workstation> ssh -R3142:proxy:3142 server
server> ssh -R3142:127.0.0.1:3142 server_behind
server_behind> cat /etc/apt/apt.conf.d/01proxy
Acquire::http { Proxy "http://localhost:3142"; }
server_behind> apt-get update; apt-get upgrade
I need an ssh login for restricted port forwarding but without a shell for the user.
This is done in /etc/ssh/sshd_config:
...
Subsystem sftp internal-sftp
Match user USER
PasswordAuthentication yes
AllowAgentForwarding no
X11Forwarding no
ForceCommand internal-sftp
PermitOpen localhost:22
ChrootDirectory /home/USER
"PermitOpen" restricts local port forwarding to localhost:22 (remote port forwarding is not restricted by it).
But if the client requests a login shell, this fails.
Well, you could tell the client not to start a shell:
ssh -N -L2222:IP:22 USER@SERVER
PuTTY: in the SSH protocol options, enable "Don't start a shell or command at all"
or use your own login shell, in which the user can only press return to disconnect:
/etc/ssh/sshd_config:
...
Subsystem sftp internal-sftp
Match user USER
PasswordAuthentication yes
AllowAgentForwarding no
X11Forwarding no
PermitOpen 127.0.0.1:2222
ChrootDirectory /home/USER
sudo touch /home/USER/.hushlogin
sudo cp own_loginshell /home/USER/
/etc/passwd:
USER:x:ID:ID::/:/own_loginshell
own_loginshell.c:
/*
simple program to print to stdout and read from stdin without libc
taken from http://crazychenz.com/archives/107
(http://stackoverflow.com/questions/2548486/compiling-without-libc)
modified 2011 by Peter Holik (peter@holik.at)
gcc -nostdlib -nostartfiles -fno-builtin own_loginshell.c -o own_loginshell
(int $0x80 with these syscall numbers is the 32-bit x86 convention;
 on a 64-bit host add -m32, which needs the 32-bit gcc support installed)
*/
/* Types - I've defined these just to match the kernel's macros, typedefs, and structs */
typedef unsigned int size_t;

/* Syscalls */
void exit(int error_code) {
    /* The asm call is a GCC thing that allows us to put assembly
     * inline with our C code. This particular use is the extended version,
     * which provides a very clean and easy way to map variables in
     * our code with registers in the assembly code.
     * volatile keeps the compiler from dropping or reordering the trap.
     */
    asm volatile("int $0x80"
        : /* no output registers */
        : "a" (1), "b" (error_code)
    );
}

size_t read(unsigned int fd, char *buf, size_t count) {
    size_t ret;
    /* In this call, we have a return value, which we know will be
     * of type size_t, so we put the value of %eax into ret.
     * The "memory" clobber tells the compiler the kernel writes into buf.
     */
    asm volatile("int $0x80"
        : "=a" (ret)
        : "a" (3), "b" (fd), "c" (buf), "d" (count)
        : "memory"
    );
    return ret;
}

size_t write(unsigned int fd, const char *buf, size_t count) {
    size_t ret;
    asm volatile("int $0x80"
        : "=a" (ret)
        : "a" (4), "b" (fd), "c" (buf), "d" (count)
        : "memory"
    );
    return ret;
}

/* Notice that there is no main in this code, that is because
 * main is not _really_ required. All that is _really_ required
 * is the entry point for Linux to execute. I'd suggest
 * always using a main() for compatibility reasons.
 */
void _start() {
    const char *msg = "press enter to close connection";
    char key;   /* read into a writable byte, not into the read-only string literal */
    write(1, msg, 31);
    read(0, &key, 1);
    exit(0);
}
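A check for the Match block used in both variants above, written here as an added shell example; it is not part of the original post. It pulls the "Match user NAME" block out of an sshd_config-style file and reports whether the directives the restricted account relies on (AllowAgentForwarding no, X11Forwarding no, ChrootDirectory, and a PermitOpen that is not the "any" default) are all present. The two sample configs it writes to temporary files are constructed for the demonstration; the function and variable names are mine.

```shell
#!/bin/sh
# Added check (not from the original post): extract the "Match user NAME" block
# from an sshd_config and verify it carries the directives a restricted
# port-forward-only account needs. Exit 0 = passes, 1 = findings printed.

# Print "keyword value" (keyword lower-cased) for every directive inside the
# Match block of the given user; the block ends at the next Match line.
match_block() {   # $1 = config file, $2 = user name
    awk -v user="$2" '
        tolower($1) == "match" { inblock = (tolower($2) == "user" && $3 == user); next }
        inblock && NF && $1 !~ /^#/ { print tolower($1), $2 }
    ' "$1"
}

check_restricted_forward_user() {   # $1 = config file, $2 = user name
    block=$(match_block "$1" "$2")
    if [ -z "$block" ]; then
        echo "$2: no Match block found"
        return 1
    fi
    rc=0
    # the two side channels the post switches off explicitly
    for want in "allowagentforwarding no" "x11forwarding no"; do
        case "$block" in
            *"$want"*) ;;
            *) echo "$2: missing '$want'"; rc=1 ;;
        esac
    done
    case "$block" in
        *chrootdirectory*) ;;
        *) echo "$2: missing ChrootDirectory"; rc=1 ;;
    esac
    # PermitOpen must be present and must not be the "any" default
    case "$block" in
        *"permitopen any"*) echo "$2: PermitOpen any leaves -L/-D unrestricted"; rc=1 ;;
        *"permitopen "*) ;;
        *) echo "$2: missing PermitOpen"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples: the Match block from the post, and a weakened copy
# (X11Forwarding forgotten, PermitOpen widened, a second Match block follows).
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
Subsystem sftp internal-sftp
Match user USER
    PasswordAuthentication yes
    AllowAgentForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
    PermitOpen localhost:22
    ChrootDirectory /home/USER
EOF
BAD_CFG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
Match user USER
    AllowAgentForwarding no
    PermitOpen any
    ChrootDirectory /home/USER
Match user other
    X11Forwarding no
EOF

check_restricted_forward_user "$GOOD_CFG" USER && echo "good config: OK"
check_restricted_forward_user "$BAD_CFG" USER || echo "bad config: needs fixing"
```

The check reads the file as written; to see what sshd actually applies after defaults and Match evaluation, compare against `sshd -T -C user=USER` on the server itself.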
Server
needed packages: mgetty, pppd
start and stop mgetty when the USB modem is plugged in or removed (0572:1329 Conexant Systems (Rockwell), Inc.)
/etc/init/mgetty.conf
# mgetty - dialin daemon
description "mgetty daemon"
start on tty-device-added KERNEL=ttyACM0
stop on tty-device-removed KERNEL=ttyACM0
respawn
exec /sbin/mgetty -s 115200 -D /dev/ttyACM0
/etc/mgetty/login.config
/AutoPPP/ - a_ppp /usr/sbin/pppd auth +chap -pap name dialinserver remotename dialer debug
I use chap instead of pap because of the plain-text password used by pap.
/etc/ppp/chap-secrets
dialer dialinserver password *
/etc/ppp/options.ttyACM0
10.0.0.1:10.0.0.2
Client
needed packages: pppd
/etc/ppp/peers/dialinserver
noauth
connect "/usr/sbin/chat -v -f /etc/chatscripts/dialinserver"
debug
/dev/ttyS0
115200
defaultroute
noipdefault
name dialer
remotename dialinserver
/etc/chatscripts/dialinserver
ABORT BUSY ABORT 'NO CARRIER' ABORT VOICE ABORT 'NO DIALTONE' ABORT 'NO DIAL TONE'
ABORT 'NO ANSWER' ABORT DELAYED
'' ATZ
OK-AT-OK "ATDTnumber"
CONNECT \d\c
/etc/ppp/chap-secrets
dialer dialinserver password *
Connect with "pon dialinserver" and disconnect with "poff dialinserver".
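Why the login.config line above asks for CHAP rather than PAP, shown as an added shell example that is not part of the original post: a PAP Authenticate-Request carries the peer name and secret verbatim, while CHAP with MD5 (RFC 1994, what pppd's +chap negotiates) sends only MD5(identifier || secret || challenge), and the server recomputes that from its copy of the secret in chap-secrets. The secret "password" is the placeholder from the chap-secrets line; the identifier and challenge bytes are constructed here, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): what PAP and CHAP-MD5 put on the
# serial line for the shared secret. "password" is the placeholder secret from
# the chap-secrets line; identifier and challenge bytes are constructed.

SECRET="password"
# Constructed 8-byte CHAP challenge (bytes 12 34 56 78 9a bc de f0), written as
# \0ddd octal escapes so POSIX printf %b can emit it as raw bytes.
CHALLENGE='\0022\0064\0126\0170\0232\0274\0336\0360'

# PAP: the Authenticate-Request carries peer-id and password verbatim, so
# anyone on the path reads the secret directly.
pap_payload() {   # $1 = peer-id, $2 = secret
    printf '%s %s' "$1" "$2"
}

# CHAP-MD5 (RFC 1994 4.1): Response = MD5(Identifier || secret || Challenge).
# Only this hash travels; the secret itself never leaves either host.
chap_response() {   # $1 = identifier 0-255, $2 = secret, $3 = challenge (octal escapes)
    printf '%b%s%b' "$(printf '\\0%03o' "$1")" "$2" "$3" | md5sum | cut -d' ' -f1
}

# Server side: pppd looks the peer up in chap-secrets and recomputes the hash
# with the same identifier and challenge. Exit 0 = genuine, 1 = reject.
chap_verify() {   # $1 = identifier, $2 = stored secret, $3 = challenge, $4 = response
    [ "$(chap_response "$1" "$2" "$3")" = "$4" ]
}

resp=$(chap_response 1 "$SECRET" "$CHALLENGE")
echo "PAP sends : $(pap_payload dialer "$SECRET")"
echo "CHAP sends: id=1 response=$resp"
chap_verify 1 "$SECRET" "$CHALLENGE" "$resp" && echo "server: response matches chap-secrets entry"
chap_verify 1 "wrong" "$CHALLENGE" "$resp" || echo "server: response rejected for wrong secret"
```

Note that the verification step needs the plaintext secret on the server, so CHAP protects the line but not the file: /etc/ppp/chap-secrets must stay readable by root only.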
Many things changed with bluez4. Now everything is done through D-Bus calls.
apt-get install bluetooth bluez (on server and client)
First check the bdaddr on server and client:
Server:> hcitool dev
Devices:
hci0 00:01:1A:63:49:33
Client:> hcitool dev
Devices:
hci0 00:02:6E:53:42:78
Pairing:
Server:> /usr/share/doc/bluez/examples/test-adapter discoverable on
Server:> /usr/share/doc/bluez/examples/simple-agent
Client:> /usr/share/doc/bluez/examples/simple-agent 00:02:6E:53:42:78 00:01:1A:63:49:33
Hint: On newer systems use /usr/bin/bluez-test-adapter, /usr/bin/bluez-simple-agent and bluez-test-network
On Server:
Agent registered
RequestPinCode (/org/bluez/25897/hci0/dev_00_02_6E_53_42_78)
Enter PIN Code: 1234
(keep simple-agent running)
On Client:
RequestPinCode (/org/bluez/4078/hci0/dev_00_01_1A_63_49_33)
Enter PIN Code: 1234
Release
New device (/org/bluez/4078/hci0/dev_00_01_1A_63_49_33)
Pairing keys are stored hashed in /var/lib/bluetooth/<local bdaddr>/linkkeys
Network:
Client:> /usr/share/doc/bluez/examples/test-network.sh 00:01:1A:63:49:33
--- /usr/share/doc/bluez/examples/test-network
+++ /usr/share/doc/bluez/examples/test-network.sh
@@ -35,9 +35,10 @@
print "Press CTRL-C to disconnect"
try:
- time.sleep(1000)
- print "Terminating connection"
+ while 1:
+ time.sleep(1000)
except:
pass
+print "Terminating connection"
network.Disconnect()
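Review bot: the new `while 1: time.sleep(1000)` loop still sits under a bare `except:` with `pass`, which catches every exception (SystemExit included), not only the KeyboardInterrupt that the "Press CTRL-C to disconnect" prompt means; since the try body is now just the sleep loop, write it as `except KeyboardInterrupt:` so the intent is explicit and an unexpected error is not silently turned into the normal "Terminating connection" path that now follows unconditionally.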
(keep test-network running)
On Server:
Authorize (/org/bluez/25897/hci0/dev_00_02_6E_53_42_78, 0000000f-0000-1000-8000-00803f9b24fa)
Authorize connection (yes/no): yes
Now you can stop simple-agent.
Server:> ifconfig bnep0 192.168.0.1 netmask 255.255.255.0 up
Client:> ifconfig bnep0 192.168.0.2 netmask 255.255.255.0 up
Now you can ping each other.
To avoid having to start simple-agent on the server for connection authorisation each time, you can trust the client with:
Server:> /usr/share/doc/bluez/examples/test-device trusted 00:01:1A:63:49:33 on
Automation:
On my server I'm running a bridged network with DHCP support, therefore I use udev to add bnep to my bridge:
/etc/udev/rules.d/local.rules:
ACTION=="add", SUBSYSTEM=="net", KERNEL=="bnep?*", PROGRAM="/usr/sbin/brctl addif br0 %k"
Client:
/etc/udev/rules.d/local.rules:
ACTION=="add", SUBSYSTEM=="net", KERNEL=="bnep?*", PROGRAM="/sbin/dhclient -nw -pf /var/run/dhclient-%k.pid %k"
ACTION=="remove", SUBSYSTEM=="net", KERNEL=="bnep?*", PROGRAM="/usr/bin/pkill -9 dhclient"
You may need to reload udev!
On the client side you only have to keep running
/usr/share/doc/bluez/examples/test-network.sh 00:01:1A:63:49:33
Usually this should be done by NetworkManager, but this is not supported (currently).
Iodine server with public IP:
#> apt-get install iodine
For a "good" connection I used an MTU of 256 through my provider's DNS.
On the local network no MTU change was necessary.
/etc/default/iodine
START_IODINED="true"
IODINED_ARGS="-m 256 -l IODINE_SERVER_IP 10.0.0.1 tunnel.DOMAIN"
IODINED_PASSWORD="mypassword"
#> sysctl -e net.ipv4.ip_forward=1
#> iptables -t nat -A POSTROUTING -s 10.0.0.0/255.255.255.0 -o eth0 -j MASQUERADE
Bind9 server:
zonesfile:
zone "DOMAIN" in {
    type master;
    file "/etc/bind/zones/DOMAIN";
    allow-query { any; };
};
zone "tunnel.DOMAIN" in {
    type forward;
    forward only;
    forwarders {
        IODINE_SERVER_IP;
    };
};
zonefile:
tunnel 1D IN NS tunnelhost
tunnelhost 1D IN A IODINE_SERVER_IP
Client:
#> apt-get install iodine
#> iodine -m 256 -P mypassword tunnel.DOMAIN
#> route add default gw 10.0.0.1
Well, it seems that my provider drops packets with certain payloads in them:
#> ping -c1 -s 109 10.0.0.1 fails
but
#> ping -c1 -s 109 -p ff 10.0.0.1 succeeds