Tag Archive for 'ssh'

Conectarse a la web desde una maquina Unix sin conexión directa a Internet

Published
by
alex
on Thursday September 11th, 2008
in Unix & Linux
. Comments

Trabajo administrando maquinas Unix y Linux remotas por SSH. Muy amenudo me encuentro en la situacion de necesitar bajar algun paquete rpm o deb, algun parche,… o ejecutar un software que requiere conexion a Internet para actualizarse, registrarse,… y lo tipico es que la maquina en cuestion no tenga conexion a Internet.

Quizas podria pedir el acceso a traves de un proxy corporativo o bien que la gente de redes me abra temporalmente el acceso a la web a traves del firewall, pero eso son tramites y tiempo perdido.

Sin embargo, en mi puesto de trabajo, tengo acceso por un lado a la maquina Unix por SSH y por otro lado tengo acceso a Internet a traves de la red corporativa (o con una tarjeta 3G en el CPD ;-) )(directamente o mediante proxy). Vamos a ver como montar un tunel SSH y un proxy de andar por casa para unir ambas cosas y conseguir conexion temporal a la web desde la maquina Unix!

Continue reading ‘Conectarse a la web desde una maquina Unix sin conexión directa a Internet’

ShareThis / Compartelo

How does the Fonera updates itself?

Published
by
alex
on Saturday April 28th, 2007
in Fon & La Fonera and Unix & Linux
. Comments

Let’s see how the Fonera automatically updates itself.

Enter you La Fonera (by SSH). Edit your cron jobs and you’ll see that every day your Fonera runs the following command:

<pre>root@fon01:~# crontab -l
0 * * * * /bin/thinclient cron</pre>

During startup, your Fonera also runs “/bin/thinclient start” from /etc/init.d/N40thinclient.

Let’s see what is that thinclient about:

Firts, check that the last line of /bin/thinclient is commented, like this:

<pre># . /tmp/.thinclient.sh</pre>

Then, run the following command (It won’t upgrade your Fonera!)

<pre>root@fon01:~# sh -x /bin/thinclient start

+ echo mode=’start’ wlmac=’00:18:84:XX:XX:XX’ mac=’00:18:84:XX:XX:XX’ fonrev=’2′ firmware=’0.7.1′ chillver=’1.0-1′ thclver=’1.0′ device=’fonera’
+ ssh -T -p 1937 -i /etc/dropbear/key openwrt@download.fon.com
root@fon01:~#
</pre>

(I’ve XX’ed my MAC addresses for obvious privacy reasons).

So, here is how the Fonera start an automatic upgrade: it send by ssh some information about itself: macs, version and revision… What for?

The result of the last command is written into the /tmp/.thinclient.sh file, which is then supposed to be launched. Let’s look at it:

<pre>root@fon01:~# cat .thinclient.sh
cd /tmp
wget http://download.fon.com/firmware/update/0.7.1/2/upgrade.fon
/bin/fonverify /etc/public_fon_rsa_key.der /tmp/upgrade.fon

rm -f /tmp/.thinclient.sh

exit
</pre>

Ok, the the next step of the upgrade is to get the upgrade.fon file from FON, check it’s authenticity and extract it (fonverify)

From a Linux box (not my Fonera), I wget the file and run a hacked version of fonverify (skipping the verification of the file and only extracting it).

Running the fonverify scripts in my Linux, we will get the actual update tarball (in that case: upgrade_0713.tgz) and we will be able to see what it affects in our Fonera:

<pre>alegrome$ tar ztf upgrade_0713.tgz
bin/
bin/thinclient
etc/
etc/init.d/
etc/init.d/N45ntpclient
etc/functions.sh
etc/fon_revision
etc/banner
usr/
usr/lib/
usr/lib/webif/
usr/lib/webif/validate.awk
usr/lib/qos.sh
usr/bin/
usr/bin/haserl
www/
www/cgi-bin/
www/cgi-bin/webif/
www/cgi-bin/webif/adv_net.sh
www/cgi-bin/webif/adv_pf.sh
www/cgi-bin/webif/adv_wifi.sh
www/cgi-bin/webif/connection.sh
www/cgi-bin/webif/language.sh
www/cgi-bin/webif/password.sh
www/cgi-bin/webif/private.sh
www/cgi-bin/webif/public.sh
www/cgi-bin/webif/upgrade.sh
alegrome$
</pre>

Notice that the update from 7.1r2 to 7.1r3 modifies the /bin/thinclient script, what actually re-enabled the automatic updates! Beware of it.

ShareThis / Compartelo

Non-interactive ssh to your La Fonera

Published
by
alex
on Friday March 16th, 2007
in Fon & La Fonera
. Comments

The Dropbear mini ssh daemon doesn’t recognize $HOME/.ssh/authorized_keys files. However, you can configure authorized public keys in /etc/dropbear/authorized_keys (using the same format).

For example, you can do:

scp .ssh/id_rsa.pub root@fon01:/etc/dropbear/authorized_keys

The next time you access your Fonera box, you won’t need to enter root’s password ;-).

ShareThis / Compartelo

Shell access (ssh) on your Fonera

Published
by
alex
on Sunday March 4th, 2007
in Fon & La Fonera
. Comments

Movimiento FONRight after receiving my free La Fonera social router, I plugged it into my local home network, and registred it, as explained in the provided guide. The problem (I knew it later), is that when the Fonera boots, it connects to Fon and upgrades itself (and reconfigures itself also).

So, as I plugged my Fonera to Internet, it upgraded to the latest firmware revision, for which there is no known hack to get ssh shell access.

Today I searched for a way to succesfully downgrade my Fonera to it’s original firmware.

After trying several ways (found on the Internet) with no success, this is the way that finally worked for me:

* Configure your PC with ip 169.254.255.2/24
* Connect your PC and the Fonera with a direct cable (straight or crossover ethernet, doesn’t matter, the Fonera is smart enough)
* Press the reset button (down the fonera) for 20 seconds
* Release the button
* From the PC, ping 169.254.255.1 (As it cannot get any DHCP IP, the Fonera autoconfigure it’s eth0:1 with this zeroconf IP).
* Wait till it’s reachable (approx 2mn)

When the IP is reacheable (when the Fonera answers the ping requests), you can now apply the following hack:

Create on your PC 2 html files, with the following content:

step1.html:

step2.html

Now, open step1.html with your favorite browser and click the submit button (if your are asked for login/passwd, unless you changed it, try admin/admin). Once done, do the same with step2, and submit.

The dropbear ssh deamon should now be open on your Fonera! You can get a shell inside your Fonera: connect by ssh to 169.254.255.1 (port 22): user root and password admin, unless you changed it (the same passwd as the web UI).

Final steps are:

* Activate ssh permanently :

root@OpenWrt:~# mv /etc/init.d/dropbear /etc/init.d/S50dropbear

* Unlock firewalling rules :

root@OpenWrt:~# vi /etc/firewall.user

* Uncomment the following :

iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT

* Deactivate automatic Fonera updates :

root@OpenWrt:~# vi /bin/thinclient

* Comment the following line (last one) :

#. /tmp/.thinclient.sh

At this point I had some troubles with the Fonera not catching IP by DHCP. By advice of another fonero-geek and friend (Ivan!), I set up the Fonera to use a static IP (using the MyPlace web UI), and everything worked fine. Eventually this morning I changed back the Fonera to get it’s IP by DHCP and it actually worked too.

Some sources that inspired me a lot (and more):
http://imil.net/docs/fonera-ssh.txt
http://blog.blase16.de/2006/11/28/Hacking-Fonera

ShareThis / Compartelo

Close
Powered by ShareThis