SSH Tunneling in OpenWRT

Since I’m playing with OpenWRT on my home router I thought that I have to find a way to use it as an SSH tunnel. I could only log in with the root account and I didn’t want to use that. I wanted to use a different account, so that in case of compromise it wouldn’t bring any damage to my system.

The way to do this is by creating a new user on the OpenWRT box that will have its shell in /bin/false, which will deny access to the user but will still enable tunneling functionality. And of course, logging in will be done using ssh keys.

Create a new user and everything related

Normally, we can add a user using the “useradd” command. It didn’t work for my OpenWRT box so I had to do everything that “useradd” does, but manually.

The new user will be called “tunnelbuddy”, part of the “tunnelbuddy” group, with a home directory in “/home/tunnelbuddy” and will have the default shell in “/bin/false.

Add a new entry to /etc/passwd

echo “tunnelbuddy:*:1000:1000:tunnelbuddy:/home/tunnelbuddy:/bin/false” >> /etc/passwd

Add a new entry in /etc/group

echo “tunnelbuddy:x:1000:”

Create the home folder (optional) – this is not really needed for SSH tunneling but I wanted to have there for other purposes

mkdir -p /home/tunnelbuddy

Add the /bin/false shell to /etc/shells

echo “/bin/false” >> /etc/shells

Add the public key to server – copy your key to the OpenWRT box and run:

echo $(cat ~/.ssh/id_rsa.pub) >>/etc/dropbear/authorized_keys;chmod 0600 /etc/dropbear/authorized_keys

Everything is setup on the OpenWRT router. Now run the SSH tunnel command from your PC to the router:

ssh -ND localhost:1080 user@remotehost

Now, you have established an SSH tunnel to your OpenWRT box on port 1080. To try it, use port 1080 as a socks5 proxy in your browser.

In case of problems:

On the client run the SSH command with an increased level of verbosity (add a “v” to the ssh parameters) – ssh -vND localhost:1080 user@remotehost . This will give an idea of whats actually happening in the back.

On the OpenWRT box check out the logs using “logread”.

References

  • http://unixhelp.ed.ac.uk/CGI/man-cgi?ssh+1
  • http://wiki.openwrt.org/doc/howto/dropbear.public-key.auth
  • http://www.cyberciti.biz/faq/linux-binfalse-vs-sbinnologin-deny-login/
Print Friendly, PDF & Email