Ssh tips and tricks, part 2
The next trick I am going to show is how to build a local-forward tunnel with ssh.
To be clear, the machines that I am using in my guides are example servers for this blog, so you should set up your own test servers to play around with. Check Wikipedia for more background info on the example.net domain.

OK, now for the example. Imagine you have something like Tomato running on your home router joffie.example.net. Imagine the router has an ssh shell enabled that allows you to log into the router from the evil Internet using ssh on the non-default port 666. All other ports are filtered, including the web interface of the router. The web interface can only be viewed from the router's local network. But what if you want to view it from the Internet?
One trick to get around this is to build an ssh tunnel: you@internetcafe $ ssh -p 666 -L 4443:localhost:443 root@joffie.example.net. This command logs in to the router, and at the same time forwards local port 4443 on your machine to port 443 (https) on joffie.example.net's own loopback interface: the localhost in the -L argument is resolved by the router, not by the machine you type the command on. After this command you should be able to browse to https://localhost:4443/ on the machine you started the ssh connection from. And voilà: the management interface of the router! From the router's point of view, the traffic originates from the router itself.
Some problems you might encounter here are messages like:
bq. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
And a bit more error text. These are easy to understand: from the ssh client's point of view, the host key of localhost has changed. You can bypass this check by extending the above command with -o NoHostAuthenticationForLocalhost=yes. Note that this option only disables host key checking for connections to loopback addresses, i.e. the ones that go through your tunnel; the host key of the router itself is still verified.
All of this fits into a ~/.ssh/config too:
bq. # "ssh rtr" now does the same as the long command above
Host rtr
Hostname joffie.example.net
Port 666
User root
LocalForward 4443 localhost:443
NoHostAuthenticationForLocalhost yes
If you have an internal website running behind that router, you can also replace localhost with the IP address of the internal web server. Bear in mind that that internal server, just like the router's web interface in the first example, sees the traffic as coming from the router. So if you've given other people shell accounts on your server, check your .htaccess files to make sure a login is required to protect your private photo stash on that internal server!
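As an added example (not code from the original post), here is a small Python parser for the -L / LocalForward spec used above, covering both the command-line form and the ~/.ssh/config form. It also flags the case a practitioner wants to catch: a bind address other than loopback (or GatewayPorts yes) makes the router's web interface reachable by anyone on the internet cafe's network, not just by you. All sample specs are constructed for the example.

```python
"""Parse an OpenSSH -L / LocalForward spec ([bind_address:]port:host:hostport)
and flag listeners that are not loopback-only.  host:hostport is resolved on
the remote side, so 'localhost' in the example is the router's own loopback."""
import ipaddress

def _split(spec):
    """Split on ':' but keep bracketed IPv6 literals such as [::1] intact."""
    parts, cur, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        elif ch == ":" and depth == 0:
            parts.append(cur)
            cur = ""
            continue
        cur += ch
    parts.append(cur)
    return [p[1:-1] if p.startswith("[") and p.endswith("]") else p for p in parts]

def _loopback_only(bind):
    """True if the local listener is reachable only from this machine."""
    if bind == "localhost":
        return True
    if bind in ("", "*"):  # empty or '*' means every interface
        return False
    return ipaddress.ip_address(bind).is_loopback

def parse_local_forward(spec, gateway_ports=False):
    """Return the parsed spec plus an 'exposed' flag; ValueError on bad input."""
    parts = _split(spec)
    if len(parts) == 3:  # no bind address: ssh follows GatewayPorts (default no)
        bind, (port, host, hostport) = ("*" if gateway_ports else "localhost"), parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"expected [bind:]port:host:hostport, got {spec!r}")
    port, hostport = int(port), int(hostport)
    if not (1 <= port <= 65535 and 1 <= hostport <= 65535) or not host:
        raise ValueError(f"bad port or host in {spec!r}")
    return {"bind": bind, "port": port, "host": host, "hostport": hostport,
            "exposed": not _loopback_only(bind)}

def to_config(spec, gateway_ports=False):
    """Render the spec as a ~/.ssh/config LocalForward line."""
    f = parse_local_forward(spec, gateway_ports)
    bracket = lambda s: f"[{s}]" if ":" in s else s
    listen = str(f["port"]) if len(_split(spec)) == 3 else f"{bracket(f['bind'])}:{f['port']}"
    return f"LocalForward {listen} {bracket(f['host'])}:{f['hostport']}"
```

Running parse_local_forward("4443:localhost:443") gives exposed False, while "*:4443:192.168.1.10:443" (the internal-server variant bound on all interfaces) gives exposed True.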
Comments
Comment from Joffie
Time: October 19, 2007, 1:06 pm
There will be at least three more parts.
And yes, I am using tomato too on one of my wireless WRT54G routers. The other has the Atheros chipset (version 7), so tomato won’t run on that.
Comment from BOK
Time: October 19, 2007, 12:57 pm
The “NoHostAuthenticationForLocalhost” is very useful to hear about. Any part 3 in the pipeline?
BTW - you run Tomato (too) on a WRT54?