and reflash your board.
<pre class="host">
$ make
</pre>

===Usage===
* If you have reflashed your rootfs with dropbear installed, then at first startup it should generates your private and public keys:
<pre class="apf">
Generating RSA Key...
Will output 1024 bit rsa secret key to '/etc/dropbear/dropbear_rsa_host_key'
Generating key, this may take a while...
Public key portion is:
ssh-rsa ........
Fingerprint: md5 82:a2:a3:65:8c:e4:2b:ec:35:27:03:23:2c:f8:91:e9
Generating DSS Key...
Will output 1024 bit dss secret key to '/etc/dropbear/dropbear_dss_host_key'
Generating key, this may take a while...
Public key portion is:
ssh-dss
........
Fingerprint: md5 43:4d:e6:52:df:6b:1f:c3:93:e9:49:e3:92:e7:a1:b2
Starting dropbear sshd:
</pre>

====Connection with password====
* Be sure to have setup a root password on your board. '''If not then:'''
<pre class="apf">
# passwd
Changing password for root
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password: *****
Re-enter new password: ******
Password changed.
</pre>

* To test your SSH connection, then on your PC launch (replace 192.168.0.3 with your board IP):
<pre class="host">
[armadeus] $ ssh root@192.168.0.3
The authenticity of host '192.168.0.3 (192.168.0.3)' can't be established.
RSA key fingerprint is 82:a2:a3:65:8c:e4:2b:xx:xx:xx:xx:xx:2c:f8:91:e9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.3' (RSA) to the list of known hosts.
</pre>
<pre class="apf">
root@192.168.0.3's password:

BusyBox v1.2.2 (2007.06.25-15:53+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
#
</pre>

====Connection with public/private key====
You can also connect to your system without needing a password.
You only have to let the system know your host's public SSH key.

* First, in directory ''/root'', on your system, if you don't have a directory ''.ssh'', create it:
<pre class="apf">
# mkdir /root/.ssh
</pre>

* Then you must give it the correct rights:
<pre class="apf">
# chmod 750 /root/.ssh
</pre>

* Now, if not already existing, create the file ''authorized_keys'' in ''/root/.ssh'':
<pre class="apf">
# touch /root/.ssh/authorized_keys
</pre>

* Edit the file ''authorized_keys'' (with '''nano''' for instance) and copy-paste in it your host computer's public key contained in the file ''~/.ssh/id_dsa.pub''.

* You can test your SSH connection by running the following command on your host PC (replace 192.168.0.3 with your board IP):
<pre class="host">
$ ssh root@192.168.0.3
The authenticity of host '192.168.0.10 (192.168.0.10)' can't be established.
RSA key fingerprint is 7c:4b:e4:9c:6d:ea:6d:ca:ed:36:39:26:91:f9:82:30.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.10' (RSA) to the list of known hosts.
</pre>

==OpenSSH==

OpenSSH is a tool that allows securized communications between two computers. It can be used to create a securized tunnel between two ports of the connected computers. All datas that go through this tunnel are encrypted.

===Setup===

====Host PC (Ubuntu)====
* First you have to install telnetd to accept telnet connection from target and Wireshark, a network scanning tool, to check the data encryption :
<pre class="host">
$ sudo apt-get install telnetd
$ sudo /etc/init.d/xinetd restart
$ sudo apt-get install wireshark
</pre>

* Then install OpenSSH server if necessary :
<pre class="host">
$ sudo apt-get install openssh-server openssl
</pre>

* You now have to configure your OpenSSH server to accept connections from the securized port you will use to mask the real host port over SSH connection.
To do that, you have to add the port to the file ''/etc/ssh/sshd_config''.
For instance, we choose the port 32490:
<pre class="host">
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
'''Port 32490'''
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
</pre>

====Target (APF27)====
The OpenSSH and OpenSSL packages must be selected in Buildroot (if not done by default).

