This article attempts to give a step-by-step guide to accessing your home network
securely from anywhere using SSH forwarding (an internet connection is a must, of
course). For completion's sake (don't ask me who Completion is, I don't know him
either), I will also cover how to configure your Linux machine to accept only
key-based authentication, so that a password alone is never enough.
There are always assumptions. This one assumes that:
1) You have a Linux machine connected to the internet through your home network
2) You have OpenSSH already installed on your Linux machine
3) You already have SSH access
4) Your router is configured to forward port 22 to the Linux machine running
OpenSSH
5) You're connecting to your Linux machine remotely via a Windows PC/notebook
(connecting via Mac or Linux is also possible but will not be covered here)
6) This article is targeted at ReadyNAS and NSLU2 (running uNSLUng firmware)
owners but is also applicable to any Linux machine
Great, then let's start
Install PuTTY and generate your own private key
===============================================
1) Download and install PuTTY on your PC (the client)
2) Open PuTTYgen, click on the SSH-2 RSA radio button and click on Generate. You
may change the Key comment to anything you want; it helps to be descriptive.
3) Enter a Key passphrase. Make sure it's a phrase and not a single word, and
also make sure it's known only to you. Then click on Save private key.
Now you have a private key. Don't close PuTTYgen yet.
Configure your login to use Public Keys
=======================================
1) SSH into your Linux machine (let's call this ssh_server) using your favorite
login
2) Create the .ssh directory
cd ~
mkdir .ssh
chmod 700 .ssh
3) Go back to PuTTYgen and copy the text in the "Public key for pasting into
OpenSSH authorized_keys file" box. It will look something like:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAje3r9k2PV1TyDOAZ0E/bG4t+NNxeH3c8hJmA1ayaFboA0Y61bfnwKJaFh3eN8aCI7r5CgybTgPUP06KSb1mql2NR+m7L6rwtAnqrAUg9Kx6Ocr9zZ2DgCFnKlGnjte7rh8le05R8l+oThf3PQyvWu68sJUMtCW7P3Ka/ikwv7xM= rsa-key-20080605
4) Now in your SSH session create the authorized_keys file:
cd ~/.ssh
vi authorized_keys
Then paste the public key that you copied from PuTTYgen. The whole key (type,
key data and comment) must sit on a single line in the file; a line break in the
middle of it will make sshd ignore the key.
5) Close PuTTYgen and make sure the authorized_keys file is not readable by
anyone else
chmod 600 authorized_keys
6) DON'T CLOSE YOUR CURRENT SSH SESSION YET! We still need to test the key you
created using PuTTY. Open PuTTY, type in the IP address of your Linux machine and
choose SSH for the connection type. Go to Category-> Connection-> SSH-> Auth,
then click on Browse and select the private key you saved earlier. Now click on
Open and try to log in. You should be prompted with something like:
login as: root
Authenticating with public key "root@Corinthian"
Passphrase for key "root@Corinthian":
Now type in the passphrase you entered in PuTTYgen and you should be logged in.
Hooray!
7) Then we need to edit sshd_config so that we prevent anyone from logging in
without the private key
vi /etc/ssh/sshd_config
Look for the PasswordAuthentication option, uncomment it and make sure it looks
like
PasswordAuthentication no
On systems where sshd uses PAM, also set ChallengeResponseAuthentication to no,
otherwise a password can still be accepted through keyboard-interactive
authentication. sshd honours the first occurrence of a directive, so check that
no earlier uncommented PasswordAuthentication line overrides yours.
8) Reload the sshd_config so that the changes are applied:
/etc/init.d/ssh reload -- if using a ReadyNAS device or a machine running Debian
/opt/etc/init.d/S**sshd -- if using an NSLU2 running uNSLUng firmware (change ** accordingly)
NOTE THAT MAKING THE ABOVE CHANGES TO sshd_config WILL PREVENT ANYONE WITHOUT
THE PRIVATE KEY FROM LOGGING IN TO YOUR LINUX MACHINE VIA SSH, INCLUDING
YOURSELF! IF YOU LOSE YOUR KEYS YOU WILL HAVE NO WAY TO SSH INTO YOUR LINUX
MACHINE (ReadyNAS users can do a firmware re-install to reset the sshd_config
and NSLU2 users running uNSLUng can enable telnet via the Admin Page)
Use SSH Forwarding to access your home network from any internet connected PC
=============================================================================
You can use SSH forwarding to forward ports to any IP on your home network.
Let's say your ssh_server also runs a web service like a BitTorrent web UI
listening on port 8082 that you want to access remotely:
1) Open up PuTTY and key in the public IP of your router (or your router's
dynamic DNS name if you have one), and load the private key the same way you did
when testing the key in Configure your login to use Public Keys above
2) Go to Category-> Connection-> SSH-> Tunnels
3) On Source port enter 8082, on Destination enter localhost:8082, click on the
Local radio button, then click on Add
4) Click on Open and log in
5) Once you're logged in, open your favorite browser and type
http://localhost:8082 in the address bar. You should now see your BitTorrent
web client ;)
So what exactly happened? What we just did is tell our SSH connection that
all traffic to port 8082 on the client will be carried through the tunnel to
port 8082 of ssh_server, which is where the BitTorrent web UI is running.
But what if you want to access an SVN repository that is running on a
different server in your network? You can also access that by telling SSH to
forward to a third host: the Destination is resolved from ssh_server's side of
the tunnel, so it can be any address ssh_server can reach. Assuming your
svn_server has an internal IP of 192.168.1.90 and is listening on the default
port 3690:
Source port 3690, Destination 192.168.1.90:3690, Local
Then in your SVN client use svn://localhost to access your repository
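For a Linux or Mac client (which the article does not cover), the two tunnels above map directly onto OpenSSH's -L option. The script below is an added example and not part of the original article; it assumes the key was exported from PuTTYgen in OpenSSH format (Conversions menu) to ~/.ssh/id_rsa, and user@gateway.example.net is a placeholder for your login and your router's dynamic DNS name.

```sh
#!/bin/sh
# Added example, not from the original article: build the OpenSSH -L arguments
# that match the PuTTY tunnel rules above. The login name and host used below
# are placeholders for your user and your router's dynamic DNS name.

# forward_arg SOURCE_PORT DESTINATION
# Turns one PuTTY "Source port / Destination / Local" rule into an OpenSSH -L
# argument. The listening side is pinned to 127.0.0.1 so the tunnel stays
# private to this PC even if a client config sets GatewayPorts (OpenSSH's
# equivalent of PuTTY's "Local ports accept connections from other hosts").
# DESTINATION is resolved by ssh_server, so "localhost" means ssh_server itself.
forward_arg() {
    sport="$1"; dest="$2"
    case "$sport" in
        ''|*[!0-9]*) echo "bad source port: $sport" >&2; return 1 ;;
    esac
    [ "$sport" -ge 1 ] && [ "$sport" -le 65535 ] ||
        { echo "source port out of range: $sport" >&2; return 1; }
    case "$dest" in
        *:*) dhost="${dest%:*}"; dport="${dest##*:}" ;;
        *)   echo "destination must be host:port: $dest" >&2; return 1 ;;
    esac
    case "$dport" in
        ''|*[!0-9]*) echo "bad destination port: $dport" >&2; return 1 ;;
    esac
    [ -n "$dhost" ] || { echo "empty destination host" >&2; return 1; }
    printf '%s' "-L 127.0.0.1:$sport:$dhost:$dport"
}

# tunnel_command prints (rather than runs) the complete command for the two
# services in the article, so it can be reviewed before use. -N opens no
# remote shell, only the forwards; -i points at the key exported from PuTTYgen.
tunnel_command() {
    printf 'ssh -N -i ~/.ssh/id_rsa %s %s %s\n' \
        "$(forward_arg 8082 localhost:8082)" \
        "$(forward_arg 3690 192.168.1.90:3690)" \
        user@gateway.example.net
}
```

While the printed command is running, http://localhost:8082 and svn://localhost on the client behave exactly as in the PuTTY steps above.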
It doesn't end there. You can use it for VNC, Remote Desktop Connection,
and yes, even remote printing or mounting Samba shares remotely.
Hope you find this useful. Cheers!