Hi Martin,

Thanks for your reply.

On Mon, 18 Aug 2008 22:37:41 +0200 Martin Dummer <[EMAIL PROTECTED]> wrote:

> On Saturday, 16 August 2008 09:18:54 Terry Porter wrote:
> > Hi All,
> > I'm using FreeWRT on a Linksys WRT54G v3.1 as an Internet facing Reverse SSH
> > server and everything is working fine.
>
> What is a Reverse SSH server please?

It may be my terminology that is the problem?

A Reverse SSH server is like a normal SSH server, but does not allow the user
to do *anything* other than login on the host. Its sole purpose is to only
allow logins to *other* Linux boxes via SSH tunnelling.

> > I plan to use it to do remote Linux admin where the client SSHs to the
> > WRT54G from behind his firewall (most are adsl modem/routers) and I tunnel
> > back to him from behind my firewall via the WRT54G.
>
> This sounds complicated. A drawing would say more than 1000 words!

I'll try :)

target_machine----->reverse_ssh_server<--------target_machine_remote_admin_machine

> > Does anyone have any tips or keywords to throw my way to improve security
> > for this Internet only facing box which (will not normally have a local lan
> > connection when deployed)?
>
> I can't see what "unprivileged users" should do on a WRT54G - I assume you
> created some user accounts?

Only one account, and its sole purpose is to allow "target_machine" and
"target_machine_remote_admin_machine" an SSH tunnelling facility via the
"reverse_ssh_server".

> Up to my current understanding of the situation (which is quite small..) I
> would give the advice to let the "unprivileged users" ssh sessions end on a
> "big" linux box (with a complete linux distribution) and give the users a
> shell in a chroot environment. Then you have complete control what the users
> can do and which files they can see. You will find a lot of stuff about
> chroot environments in the internet - google is your friend.
> Example:
> http://www.howtoforge.com/chroot_ssh_sftp_debian_etch
>
> Cheers
> Martin

I think I finally have a solution, and this is what I have done:-

1) compiled "sleepershell" (http://www.mariovaldez.net/software/sleepshell/) in
the FreeWRT ADK and moved the cross compiled sleepershell binary into /etc on
the target, totally the wrong place for a linux binary, but the only place I
can easily save in FreeWRT given my noob status with FreeWRT.

2) Created a user "rssh::1001:1001:rssh-user:/tmp:/tmp/sleepshell"

Now when you log into the box, this is *all* you get, cli input does nothing:-

...............sample xterm output................
Connection: 222.253.177.162 56161 222.253.74.242 22
Client: 222.253.177.162 56161 22
Terminal: /dev/pts/1
***
....................................................

A star "*" is emitted from the reverse_ssh_server every 10 seconds, and serves
as an SSH keep-alive signal.

The sole purpose of my reverse_ssh_server is to allow me to administrate the
Linux boxes of friends and clients who are behind a firewall, where it provides
a 'middle' connection point for both them and myself.

I don't want a chroot, or a full blown server, I specifically wanted an
embedded unit, low power, read only (mostly) and easy to rebuild/reflash if
required. For this task, the WRT54G V3 and FreeWRT seem to provide the solution
to my needs.

See these URLs for more info on Reverse SSH:-
http://www.raiden.net/?cat=2&aid=429
http://danielwebb.us/software/ssh-reverse-tunnel/ssh-reverse-tunnel.txt
http://www.marksanborn.net/howto/bypass-firewall-and-nat-with-reverse-ssh-tunnel/

--
Best Regards
Terry Porter

_______________________________________________
freewrt-developers mailing list
[email protected]
https://www.freewrt.org/lists/listinfo/freewrt-developers
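The two tunnel legs behind the drawing in the message above, written out as an added example that is not from the thread, from FreeWRT or from sleepershell: target_machine publishes its own sshd on a loopback port of the WRT54G, and the admin machine reaches that port through a second session to the same tunnel-only account. The hostnames, port numbers and ssh client options are assumptions; the only name taken from the message is the "rssh" account.

```shell
#!/bin/sh
# Added example, not from the thread. Hostnames and ports below are
# placeholders; "rssh" is the tunnel-only account from the message.
RSSH_USER="rssh"               # tunnel-only account on the reverse_ssh_server
RSSH_HOST="reverse_ssh_server" # placeholder for the WRT54G's public name
TUNNEL_PORT=2222               # port the target publishes on the WRT54G
LOCAL_PORT=3333                # port the admin binds on his own machine

# Keepalive and failure options shared by both legs. ServerAliveInterval
# backs up the "*" the sleeper shell prints; ExitOnForwardFailure makes a
# port that is already taken a hard error instead of a silent half-tunnel.
common_opts() {
  printf '%s' "-o ServerAliveInterval=10 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes"
}

# Leg 1, run on target_machine: -N asks for no shell (the sleeper shell would
# only print stars anyway) and -R binds TUNNEL_PORT on the WRT54G's loopback,
# forwarding it back to the target's own sshd on port 22.
target_leg_cmd() {
  printf 'ssh -N %s -R 127.0.0.1:%s:127.0.0.1:22 %s@%s\n' \
    "$(common_opts)" "$TUNNEL_PORT" "$RSSH_USER" "$RSSH_HOST"
}

# Leg 2, run on the admin machine: -L binds LOCAL_PORT locally and forwards
# it to the port the target published; the admin then logs in with
# "ssh -p $LOCAL_PORT user@127.0.0.1" and the target's sshd is never exposed.
admin_leg_cmd() {
  printf 'ssh -N %s -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
    "$(common_opts)" "$LOCAL_PORT" "$TUNNEL_PORT" "$RSSH_USER" "$RSSH_HOST"
}

# Guard against a leg that would listen on a wildcard address: a forward
# bound to "*", 0.0.0.0 or an empty address would publish the target on the
# Internet-facing interface (sshd refuses that unless GatewayPorts is on).
check_leg() {
  case "$1" in
    *"$RSSH_USER@$RSSH_HOST"*) ;;       # must go through the WRT54G account
    *) return 1 ;;
  esac
  case "$1" in
    *" -R 0.0.0.0:"*|*" -R "[*]":"*|*" -R :"*) return 1 ;;
    *" -L 0.0.0.0:"*|*" -L "[*]":"*|*" -L :"*) return 1 ;;
  esac
  return 0
}

# Print both legs so the script is useful on its own.
target_leg_cmd
admin_leg_cmd
```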
