All info about telnet n ssh and command line interface....
Using Telnet
- Open the command prompt and type "telnet" (On Windows vista/7 you will need to install it from "programs and features").
- connect to <Router_LAN_IP> e.g. 192.168.1.1 so in the command prompt, this would look like:
telnet 192.168.1.1
- When asked for the username, enter root (even if you changed username in web interface)
- When asked for the password, enter your router's password (default "admin")
SSH
Overview
SSH, or Secure Shell, is an encrypted protocol and associatedprogram intended to replace telnet. It can also be used for creatingsecure tunnels, somewhat akin to Virtual Private Networks, and for useas a network file system (Sshfs). Unless changed, everything SSH operates on port 22.SSH operates just as telnet with a user/password combination oron a Public/Private key infastructure. For the latter to work, a smallpublic key is given to the server and the server gives your client itspublic key. Your client encrypts information to the server using theservers public key and the server encrypts information sent to youusing your public key. Private keys are never exchanged, and are usedto decrypt the information encrypted with the associated public key.
The DD-WRT firmware can use user/pass logon or only allowsconnections from clients whose public keys are manually entered via theweb interface. Multiple keys can be entered by placing them on separatelines.
If you want to use user/password to login using SSH use user "root" with the password you set in the webinterface
Actually you can manually set (via telnet or ssh) the sshd_authorized_keys nvram variable.ie nvram set sshd_authorized_keys=key1 key2 key3 etc
You can also manually edit /tmp/root/.ssh/authorized_keys and add keys (although these will disappear on a reboot unless you have a startup script altering them).
It is worth pointing out ssh keys are quite long strings of characters so if you paste them in youhave to be careful that you don't get any line breaks (ie it is one Long continuous line).or they will not work.
Setting Up
Public key method
Public key authentication is one of the most secure methods oflogging into SSH. It functions similar to HTTPS, as all transmissionsare encrypted with a key that only the client and server will have.Another plus...if you use this method instead of passwordauthentication, no one will be able to crack away at your router tryingto guess the password!To enable it, first you should generate a Public/Private keypair on your desktop machine. This can be done through the "Puttygen"utility if you're using either Putty or WinSCP as clients. Copy the public keyto the clipboard and save the private key somewhere on your computer.There is no need to save the public key. If you forget it, you caninstruct Puttygento open your private key file rather than generating a new key pair andit will tell you your public key. Users of non-windows environments mayuse the ssh-keygen(1) utility:
It is recommended that you don't secure your key pair with apassword, as this will make things easier for you, although somewhatless secure.user@machine:~> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
68:1c:50:0e:76:c1:d0:c7:9e:5e:5a:65:78:20:5c:fb user@machine.example.com
- Using the Web Interface, go to the Administration tab. (in v24 use Services tab)
- Under the Services sub-tab, Enable SSHd in the Secure Shell section. If new options don't appear, Save Settings
- Paste your public key in the authorized key of the SSHD section that has now expanded. You will need to generate this on your desktop if you don't have one yet.
- Save and Apply Settings
ssh-rsa AAAAB4NfaC3yc5 ... jZfYmBTi7Q== rsa-key-20101024Alternate method:
Connect with ssh (login/password :0)Remember to enter your key as an entire characters line (no space, tab...)
root@wrt54g:~# nvram set sshd_authorized_keys='ssh-rsa AAAAB4NfaC3yc5 ... jZfYmBTi7Q== rsa-key-20101024'
root@wrt54g:~# nvram commit
root@wrt54g:~# reboot
In Putty, you can enable key authentication by opening theSSH authentication configuration (Connection -> SSH -> Auth) andentering or browsing to your private key file. Also make sure yourauto-login username is root (in Connection -> Data).
Password Login method
If you don't want the hassle of generating ssh keys, you may use thepassword logon method. However, please be aware that this method ismuch less secure! (passwords may be truncated to 8 characters or less)- Using the Web Interface, go to the Administration tab. (in v24 use Services tab)
- Under the Services sub-tab, Enable SSHd in the Secure Shell section. If new options don't appear, Save Settings
- Enable Password Login to enable the password login
- Save and Apply Settings
Automatic Login (for shell scripts)
The Dropbear SSH client allows you to specify the password throughan environment variable. This is useful when you need dd-wrt toauto-login to another host via SSH.#the following requires dd-wrt v24 or later
DROPBEAR_PASSWORD='my password' ssh user@hostname
Security Tips
- Choose a random, non-standard port number >1024, especiallyif you enabled SSH access from the Internet! Most attackers will use aport scanner that only scans for common open ports by default. Scanningall 65535 ports is much slower for them, which makes it more difficultto find an attack vector and also more likely to be flagged by anIntrusion Detection System.
