[Cerowrt-devel] Router ssh access unavailable on custom build

[Cerowrt-devel] Router ssh access unavailable on custom build

[Ranga Krishnan]

[-- Attachment #1: Type: text/plain, Size: 1703 bytes --]

Dave,

Appreciate any suggestions debugging the problem below. 

I finally flashed a build I made onto the router and it seems to boot fine and
is broadcasting the two SSIDs I programed into it but I cant ssh into the router, 
neither through wireless nor an ethernet cable. 

----------------xxxxxxxxx--------------------
$:OpenWireless ranga$ ssh root@172.30.42.1
ssh: connect to host 172.30.42.1 port 22: Connection refused
----------------xxxxxxxxxx-------------------

All ports except 53 seem to be blocked. Even the webserver 
we have running on 80/443 is not responding. 

-----------------------xxxxxxxxxxxx-----------------------
$:OpenWireless ranga$ nmap 172.30.42.1

Starting Nmap 6.46 ( http://nmap.org ) at 2014-07-06 07:23 PDT
Nmap scan report for 172.30.42.1
Host is up (0.0010s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
53/tcp open  domain

Nmap done: 1 IP address (1 host up) scanned in 2.59 seconds
----------------------xxxxxxxxxxxxx-----------------------

I started with the etc directory in 3.10.40-6 and removed a few things
and made some changes in /etc/config. I kept the /etc/config/firewall
file unchanged. So I am not sure if it is the firewall blocking the ports.
Here is a link to the /etc I placed in cerowrt/files directory to have it 
compiled into the build. 

https://github.com/TWEFF/OpenWireless/tree/master/etc

Could it be that when building, the permissions with which
the files are being created in the firmware image are not what 
they need to be, and this is causing the problems I am seeing ?
Is there any way to analyze the firmware image without flashing
it onto a router ?

Thanks,
Ranga



[-- Attachment #2: Type: text/html, Size: 2209 bytes --]

Re: [Cerowrt-devel] Router ssh access unavailable on custom build

[Dave Taht]

[-- Attachment #1: Type: text/plain, Size: 2332 bytes --]

I would check for the presence of the dropbear-xinetd package and
/etc/xinetd.conf and xinetd.d/ssh

Openwrt uses dropbear (a lightweight ssh clone) directly. Cero uses xinetd
for extra security.

As for your other issues, a 3.3v serial cable is invaluable in
circumstances like this, I typically use a bus pirate to get onto the 4
header pins in the router.

On Jul 6, 2014 10:33 AM, "Ranga Krishnan" <ranga@eff.org> wrote:
>
> Dave,
>
> Appreciate any suggestions debugging the problem below.
>
> I finally flashed a build I made onto the router and it seems to boot
fine and
> is broadcasting the two SSIDs I programed into it but I cant ssh into the
router,
> neither through wireless nor an ethernet cable.
>
> ----------------xxxxxxxxx--------------------
> $:OpenWireless ranga$ ssh root@172.30.42.1
> ssh: connect to host 172.30.42.1 port 22: Connection refused
> ----------------xxxxxxxxxx-------------------
>
> All ports except 53 seem to be blocked. Even the webserver
> we have running on 80/443 is not responding.
>
> -----------------------xxxxxxxxxxxx-----------------------
> $:OpenWireless ranga$ nmap 172.30.42.1
>
> Starting Nmap 6.46 ( http://nmap.org ) at 2014-07-06 07:23 PDT
> Nmap scan report for 172.30.42.1
> Host is up (0.0010s latency).
> Not shown: 999 closed ports
> PORT   STATE SERVICE
> 53/tcp open  domain
>
> Nmap done: 1 IP address (1 host up) scanned in 2.59 seconds
> ----------------------xxxxxxxxxxxxx-----------------------
>
> I started with the etc directory in 3.10.40-6 and removed a few things
> and made some changes in /etc/config. I kept the /etc/config/firewall
> file unchanged. So I am not sure if it is the firewall blocking the ports.
> Here is a link to the /etc I placed in cerowrt/files directory to have it
> compiled into the build.
>
> https://github.com/TWEFF/OpenWireless/tree/master/etc
>
> Could it be that when building, the permissions with which
> the files are being created in the firmware image are not what
> they need to be, and this is causing the problems I am seeing ?
> Is there any way to analyze the firmware image without flashing
> it onto a router ?
>
> Thanks,
> Ranga
>
>
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>

