Advanced AutoSSH Features

[fringes]

I've submitted some autossh feature requests including this one to support multiple port forwards and alternate SSH server ports. I know Seb has a lot on his plate before getting to these, so I was messing around and cloned AutoSSH, adding an "Advanced Settings" feature (mostly copy/pasting). Obviously, I can continue to modify the /etc/config/autossh file manually, but I wondered if this idea would get any traction, as it's so simple to implement.

Basically, I just modified includes/content/setup.php to add the following:

$args = exec("uci show autossh.@autossh[0].ssh | cut -f2- -d'='");

and:

<br />
<fieldset>
  <legend>Advanced Settings</legend>

  <form method="POST" action="/components/infusions/myautossh/functions.php?action=advancededit" id="advancedAutossh" onSubmit="$(this).AJAXifyForm(update_message); return fals
    <table>
      <tr><td>Advanced args:</td><td><input name='args' type='text' placeholder='<?=$args?>' value='<?=$args?>' size='150'</td></tr>
      <tr><td><input type='submit' name='submit' value='Save'></td></tr>
    </table>

  </form>
</fieldset>

And modified functions.php to add:

  if($_GET['action'] == "advancededit"){
    echo save_args($_POST['args']);
  }

and:

function save_args($args){
  exec('uci set autossh.@autossh[0].ssh="'.$args.'"');
  exec('uci commit autossh');
  return "<font color='lime'>AutoSSH configuration updated.</font>";
}

How would I make only one selected FieldSet/form active (Settings/Advanced Settings)?

I use autossh for more than one port forward (22 & 1471), and my SSH server port isn't 22. I'd also like to be able to access a remote mysql (-L 3306:localhost:3306). This feature allows me to do that from the UI.

Any thoughts or comments?

[Darren Kitchen]

It's a good feature request and you're right, both my and Seb's plates are very full as we scream full steam ahead into defcon. I'd like not to feature creep, however I absolutely love your suggestions.

Can you describe in detail the $args addition you've coded above? It's been a while since I've used the autossh feature (switched to openvpn) and I'm rusty. How does one add ports using this advanced settings?

Also can you clarify:

How would I make only one selected FieldSet/form active (Settings/Advanced Settings)?

I don't quite understand.

Very much appreciate the input and would love to get this rolled into the official build.

Cheers!

D

[fringes]

I (and a couple of others) had made some autossh infusion feature requests including multiple port forwards (-R and -L), different remote SSH port (-p), configuration backup, and multiple remote servers.

I currently: use my key from /root/.ssh, port forward both SSH and 1471, and connect to my server on a non-standard SSH port (necessity, not choice).

Since it looks like a lot of other items have higher priority, I thought I'd have a look at the existing system infusion myself to see what it would take. The existing code doesn't actually parse the /etc/config/autossh option ssh arguments, it just assumes each of the three arguments displayed are in a certain position. I had originally planned to see if I could improve the parsing of the args, but a simpler (stop-gap) measure seemed to just display/edit the entire argument list. I copy/pasted the relevant pieces of existing code and just tweaked them for my purposes. The $args= line just uses "uci show" (exactly like the other field parsers, except it grabs the entire arg list (everything after the "=" in the string returned by uci). I also added page refresh following the save. I tried to make as few changes as possible, while keeping the code style and techniques the same.

Regarding "only one selected FieldSet/form active (Settings/Advanced Settings)," I just wanted either the advanced or default options displayed, not both at the same time. I'd just have to play with showing/hiding divs or tables, but I don't think that's even necessary now.

So you're using OpenVPN with the pineapple? How's that working? We need an infusion for that. You did a segment (following your European tour) on switching to openVPN using Untangle. Some friends and I each tried to do that independently, and it seems that there was no way (via the UI) to get all client traffic to go through the tunnel. I believe they've finally fixed that with "full tunnel" option but I haven't tried it yet. Did you ever check your client IP after connecting? I ended up installing and configuring an openVPN server manually. It wasn't too difficult, you should do a show on that.

[Darren Kitchen]

Ok I see what you're doing now. I'll get this into the next autossh infusion update. Thanks for taking this on!

re: openvpn - it works like a charm. Here's a writeup: https://forums.hak5.org/index.php?/topic/32784-how-to-tunnel-mk5-through-vpn/

I'm working on the infusion. Hopefully will get it done before I leave for toorcamp, else it'll be a week+

[fringes]

Ok I see what you're doing now. I'll get this into the next autossh infusion update. Thanks for taking this on!

re: openvpn - it works like a charm. Here's a writeup: https://forums.hak5.org/index.php?/topic/32784-how-to-tunnel-mk5-through-vpn/

I'm working on the infusion. Hopefully will get it done before I leave for toorcamp, else it'll be a week+

Thanks Darren...

FYI, the changes I made work well for me, but you or Seb might want that field to be optional.

RE: re: openvpn - see the option ( push "redirect-gateway def1 bypass-dhcp")? That is what Untangle wouldn't do until recently. (They apparently do this via the new "Full Tunnel" option now. I haven't tried it.) You never resolved this on the show, and I was afraid you were connecting to your VPN, but weren't actually re-directing your internet traffic through it. I set up my own OpenVPN server the same way you did. The hardest part about the whole thing is the certificate management and distribution. I still use Untangle for some firewalls (when I'm not using Smoothwall Express).

I'm really looking forward to the infusion; I'll be watching for it.

The SSH tunnels will always be useful and I don't see the VPN replacing them for all purposes. I expect someone will find an application that requires a large database that they could not otherwise use without port forwarding the connection (-L) from a remote server.

Oh and before I forget, there's a group of options you can add to the authorized_keys file on the server to prevent your server from being compromised should someone compromise your pineapple and get the SSH keys. I don't recall you covering them on the show when you did the SSH segments, so I thought it'd be a good idea to mention them.