- Memorize, or record somewhere safe, your router's keyfingerprint! In the process of logging into your router, if you seethat the key fingerprint matches, you can rest assure noone is spyingon your connection (i.e. via man-in-the-middle attack). If the keyfingerprint does NOT match (your SSH client would likely notify you ofthis), something is wrong and you should consider terminating theconnection immediately! (Note: the router's key fingerprint may changeupon reset and/or upgrade, as it will likely generate a new key pair)
- For even more added security when using the public keymethod, you can password protect your private key. This way, if someonemalicious happens to get ahold of it, they will still not be able tolog into your router without first cracking the password of the key.Otherwise, if the keys are unprotected, anyone who stumbles upon themcould likely gain immediate root access to your router and network.
SSH Shell Client
Provides a secure alternative to standard telnet.A good Windows Client to use is Putty
Configure the client to use the Private Key you saved earlier.
Most Linux distros have telnet and SSH clients by default.
SSH Port Forwarding
SSH port forwarding is the ability to create encrypted tunnels topass traffic through, sort of like a VPN. Below we will discuss twodifferent approaches to SSH port forwarding; Local, and RemoteLocal Port Forwarding
A real world example:Suppose you have enabled remote SSH management on your router sothat you can access it from anywhere on the internet. You wisely leftremote HTTP and HTTPS management disabled (HTTP because it's insecureover the internet, HTTPS because it's resource intensive) but now youcan't connect directly to the Web Interface of your router... or so youthought ;)
This is where SSH port forwarding comes in. It makes itpossible to have secure communication to the router's Web Interfacewhich is really only listening for connections on the LAN interface.
Open up your SSH client and set up a Local port forward todestination localhost:80. Once the SSH connection is up, now youconnect to your own machine's source port eg. http://localhost:81*and it creates a secure tunnel to the Web Interface of the router. Nomore worries about someone spying on your router's traffic and/orpassword!
- 81 will be replaced with whatever port you have set for sshlocally on the router. For more information related to the tunnel setupsee here:
Requirements
- Remote SSH Management should be enabled, under Administration-> Management. (Note: For local forwards, this is only required ifyou're SSH'ing directly into the router from the WAN. Local forwardscan be of many other uses as well, such as tunneling traffic betweentwo LAN machines, or even over the Internet.)
Setup
Setting up a local port forward is relatively straightforward when using the PuTTY utility under Windows.See Connections -> SSH -> Tunnels. Make sure your configuration includes parameters as illustrated above. Namely,- Source port (port # on your computer)
- Destination IPAddress:Port (target machine and port #)
- Type: Local
Remote Port Forwarding
This is useful to tunnel things like RDP (Remote Desktop) through anencrypted SSH tunnel over the internet. For example, you want to beable to access your work computer from home.If you had:
HomePC <-> Router <-> Internet <-> Firewall <-> WorkPC
WorkPC, which is running RDP on port 3389, issues ssh -R 5555:localhost:3389 root@router.home
HomePC can use his RDP client to connect to port 5555 on therouter and this would create an SSH tunnel which will connect HomePC toport 3389 on the WorkPC.
Requirements
- DD-WRT v24 RC7+
- SSHd and SSH TCP Forwarding must be enabled under Services -> Secure Shell
- Remote SSH Management should be enabled as well, under Administration -> Management
Setup
Setting up a remote port forward is relatively straightforward when using the PuTTY utility under Windows.See Connections -> SSH -> Tunnels. Make sure your configuration includes parameters as illustrated above. Namely,- Local and Remote ports should accept connections from other hosts
- Source port (port # on the router, should be > 1024)
- Destination IPAddress:Port
- Type: Remote
SCP
Secure Copy (SCP) allows one to copy files to and from the router and a remote host--usually a desktop machine.Some good Windows clients to use are FileZilla and WinSCP.
Configure the client to use the Private Key you saved earlier, or use "root" and the webinterface password
Remember: only the /tmp and /jffs partitions are writable!