[-- Attachment #2: Type: text/html, Size: 3176 bytes --]

Re: [Cerowrt-devel] Router ssh access unavailable on custom build

[Michael Richardson]

Ranga Krishnan <ranga@eff.org> wrote:
    > Appreciate any suggestions debugging the problem below.

    > I finally flashed a build I made onto the router and it seems to boot fine and
    > is broadcasting the two SSIDs I programed into it but I cant ssh into the
    > router,
    > neither through wireless nor an ethernet cable.

So I had this problem for along time and I finally figured out that it was
because I had two routes to my cerowrt, and my desktop usually picked the one
where it's origin address was not in 172.30.42.1/27, but that IP was in fact
still reachable...

    > ----------------xxxxxxxxx--------------------
    > $:OpenWireless ranga$ ssh root@172.30.42.1
    > ssh: connect to host 172.30.42.1 port 22: Connection refused
    > ----------------xxxxxxxxxx-------------------

    > All ports except 53 seem to be blocked. Even the webserver
    > we have running on 80/443 is not responding.

Well, I had web access to the device.
You'll have to get the 3.3V USB connector, I think.
I ordered 10 from AliExpress a few weeks ago... I haven't a clue if they are
easy to add or no.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

Re: [Cerowrt-devel] Router ssh access unavailable on custom build

[Ranga Krishnan]

[-- Attachment #1: Type: text/plain, Size: 1404 bytes --]


On Jul 6, 2014, at 11:00 AM, Dave Taht <dave.taht@gmail.com> wrote:

> I would check for the presence of the dropbear-xinetd package and /etc/xinetd.conf and xinetd.d/ssh
> 
> 

The dropbear-xinetd package was absent while the other items 
above were present. I created a new build with dropbear-xinetd but 
the behavior is the same. 

I used the failsafe mechanism to get telnet access into the boxes and 
tried to pull in a good firmware image into /tmp as described here:

https://archive.org/details/EnterOpenwrtFailsafeModeAndReflashAFirmware

However when dropbear refused to start even manually I discovered 
there is no dropbear executable on the router. 

I compiled this build with :

  CONFIG_DEFAULT_dropbear=y
# CONFIG_PACKAGE_dropbear is not set
CONFIG_PACKAGE_dropbear-xinetd=y
# CONFIG_PACKAGE_dropbearconvert is not set
# CONFIG_PACKAGE_dropbearconvert-xinetd is not set

which was the config for 3.10.44-6 release, as described in 
cerofiles-3.10 github repo, and which has a working ssh. 

Do I need CONFIG_PACKAGE_dropbear even though 3.10.44-6 
seems to get dropbear without including this config ?

In the absence of dropbear  is there a good way to transfer files. 
I couldn't find any file transfer options available in failsafe mode
other than a wget built into busybox. To use this I would 
have to setup my mac as a webserver. 

Ranga


[-- Attachment #2: Type: text/html, Size: 2357 bytes --]

Re: [Cerowrt-devel] Router ssh access unavailable on custom build

[Dave Taht]

it appears the xinetd package was mucked with around may 15th, and
perhaps that has some influence on your problem.

On Mon, Jul 7, 2014 at 5:46 AM, Ranga Krishnan <ranga@eff.org> wrote:
>
> On Jul 6, 2014, at 11:00 AM, Dave Taht <dave.taht@gmail.com> wrote:
>
> I would check for the presence of the dropbear-xinetd package and
> /etc/xinetd.conf and xinetd.d/ssh
>
>
>
> The dropbear-xinetd package was absent while the other items
> above were present. I created a new build with dropbear-xinetd but
> the behavior is the same.

is the xinetd binary present?