* First launch the Buildroot menu configuration:
<pre class="host">
$ make menuconfig
</pre>

* Then select the packages:
<pre class="config">
Package Selection for the target --->
[*] Networking --->
[*] openssh
-*- openssl
[*] openssl binary
[ ] openssl additional engines
</pre>

* And compile your Buildroot with the command:
<pre class="host">
$ make
</pre>

===Create SSH tunnel===
* On the target, run the following command to create the tunnel between the two machines:
<pre class="apf">
# ssh -fN -L $TARGET_PORT:localhost:$HOST_PORT -C $USERNAME@$HOSTNAME -p $VIRTUALPORT
</pre>
Enter then the password to connect to your host.

* For instance, if you want to securize the Telnet port 23 toward the address toto@192.168.0.210 with the virtual port 32490:
<pre class="apf">
# ssh -fN -L 23:localhost:23 -C toto@192.168.0.210 -p 32490
jeremie@192.168.0.225's password:
#
</pre>

===Test the tunnel===
* To check that datas are correctly encrypted through the tunnel, launch Wireshark on your host PC and put a capture filter on your host address:
<pre class="host">
$ sudo wireshark
</pre>

* If you have securized a Telnet port, you can try to establish a connection between the system and your host with Telnet.
Run the following command on your system:
<pre class="apf">
# telnet localhost

Entering character mode
Escape character is '^]'.

Ubuntu 9.10
laptop-jeremie-ubuntu login:

Password:
Last login: Tue Dec 21 15:01:50 CET 2010 from localhost on pts/6
Linux laptop-jeremie-ubuntu 2.6.31-20-generic-pae #58-Ubuntu SMP Fri Mar 12 06:25:51 UTC 2010 i686

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
</pre>
You have to connect to localhost because SSH will automatically redirect it to the address you specified when creating the tunnel.

* When you enter the password to connect to your host, check in Wireshark that you can't see the protocol name (Telnet in our example) nor the password in the datagrams. You must only see the TCP protocol and crypted datas.

{{Note|If you use an [[APF27 PPS]] configured board, you can use the script ''test_ssh_tunnel.sh'' to test the OpenSSH tunnel.}}

==Links==
* http://en.wikipedia.org/wiki/Secure_shell
* [http://matt.ucc.asn.au/dropbear/dropbear.html Dropbear Webpage]
* [[Telnet | Unsecured remote access with Telnet protocol]]
* [http://www.openssh.com/ OpenSSH Webpage]
* [http://www.wireshark.org/ Wireshark Webpage]

[[Category:Network]]
[[Category:Security]]

APF27 PPS

2011-01-07T13:10:36Z

JeremieS: /* SSH terminal */

2010-12-22T16:50:00Z

JeremieS: /* Target (Buildroot) */

Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary. 
In short, SSH allows you to connect to your board from a remote PC using a secured/encrypted Ethernet connection.

==Dropbear==

===Setup===
We use the lightweight Dropbear SSH server. To install it on your rootfs, launch Buildroot configuration:
<pre class="host">
$ make menuconfig
</pre>
<pre class="config">
Package Selection for the target --->
[*] Networking --->
[*] dropbear
</pre>

Then rebuild your system and reflash your board.
<pre class="host">
$ make
</pre>

===Usage===
* If you have reflashed your rootfs with dropbear installed, then at first startup it should generates your private and public keys:
<pre class="apf">
Generating RSA Key...
Will output 1024 bit rsa secret key to '/etc/dropbear/dropbear_rsa_host_key'
Generating key, this may take a while...
Public key portion is:
ssh-rsa ........
Fingerprint: md5 82:a2:a3:65:8c:e4:2b:ec:35:27:03:23:2c:f8:91:e9
Generating DSS Key...
Will output 1024 bit dss secret key to '/etc/dropbear/dropbear_dss_host_key'
Generating key, this may take a while...
Public key portion is:
ssh-dss
........
Fingerprint: md5 43:4d:e6:52:df:6b:1f:c3:93:e9:49:e3:92:e7:a1:b2
Starting dropbear sshd:
</pre>