Drop Bear
DropBear is an SSH client/server installed by default on the WRT54G.DropBear allows one to connect from the WRT54G to a remote SSH serverfor scp, etc. I don't believe SSHD needs to be enabled through the Web Interface in order to use the client portion of DropBear.If you have an SSH server on your desktop machine (such as OpenSSH) you pull files from your desktop machine using the scp command. This can be used to copy files from your desktop machine in a Startup Script
The DD-WRT Command Line
aka the DD-WRT Linux shellThis is an 'ash' shell. Ash is a version of sh, literally 'A SHell' (A command Interpreter)
Basic Syntax
The Linux Command Shell (Ash) is not the same as the Windows/DOS command prompt./ (and not \) is used to separate directories in a path, just like the interweb.
In order to execute a command, the path for that command must be provided. This may either be a full path or a relative path.
Relative Path Operators
There are two relative path operators.. The current path
.. One directory above the current path
Examples
1) If you are in the /jffs/usr/bin directory and wish to run the /jffs/usr/bin/noip command use:/jffs/usr/bin # /jffs/usr/bin/noipor
/jffs/usr/bin # ./noip
2) If you are in the /jffs/usr/bin directory and wish to run the /jffs/usr/kismet command use:
/jffs/usr/bin # /jffs/usr/kismetor
/jffs/usr/bin # ../kismetor
/jffs/usr/bin # cd ..
/jffs/usr # ./kismet
3) Relative paths can also be used as arguments. If you installed the noip package, you'd notice that the command is installed as /jffs/usr/bin/noip but its configuration file is installed as /jffs/etc/no-ip.confWhen running noip, it is thus required to give it the path to itsconfiguration file with the -c command. This can be done like:
/jffs/usr/bin # ./noip -c /jffs/etc/no-ip.confor
/jffs/usr/bin # ./noip -c ../../etc/noip.confnotice that the first ../ brings us to /jffs/usr/. The second ../ brings us to /jffs/, and then the rest of the path can be appended.
4) While the other examples all showed how to save typing, youcan also really screw around with relative paths. To launch the noipcommand in example 1, you could also use
/jffs/usr/bin # ../../../jffs/./usr/./bin/././../bin/././noipHere we browse all the way back to the root / directory, then climb back up to /jffs/usr/bin, drop back down to /jffs/usr and then climb back up to /jffs/usr/bin.
Current path references of /./ are thrown in sporadically just to mix things up. Notice how /./ always references the then current path, not the original path of the shell when the command was entered.
Pipes and Redirects
The output of commands can be piped through other commands or redirected to devices and files.< and > are the redirect operators. < Takes input from a device or file and routes it as input to the command given. > Takes output from a command and redirects it as input for a device or file.Ex: If you don't want to see the output of a command, redirect it to the null device:
command > /dev/null| is the pipe character, and pipes the output through another command (for formatting, etc)Ex: the most common use of the pipe is to limit the output of a command:
command | moreThis is extremely useful for commands like nvram show which list some 800-1200 lines. nvram show | more will list the results 1 page at a time.
Background processes
It is possible to run programs in the background (returning you tothe command prompt immediately) by terminating your command with the & character.ex:command &Make sure you add a space between your command and the ampersand or you will result with a File not found error.
WEB-GUI (http[s]) Special note
The built-in WEB-GUI command line interface (Diagnostics.asp page) allows only about 200 characters max per line.Special characters such as " or | must be entered after a \
Example, if you want to set a text nvram value:
Instead of
nvram set svqos_svcs="edonkey p2p 0:0 40 | bittorrent p2p 0:0 40 |"Enter
nvram set svqos_svcs=\"edonkey p2p 0:0 40 \| bittorrent p2p 0:0 40 \|\"
Basic Commands
<command> -h The -h flag almost always provides help on a command. Use it!
ls List the contents of the current directory
cd <directory or full path> Change to that directory or path
cp <source> <destination> Copy the source file to the destination
cp -r <source> <destination> Copy the source directory to the destination directory
mv <source> <destination> Move the source file to the destination
mkdir <directory name> Create a new directory
wget <URI> Download the file at the given URI to the current path
tar -xz -f <file> un-gzip and un-tar the given *.tgz or *.tar.gz file
rm <file> Delete the file
rm -r <directory> Delete the directory and all contents
killall <program name> Kill all running processes of the program
ps Show running processes
top Show running processes in a graphical frontend
0 comments:
Post a Comment