Monday, September 5, 2016

AutoSSH on Odroid XU4 running Kali Linux 2

In my last blog, SSH into Kali 2.0 on ARM (Odroid, Banana Pi, etc), I configured SSH with RSA public/private keys so that I could securely connect to the Odroid with keys instead of a username and password.

In this blog I am going to install autossh and set up the Odroid to automatically create an SSH tunnel to my Digital Ocean CentOS virtual server on boot. Why would you want to do this? Sometimes you want to leave the Odroid at a site and access it later. Having a tunnel that automatically comes up on boot and reconnects if the tunnel drops means you can always log in.

Install autoSSH

AutoSSH is in the Kali repository so no repositories need to be added.

root@kali:~# apt-get install autossh ssh

This will install autossh and the latest version of the SSH client.

Generate a new set of RSA keys

These keys will be created WITHOUT a passphrase. We can't have a passphrase on this set of keys because the Odroid needs to be able to connect automatically without any user intervention.

root@kali:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/nopwd
Enter passphrase (empty for no passphrase): LEAVE This Blank
Enter same passphrase again:
Your identification has been saved in /root/.ssh/nopwd.
Your public key has been saved in /root/.ssh/
The key fingerprint is:
SHA256:7ZmIPa2zD0YMtkvBpm9/juu5mjL98nrpG8nGurwmWFY root@kali

Review the keys

root@kali:~# ls ~/.ssh
authorized_keys  id_rsa  known_hosts  nopwd

root@kali:~/.ssh# cat
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqsWLWXwoafVWsXAyNtZsnhYzn6PO2t5Ryr0U1JfQzVYwbmLB/MkUXTP57bwSGZ7XiljrsayrJwQny08Wxj11WYl74un1lsvBk+75HNiHC76F9iIF0jN12N0OgybdKymWGEIV5u9q7oqAw41ZXJDqgMA+ZglvGeyH9Ge2OWHyzSKSlGLl4bV51ww/FH0ZtPxXFKgoRSmQ8C7AP7IIFRLZJXJm1fSMdC+TpvUx68baCGo91PwZcdHY9dPnKaYZxcUlzRc0ou4pph3kr+b9beZsrJh/DGlrQC1uRy4HljKOGH4Bq1daf5GkrZQZNvfrXofT4WVyYWgzJ6u7Cs42/29tP root@kali

Copy the new keys to the Digital Ocean VPS

root@kali:~# ssh-copy-id -i .ssh/ -p 22 mhubbard@VPS-IP-Address
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Enter passphrase for key '/root/.ssh/id_rsa':

Number of key(s) added: 1

Test that the key was copied

Note that we have to use the SSH parameter -i to explicitly use our no-password key. This is because I have disabled passwords on my VPS.

root@kali:~# ssh -p 22 -i /root/.ssh/nopwd  mhubbard@VPS-IP-Address
Last login: Mon Sep  5 11:12:07 2016 from

This is a private system. Unless you have explicit
permission from Michael Hubbard logout immediately!

AutoSSH parameters

-M 10984: autossh monitoring port, used to keep the connection up.
-o "PubkeyAuthentication=yes": authenticate with SSH keys instead of passwords.
-o "PasswordAuthentication=no": explicitly disable password authentication.
-i /root/.ssh/nopwd: explicitly use our no-password key.
-R 2223:localhost:22: reverse tunnel. Forward all traffic on port 2223 on the VPS to port 22 on the Odroid.

Run autossh to connect to the Digital Ocean VPS

root@kali:~/.ssh# autossh -M 10984 -o "PubkeyAuthentication=yes" -o "PasswordAuthentication=no" -i /root/.ssh/nopwd -R 2223:localhost:22 mhubbard@ -p 22
Last login: Sun Sep  4 21:52:16 2016 from

This is a private system. Unless you have explicit
permission from Michael Hubbard logout immediately!
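
Because the nopwd key has no passphrase, anyone who copies it off the Odroid can log in to the VPS as mhubbard. One way to limit that, shown as an added example that is not from the original post, is to restrict the key's authorized_keys entry on the VPS to the listeners this autossh command needs and to flag keys that carry no restrictions. The function names and the sample key are hypothetical; it assumes OpenSSH 7.8 or later on the VPS and that autossh's -M monitor loop forwards through 127.0.0.1 on the monitor port.

```shell
#!/bin/sh
# Added example: VPS-side restrictions for the passphrase-less tunnel key.

# Build the authorized_keys option string.
#   $1 = reverse tunnel port on the VPS (2223 in the post)
#   $2 = autossh -M monitor port (10984 in the post)
# "restrict" needs OpenSSH 7.2+, "permitlisten" needs 7.8+ on the VPS.
tunnel_key_options() {
    for _p in "$1" "$2"; do
        case "$_p" in
            ''|*[!0-9]*) echo "port must be numeric: '$_p'" >&2; return 1 ;;
        esac
    done
    # restrict: no pty, agent, X11 or forwarding. Forwarding is then
    # re-enabled, limited to the two listeners the post's command creates.
    # permitopen covers the -L half of the monitor loop (assumed 127.0.0.1).
    printf 'restrict,port-forwarding,permitlisten="localhost:%s",' "$1"
    printf 'permitlisten="localhost:%s",permitopen="127.0.0.1:%s",' "$2" "$2"
    printf 'command="/bin/false"'
}

# Prefix one bare public key line with the options.
#   $1 = tunnel port, $2 = monitor port, $3 = public key line
restricted_entry() {
    _opts="$(tunnel_key_options "$1" "$2")" || return 1
    case "$3" in
        ssh-*|ecdsa-*) printf '%s %s\n' "$_opts" "$3" ;;
        *) echo "expected a bare public key line" >&2; return 1 ;;
    esac
}

# Audit an authorized_keys file: print the comment of every entry that
# starts with a key type, meaning no options limit what the key can do.
unrestricted_keys() {
    awk '/^[ \t]*(#|$)/ { next }
         $1 ~ /^(ssh-|ecdsa-)/ { print ($3 == "" ? "(no comment)" : $3) }' "$1"
}

# Constructed sample (placeholder key blob, not the key from the post).
sample_pub='ssh-rsa AAAAB3PLACEHOLDER root@kali'
restricted_entry 2223 10984 "$sample_pub"
```

With command="/bin/false" in place the key no longer gets a shell on the VPS, so the autossh command needs ssh's -N option added.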

Enable the tunnel on boot

These steps come straight from the "Persistent Reverse (NAT Bypassing) SSH tunnel" site listed in the references. It was the piece that I didn't know how to do and the blog was excellent.

Here is a screenshot of my /etc/rc.local file

References

Persistent reverse (NAT bypassing) SSH tunnel access with autossh - This is a great site for system admins. I am really glad I found it.
autossh – Automatically restart SSH sessions and tunnels
Bypassing corporate firewall with reverse ssh port forwarding