pembo
12-07-15, 15:24
Following is a pretty complex guide to setup SSH on your E2 box with public/private keys.
If you try this and get stuck at any point, let me know and I'll correct the below/try to help where I can.
This is not for the faint-hearted and needs a bit of Linux skills/understanding. If you attempt this without understanding what you're doing, then I definitely recommend a full image backup on USB so you can restore should you get anything wrong or lock yourself out of the box.
Download putty (including puttygen) if you've not already got this
Using puttygen, press 'Generate' to create an SSH2 key pair, move the mouse as instructed, and for added security, add a key passphrase.
Save the public key
Save the private key (you might want to take the opportunity to export it to the openssh and ssh.com formats here!)
Make sure you backup your private key and that it remains private - this will grant you access to your E2 box so you won't want to lose it!
Connect onto your E2 box with telnet and run the following commands
Install Nano (use of VI is beyond a lot of people :) )
opkg install nano
Create the authorized_keys file
cd ~
mkdir .ssh
cd .ssh
touch authorized_keys
nano authorized_keys
Paste in the key from the paste area of puttygen. It'll start with ssh-rsa and end with rsa-key-DATE
Press Ctrl+X to quit and save the file
Change the permissions using the following command
chmod 0600 authorized_keys
Now create a new connection to your E2 box in putty, but this time pick SSH (Not Telnet), and in the auth section point to your private key file. Then remember to save the session.
Connect using SSH and your private key and you should be prompted for your private key password (which can be different from the actual user password!)
Assuming this connects, then you'll want to remove password authentication via SSH and only allow certificate based authentication. To do this in your SSH session you just connected with, run the following commands
nano /etc/default/dropbear
add -s to the extra arguments, e.g.
DROPBEAR_EXTRA_ARGS="-s -B"
Press Ctrl+X and save
Restart dropbear
/etc/init.d/dropbear restart
Test your connection again - the connect with the private key should work. If you try to connect without the private key you'll get an error message.
Now we can take this a step further to allow secured external access
Forward a port in your router to the E2 box on port 22, but don't use 22 as the external port, use something such as 10100, 10101, 10102, 41001, 41002, etc, just make sure it's not a common port and something above 9999 but within the allowed range.
Once the forward is in place, you should now be able to SSH into your box externally by setting up an SSH connection with the private key on the external IP address/port. You'll need a dyn dns name or alternative if you haven't got a fixed ip to ensure you can always reach home. You might also want to configure the keepalives (under connection in putty) as if you're not using the SSH client directly (i.e. you're only using forwarded ports (next step!)) it will disconnect you after a time period without these in place.
SSH has a concept of forwarding ports through its connection, therefore you can set up port forwards in the SSH client to port 80, 8001 and 8002 forwarding to localhost:80, localhost:8001 and localhost:8002.
Once you've forwarded ports, as long as you are connected via SSH, you can open up a browser on the machine where you've connected from, go to http://localhost/ and you'll get to openwebif and can stream/transcode so long as you forward all the relevant ports over SSH.
Finally if you want to do this from a mobile, in android look at ConnectBot which is an SSH client with port forwarding. You can configure this to connect and forward the ports, then allowing you to use whatever streaming app you want to - you just connect to 'localhost' as you're connecting to ports forwarded via SSH, not to the external address.
Note - only forward the SSH port in the router (and never use the default SSH port - 22 as the external port!). Do not forward 80, 23, 8001, 8002 or any other port otherwise it's only a matter of time before you will be hacked.
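A small helper script, added here as an example and not part of pembo's post, that scripts the authorized_keys and /etc/default/dropbear steps above with the permission settings done for you. It assumes the home directory and config file are passed in as parameters; the function names and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added helper (not from the original post): installs a PuTTYgen public key
# into authorized_keys with safe permissions and adds dropbear's -s flag so
# only key-based logins are accepted. File paths are parameters so it can be
# tried against scratch files before being run as root on the real box.
set -u

# Accept only a single OpenSSH-format public key line of a known type.
valid_pubkey() {
    case "$1" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# install_authorized_key HOMEDIR "ssh-rsa AAAA... rsa-key-DATE"
# Creates HOMEDIR/.ssh (0700) and authorized_keys (0600); appends the key once.
install_authorized_key() {
    homedir=$1; pubkey=$2
    valid_pubkey "$pubkey" || { echo "rejected: not a public key line" >&2; return 1; }
    mkdir -p "$homedir/.ssh" && chmod 0700 "$homedir/.ssh"
    keyfile="$homedir/.ssh/authorized_keys"
    touch "$keyfile" && chmod 0600 "$keyfile"
    grep -qxF "$pubkey" "$keyfile" || printf '%s\n' "$pubkey" >> "$keyfile"
}

# dropbear_has_flag CFG FLAG: true if FLAG is a whole word in DROPBEAR_EXTRA_ARGS
# (so "-something" does not count as "-s").
dropbear_has_flag() {
    line=$(grep '^DROPBEAR_EXTRA_ARGS=' "$1" | tail -n 1)
    args=${line#DROPBEAR_EXTRA_ARGS=}
    args=${args#\"}; args=${args%\"}
    for a in $args; do [ "$a" = "$2" ] && return 0; done
    return 1
}

# dropbear_disable_passwords CFG: ensures -s is present, keeping existing flags
# such as -B, and adding the variable if the file does not define it yet.
dropbear_disable_passwords() {
    cfg=$1
    dropbear_has_flag "$cfg" -s && return 0
    if grep -q '^DROPBEAR_EXTRA_ARGS=' "$cfg"; then
        sed 's/^DROPBEAR_EXTRA_ARGS="/DROPBEAR_EXTRA_ARGS="-s /' "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        printf 'DROPBEAR_EXTRA_ARGS="-s"\n' >> "$cfg"
    fi
}
```

Run the functions against a scratch directory and a copy of /etc/default/dropbear first; only after the result looks right apply them to the real paths and restart dropbear as the post describes.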