Since I’m playing with OpenWRT on my home router I thought that I have to find a way to use it as an SSH tunnel. I could only log in with the root account and I didn’t want to use that. I wanted to use a different account, so that in case of compromise it wouldn’t bring any damage to my system.
The way to do this is by creating a new user on the OpenWRT box that will have its shell in /bin/false, which will deny access to the user but will still enable tunneling functionality. And of course, logging in will be done using ssh keys.
Create a new user and everything related
Normally, we can add a user using the “useradd” command. It didn’t work for my OpenWRT box so I had to do everything that “useradd” does, but manually.
The new user will be called “tunnelbuddy”, part of the “tunnelbuddy” group, with a home directory in “/home/tunnelbuddy” and will have the default shell in “/bin/false.
Add a new entry to /etc/passwd
echo “tunnelbuddy:*:1000:1000:tunnelbuddy:/home/tunnelbuddy:/bin/false” >> /etc/passwd
Add a new entry in /etc/group
echo “tunnelbuddy:x:1000:”
Create the home folder (optional) – this is not really needed for SSH tunneling but I wanted to have there for other purposes
mkdir -p /home/tunnelbuddy
Add the /bin/false shell to /etc/shells
echo “/bin/false” >> /etc/shells
Add the public key to server – copy your key to the OpenWRT box and run:
echo $(cat ~/.ssh/id_rsa.pub) >>/etc/dropbear/authorized_keys;chmod 0600 /etc/dropbear/authorized_keys
Everything is setup on the OpenWRT router. Now run the SSH tunnel command from your PC to the router:
ssh -ND localhost:1080 user@remotehost
Now, you have established an SSH tunnel to your OpenWRT box on port 1080. To try it, use port 1080 as a socks5 proxy in your browser.
In case of problems:
On the client run the SSH command with an increased level of verbosity (add a “v” to the ssh parameters) – ssh -vND localhost:1080 user@remotehost . This will give an idea of whats actually happening in the back.
On the OpenWRT box check out the logs using “logread”.
References
- http://unixhelp.ed.ac.uk/CGI/man-cgi?ssh+1
- http://wiki.openwrt.org/doc/howto/dropbear.public-key.auth
- http://www.cyberciti.biz/faq/linux-binfalse-vs-sbinnologin-deny-login/