Table of Contents

SSH Tutorials

Creating an SSH Tunnel

Creating an SSH Tunnel with IPCOP is another way to create an encrypted tunnel between your computer and IPCOP. This allows for remote access to computers behind IPCOP without additional software (such as OpenVPN).

  1. Enable External Access to IPCOP on port 222 (Firewall – External Access)
  2. Connect to IPCOP via SSH using:
      ssh -p 222 -N -f -L 12345:10.0.0.20:23 root@ipcop.fqn


where 12345 is the local port to listen on, 10.0.0.20 is the remote computer, 23 is the port on the remote computer, and ipcop.fqn is the address of your IPCOP box. 

      Full explanation of options specified before:
      -p 222  
      SSH port.  
       
      -N  
      Run SSH background without terminating.  
       
      -f  
      Run SSH in the background.  
       
      -L  
      SSH port forwarding tunnel specified by the next parameters.  
       
      12345  
      The local port.  
       
      10.0.0.20  
      Remote server.  
       
      23  
      Remote port number.  
       
      root@ipcop.fqn  
      Specifies to connect to use your IPCOP firewall.

If you are on Windows, you can create a tunnel by doing the following:

  1. Connect via ssh
  2. Right click on the name bar and select change settings
  3. On the left side, select connecion – ssh – tunnels
  4. Under source port put 1000 (this will be the port we will use on our connecting program)
  5. Under destination put [ip.of.remote.computer]:[port of remote server] (this is the port we want to connect to)
    • For RPD, use remote port 3389
    • For VNC, use remote port 5800
    • For MySQL, use remote port 3306
  6. Click add
  7. Click apply
  8. Open your remote control program
    • For RDP, open Remote Desktop Connection
    • For VNC, open VNC viewer
    • For MySQL, open MySQL Administrator or MySQL Query Browser as needed
    • If you only have one line for remote computer
      Enter 127.0.0.1:1000 for computer to connect to
    • If you have a line for computer and port
      Enter 127.0.0.1 for remote computer and enter 1000 for remote port
  9. Click connect

SSH with Private Keys

You may want to allow access to IPCOP without having to use username/password. The following tutorial is designed to assist in the creation with Windows users using Putty.

Creating public/private keys with PuttyGen

    Figure 1: 	PuttyGen Initial Menu
  1. Under the parameters section, make sure SSH-2 RSA is selected
  2. Click on ’Generate’

    Figure 2: 	PuttyGen Generating Keys

    Figure 3: 	PuttyGen Personalize Settings
  1. Set your comment
  2. Enter a passphrase
  3. Reenter a passphrase

    Figure 4: 	PuttyGen Personalized Settings
  1. Save the public key (we will use this file in the additional steps section)
  2. Save the private key
  3. Copy the key string (in the above example, it starts with ’AAAAB’ and ends with ’fbV8’)

Enable SSH on IPCOP with public key

Connect to IPCOP via SSH (on Windows use Putty).

  1. Run the following commands:
      cd /root  
      mkdir .ssh  
      chmod 700 .ssh  
      cd .ssh  
      touch authorized_keys2  
      chmod 600 authorized_keys2  
      vi authorized_keys2
  1. Go into insert mode (i)
  2. Paste the public key (right click)
  3. Exit vi
      <Esc> :wq!
Optional Additional Security

The following are steps you may want to take. If you change the SSH settings via the web interface, you will have to reset these options. We will be editing the SSH file located at /etc/ssh/sshd_config

  1. Disable SSH1
    • Find:
      Protocol 2,1
      Protocol 2
  1. Disable Password Authentication
    • Find:
      PasswordAuthentication yes
      PasswordAuthentication no
  1. Allow TCP Forwarding
    • Find:
      AllowTcpForwarding no
      AllowTcpForwarding yes

Now you need to reload the configuration file by doing the following: 

      kill -HUP ’cat /var/run/sshd.pid’

Connecting to IPCOP with public keys - Putty

To connect to IPCOP with your public keys, do the following:

Figure 5: Putty Public Key Setup

  1. Open Putty
  2. Goto Connection – SSH – Auth (see Figure 5)
  3. Specify your private key file

Connecting to IPCOP with public keys - Additional steps

If you are having problems connecting to IPCOP with an error message of ’Server refused our key’, do the following:

  1. Copy the public key file to IPCOP (see section 3.8).
  2. Run the following commands:
    • To add to your public key file
      ssh-keygen -i -f /path/to/public_key >> ~/.ssh/authorized_keys2
    • To replace your public key file
      ssh-keygen -i -f /path/to/public_key > ~/.ssh/authorized_keys2