* Be sure to have setup a root password on your board. '''If not then:'''
<pre class="apf">
# passwd
Changing password for root
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password: *****
Re-enter new password: ******
Password changed.
</pre>

* To test your SSH connection, then on your PC launch (replace 192.168.0.3 with your board IP):
<pre class="host">
[armadeus] $ ssh root@192.168.0.3
The authenticity of host '192.168.0.3 (192.168.0.3)' can't be established.
RSA key fingerprint is 82:a2:a3:65:8c:e4:2b:xx:xx:xx:xx:xx:2c:f8:91:e9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.3' (RSA) to the list of known hosts.
</pre>
<pre class="apf">
root@192.168.0.3's password:

BusyBox v1.2.2 (2007.06.25-15:53+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
#
</pre>

==OpenSSH==

OpenSSH is a tool that allows securized communications between two computers. It can be used to create a securized tunnel between two ports of the connected computers. All datas that go through this tunnel are encrypted.

===Setup===

====Host PC (Ubuntu)====
* First you have to install telnetd to accept telnet connection from target and Wireshark, a network scanning tool, to check the data encryption :
<pre class="host">
$ sudo apt-get install telnetd
$ sudo /etc/init.d/xinetd restart
$ sudo apt-get install wireshark
</pre>

* Then install OpenSSH server if necessary :
<pre class="host">
$ sudo apt-get install openssh-server openssl
</pre>

* You now have to configure your OpenSSH server to accept connections from the securized port you will use to mask the real host port over SSH connection.
To do that, you have to add the port to the file ''/etc/ssh/sshd_config''.
For instance, we choose the port 32490:
<pre class="host">
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
'''Port 32490'''
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
</pre>

====Target (APF27)====
The packages OpenSSH and OpenSSL must be compiled in Buildroot.

* First launch the Buildroot menu configuration:
<pre class="host">
$ make menuconfig
</pre>

* Then select the packages:
<pre class="config">
Package Selection for the target --->
[*] Networking --->
[*] openssh
-*- openssl
[*] openssl binary
[ ] openssl additional engines
</pre>

* And compile your Buildroot with the command:
<pre class="host">
$ make
</pre>

===Create SSH tunnel===
* On the target, run the following command to create the tunnel between the two machines:
<pre class="host">
$ ssh -fN -L ''TARGET_PORT'':localhost:''HOST_PORT'' -C ''USERNAME''@''HOSTNAME'' -p ''VIRTUALPORT''
</pre>
Enter then the password to connect to your host.

* For instance, if you want to securize the Telnet port 23 toward the address toto@192.168.0.210 with the virtual port 32490:
<pre class="host">
$ ssh -fN -L 23:localhost:23 -C toto@192.168.0.210 -p 32490
</pre>

===Test the tunnel===
* To check that datas are correctly encrypted through the tunnel, launch Wireshark on your host PC and put a capture filter on your host address:
<pre class="host">
$ sudo wireshark
</pre>

* If you have securized a Telnet port, you can try to establish a connection between the system and your host with Telnet.
Run the following command on your system:
<pre class="host">
# telnet localhost
</pre>
You have to connect to localhost because SSH will automatically redirect it to the address you specified when creating the tunnel.

* When you enter the password to connect to your host, check in Wireshark that you can't see the protocol name (Telnet in our example) nor the password in the datagrams. You must only see the TCP protocol and crypted datas.

{{Note|If you use an [[APF27 PPS]] configured board, you can use the script ''test_ssh_tunnel.sh'' to test the OpenSSH tunnel.}}

==Links==
* http://en.wikipedia.org/wiki/Secure_shell
* [http://matt.ucc.asn.au/dropbear/dropbear.html Dropbear Webpage]
* [[Telnet | Unsecured remote access with Telnet protocol]]
* [http://www.openssh.com/ OpenSSH Webpage]
* [http://www.wireshark.org/ Wireshark Webpage]

[[Category:Network]]
[[Category:Security]]