Forwarding ssh credentials

Hello;

Can dropbear be configured so it forwards ssh credentials?

Network has a border OpenWRT router, and a bridge OpenWRT.
My management station is connected to the bridge, and cannot directly ssh (or anything else) to it. I have to jump off the border router. I would like to turn off password authentication in the bridge, and I do not want to install the private id in the router.

The dropbear server seems to allow forwarding of the connection to the authentication agent by default. Have you enabled it in your ssh client? It's usually "-A" on the command line, which is also supported by the dropbear ssh client.

2 Likes

Use of the ProxyJump directive on the "desktop" you use to access the inside host can be helpful as well. As an example (check man ssh_config for more details):

Host 10.0.0.*
  ProxyJump jeff@router.example.com:1234

This will connect to jeff@router.example.com:1234, then initiate the ssh to jeff@10.0.0.nnn transparently (save for auth).

1 Like
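A client-side configuration that applies the ProxyJump suggestion to the original poster's setup, as an added example that is not from the thread: it lets the management station authenticate to the bridge end-to-end through the border router, so no private key and no agent socket are ever handed to the router. The host names "confusion" (border router, 192.168.10.1) and "restoration" (bridge) and the user name are taken from the transcript later in the thread; the bridge address and the key path are assumptions.

```sshconfig
# ~/.ssh/config on the management station (added example, not from the thread)

# Border router: the only host the station can reach directly.
Host confusion
    HostName 192.168.10.1
    User rzighel
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    # Never forward the agent: a compromised router must not be able to
    # sign with the station's keys.
    ForwardAgent no

# Bridge: reachable only through the router. ProxyJump opens a TCP forward
# over the "confusion" session and runs the second SSH handshake from the
# station itself, so the key stays local and nothing is installed on the router.
Host restoration
    HostName 192.168.1.1          # ASSUMED bridge address on the inner network
    User rzighel
    ProxyJump confusion
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    ForwardAgent no
    # Fail rather than fall back to a password prompt if the key is rejected.
    PreferredAuthentications publickey
```

With this in place a plain `ssh restoration` (no `-A`) reaches the bridge, and password authentication can then be switched off in the bridge's dropbear configuration without losing access.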

From MacOS...

This is what I get when trying:

Rauls-MBP:.ssh rzighel$ ssh-add
Identity added: /Users/rzighel/.ssh/id_rsa (rzighel@Rauls-MBP.lan)
Rauls-MBP:.ssh rzighel$ ssh -vA confusion
OpenSSH_7.9p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/rzighel/.ssh/config
debug1: /Users/rzighel/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to confusion port 22.
debug1: Connection established.
debug1: identity file /Users/rzighel/.ssh/id_rsa type 0
debug1: identity file /Users/rzighel/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: Remote protocol version 2.0, remote software version dropbear
debug1: no match: dropbear
debug1: Authenticating to confusion:22 as 'rzighel'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:JMeQUZdEm3dE/LDG3rLVm9WyxlMpSFu6lqQ9eFFkRhM
debug1: Host 'confusion' is known and matches the RSA host key.
debug1: Found key in /Users/rzighel/.ssh/known_hosts:5
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: Will attempt key: /Users/rzighel/.ssh/id_rsa RSA SHA256:YzdGZfApERv+SVpmQ1J4+tyLUpzssv4fLIaf13rVrf0 explicit agent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/rzighel/.ssh/id_rsa RSA SHA256:YzdGZfApERv+SVpmQ1J4+tyLUpzssv4fLIaf13rVrf0 explicit agent
debug1: Server accepts key: /Users/rzighel/.ssh/id_rsa RSA SHA256:YzdGZfApERv+SVpmQ1J4+tyLUpzssv4fLIaf13rVrf0 explicit agent
debug1: Authentication succeeded (publickey).
Authenticated to confusion ([192.168.10.1]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Requesting authentication agent forwarding.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r10750-7ec092e641
 -----------------------------------------------------
rzighel@Confusion:~$ ssh -A restoration
debug1: client_input_channel_open: ctype auth-agent@openssh.com rchan 1 win 24576 max 32759
debug1: channel 1: new [authentication agent connection]
debug1: confirm auth-agent@openssh.com
rzighel@restoration's password:

Are the ssh utils installed on your router?

You can simply connect to the destination host directly.
Add a route, or port forwarding, or set up a VPN if required.

1 Like

That's correct. I am using "ssh -L ..."
Now, does it make sense for me to set a VPN to ssh to a system in the same network?

I also considered adding a second IP to my Mac, but then I would have to do it to every machine I try to use... Can you add a second ip to an iPad?

  • If you ssh -L then you simply run another SSH on the port you tunneled.
  • Also, @vgaetera's idea will work too.

Why is that?

It looks like a routing issue.

Another approach, if you consider your inside target's SSH implementation sufficiently secure to expose, would be to forward a port on your public IP (call it 1234) to your target's SSH port (typically 22). You could then access it from the outside as

ssh you_on_your_target@your.public.ip:1234

I can't connect directly because the lan interface on the bridge is not on the IP network of the wireless network...

https://openwrt.org/docs/guide-user/network/wifi/relay_configuration