> I used the failsafe mechanism to get telnet access into the boxes and
> tried to pull in a good firmware image into /tmp as described here:
>
> https://archive.org/details/EnterOpenwrtFailsafeModeAndReflashAFirmware
>
> However when dropbear refused to start even manually I discovered
> there is no dropbear executable on the router.
>
> I compiled this build with :
>
>   CONFIG_DEFAULT_dropbear=y
> # CONFIG_PACKAGE_dropbear is not set
> CONFIG_PACKAGE_dropbear-xinetd=y
> # CONFIG_PACKAGE_dropbearconvert is not set
> # CONFIG_PACKAGE_dropbearconvert-xinetd is not set
>
> which was the config for 3.10.44-6 release, as described in
> cerofiles-3.10 github repo, and which has a working ssh.
>
> Do I need CONFIG_PACKAGE_dropbear even though 3.10.44-6
> seems to get dropbear without including this config ?

No, if you do that, you get dropbear starting at boot without xinetd.
You CAN try it, but then you have to do some firewalling.

>
> In the absence of dropbear  is there a good way to transfer files.
> I couldn't find any file transfer options available in failsafe mode
> other than a wget built into busybox. To use this I would
> have to setup my mac as a webserver.

I maintain a local fileserver, always, anyway, so it's a good idea.


>
> Ranga
>



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article

Re: [Cerowrt-devel] Router ssh access unavailable on custom build

[Dave Taht]

other fallout of the shifting around of everything pre-barrier-breaker
freeze is my automagic update script (pullhead) wasn't doing updates
of the oldpackages repo.

On Wed, Jul 9, 2014 at 3:14 PM, Dave Taht <dave.taht@gmail.com> wrote:
> it appears the xinetd package was mucked with around may 15th, and
> perhaps that has some influence on your problem.
>
> On Mon, Jul 7, 2014 at 5:46 AM, Ranga Krishnan <ranga@eff.org> wrote:
>>
>> On Jul 6, 2014, at 11:00 AM, Dave Taht <dave.taht@gmail.com> wrote:
>>
>> I would check for the presence of the dropbear-xinetd package and
>> /etc/xinetd.conf and xinetd.d/ssh
>>
>>
>>
>> The dropbear-xinetd package was absent while the other items
>> above were present. I created a new build with dropbear-xinetd but
>> the behavior is the same.
>
> is the xinetd binary present?
>
>> I used the failsafe mechanism to get telnet access into the boxes and
>> tried to pull in a good firmware image into /tmp as described here:
>>
>> https://archive.org/details/EnterOpenwrtFailsafeModeAndReflashAFirmware
>>
>> However when dropbear refused to start even manually I discovered
>> there is no dropbear executable on the router.
>>
>> I compiled this build with :
>>
>>   CONFIG_DEFAULT_dropbear=y
>> # CONFIG_PACKAGE_dropbear is not set
>> CONFIG_PACKAGE_dropbear-xinetd=y
>> # CONFIG_PACKAGE_dropbearconvert is not set
>> # CONFIG_PACKAGE_dropbearconvert-xinetd is not set
>>
>> which was the config for 3.10.44-6 release, as described in
>> cerofiles-3.10 github repo, and which has a working ssh.
>>
>> Do I need CONFIG_PACKAGE_dropbear even though 3.10.44-6
>> seems to get dropbear without including this config ?
>
> No, if you do that, you get dropbear starting at boot without xinetd.
> You CAN try it, but then you have to do some firewalling.
>
>>
>> In the absence of dropbear  is there a good way to transfer files.
>> I couldn't find any file transfer options available in failsafe mode
>> other than a wget built into busybox. To use this I would
>> have to setup my mac as a webserver.
>
> I maintain a local fileserver, always, anyway, so it's a good idea.
>
>
>>
>> Ranga
>>
>
>
>
> --
> Dave Täht
>
> NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article