Jump to content

Advanced AutoSSH Features


fringes
 Share

Recommended Posts

I've submitted some autossh feature requests including this one to support multiple port forwards and alternate SSH server ports. I know Seb has a lot on his plate before getting to these, so I was messing around and cloned AutoSSH, adding an "Advanced Settings" feature (mostly copy/pasting). Obviously, I can continue to modify the /etc/config/autossh file manually, but I wondered if this idea would get any traction, as it's so simple to implement.

Basically, I just modified includes/content/setup.php to add the following:

$args = exec("uci show autossh.@autossh[0].ssh | cut -f2- -d'='");

and:

<br />
<fieldset>
  <legend>Advanced Settings</legend>

  <form method="POST" action="/components/infusions/myautossh/functions.php?action=advancededit" id="advancedAutossh" onSubmit="$(this).AJAXifyForm(update_message); return fals
    <table>
      <tr><td>Advanced args:</td><td><input name='args' type='text' placeholder='<?=$args?>' value='<?=$args?>' size='150'</td></tr>
      <tr><td><input type='submit' name='submit' value='Save'></td></tr>
    </table>

  </form>
</fieldset>

And modified functions.php to add:

  if($_GET['action'] == "advancededit"){
    echo save_args($_POST['args']);
  }

and:

function save_args($args){
  exec('uci set autossh.@autossh[0].ssh="'.$args.'"');
  exec('uci commit autossh');
  return "<font color='lime'>AutoSSH configuration updated.</font>";
}

How would I make only one selected FieldSet/form active (Settings/Advanced Settings)?

I use autossh for more than one port forward (22 & 1471), and my SSH server port isn't 22. I'd also like to be able to access a remote mysql (-L 3306:localhost:3306). This feature allows me to do that from the UI.

Any thoughts or comments?

Link to comment
Share on other sites

It's a good feature request and you're right, both my and Seb's plates are very full as we scream full steam ahead into defcon. I'd like not to feature creep, however I absolutely love your suggestions.

Can you describe in detail the $args addition you've coded above? It's been a while since I've used the autossh feature (switched to openvpn) and I'm rusty. How does one add ports using this advanced settings?

Also can you clarify:

How would I make only one selected FieldSet/form active (Settings/Advanced Settings)?

I don't quite understand.

Very much appreciate the input and would love to get this rolled into the official build.

Cheers!

D

Link to comment
Share on other sites

I (and a couple of others) had made some autossh infusion feature requests including multiple port forwards (-R and -L), different remote SSH port (-p), configuration backup, and multiple remote servers.

I currently: use my key from /root/.ssh, port forward both SSH and 1471, and connect to my server on a non-standard SSH port (necessity, not choice).

Since it looks like a lot of other items have higher priority, I thought I'd have a look at the existing system infusion myself to see what it would take. The existing code doesn't actually parse the /etc/config/autossh option ssh arguments, it just assumes each of the three arguments displayed are in a certain position. I had originally planned to see if I could improve the parsing of the args, but a simpler (stop-gap) measure seemed to just display/edit the entire argument list. I copy/pasted the relevant pieces of existing code and just tweaked them for my purposes. The $args= line just uses "uci show" (exactly like the other field parsers, except it grabs the entire arg list (everything after the "=" in the string returned by uci). I also added page refresh following the save. I tried to make as few changes as possible, while keeping the code style and techniques the same.

Regarding "only one selected FieldSet/form active (Settings/Advanced Settings)," I just wanted either the advanced or default options displayed, not both at the same time. I'd just have to play with showing/hiding divs or tables, but I don't think that's even necessary now.

So you're using OpenVPN with the pineapple? How's that working? We need an infusion for that. You did a segment (following your European tour) on switching to openVPN using Untangle. Some friends and I each tried to do that independently, and it seems that there was no way (via the UI) to get all client traffic to go through the tunnel. I believe they've finally fixed that with "full tunnel" option but I haven't tried it yet. Did you ever check your client IP after connecting? I ended up installing and configuring an openVPN server manually. It wasn't too difficult, you should do a show on that.

Link to comment
Share on other sites

Ok I see what you're doing now. I'll get this into the next autossh infusion update. Thanks for taking this on!

re: openvpn - it works like a charm. Here's a writeup: https://forums.hak5.org/index.php?/topic/32784-how-to-tunnel-mk5-through-vpn/

I'm working on the infusion. Hopefully will get it done before I leave for toorcamp, else it'll be a week+

Link to comment
Share on other sites

Ok I see what you're doing now. I'll get this into the next autossh infusion update. Thanks for taking this on!

re: openvpn - it works like a charm. Here's a writeup: https://forums.hak5.org/index.php?/topic/32784-how-to-tunnel-mk5-through-vpn/

I'm working on the infusion. Hopefully will get it done before I leave for toorcamp, else it'll be a week+

Thanks Darren...

FYI, the changes I made work well for me, but you or Seb might want that field to be optional.

RE: re: openvpn - see the option ( push "redirect-gateway def1 bypass-dhcp")? That is what Untangle wouldn't do until recently. (They apparently do this via the new "Full Tunnel" option now. I haven't tried it.) You never resolved this on the show, and I was afraid you were connecting to your VPN, but weren't actually re-directing your internet traffic through it. I set up my own OpenVPN server the same way you did. The hardest part about the whole thing is the certificate management and distribution. I still use Untangle for some firewalls (when I'm not using Smoothwall Express).

I'm really looking forward to the infusion; I'll be watching for it.

The SSH tunnels will always be useful and I don't see the VPN replacing them for all purposes. I expect someone will find an application that requires a large database that they could not otherwise use without port forwarding the connection (-L) from a remote server.

Oh and before I forget, there's a group of options you can add to the authorized_keys file on the server to prevent your server from being compromised should someone compromise your pineapple and get the SSH keys. I don't recall you covering them on the show when you did the SSH segments, so I thought it'd be a good idea to mention them.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...