0

Goal: Configure Ubuntu and Firefox to SSH into a remote Asus router and access the remote router's configuration GUI via Firefox.

top from the remote router returns:

PID     PPID USER    STAT   VSZ %VSZ CPU %CPU COMMAND
22984   493  user    S     1132  0.4   0  0.0 dropbear -p 22 -j -k

The remote router is configured with openssh-sftp-server and Merlin-Asus firmware:

ipkg list_installed | grep  ssh

returns:

openssh-sftp-server - 5.9p1-1 - sftp-server only from a FREE version of the SSH protocol suite of network connectivity tools.

Ubuntu SSH Dynamic Port Forwarding is created with:

ssh -D localhost:3000 user@mydomain.com

Firefox proxy configuration:

[Screenshot: Firefox proxy configuration]

The tunnel is tested with http://www.whatismyip.com; however, the test fails to return a webpage. These error messages are observed in the BASH console:

channel 3: open failed: administratively prohibited: 
channel 4: open failed: administratively prohibited: 
channel 5: open failed: administratively prohibited: 
channel 6: open failed: administratively prohibited: 

QUESTIONS

  • Is the tunnel correctly configured from the command line?
  • Is the tunnel correctly configured within Firefox?
  • What tests can be performed to confirm the issue?

Diagnostic questions and any actionable guidance to reach the goal are appreciated.

UPDATE: TL;DR see answer below.

https://unix.stackexchange.com/a/569165/182280

gatorback

2 Answers

1

If your objective is to access the router configuration GUI on the same router you are running ssh (dropbear) on, then you are not looking for a SOCKS proxy, but for local port forwarding.

Set up the ssh tunnel on the Firefox host (assuming your web UI serves on port 80):

ssh -L 3000:localhost:80 user@myrouter.mydomain.com

and point Firefox to http://localhost:3000.

(Note for better understanding: localhost in above command is relative to your router, i.e. the ssh server forwards to localhost:80 from its local context.)

What this does is open local port 3000 and tunnel it through an established ssh connection to the router and connect it to the service running on port 80 on the router.

EDIT: you have to additionally make sure dropbear runs with the -a option to allow port forwarding. (See dropbear options.) This can be achieved in the web UI as shown in this answer

HTH,

ppenguin

  • Thanks for the reply: I tried invoking ssh -L (local port forwarding) as described above but received the same failure messages in the original post. Have you had success with Ubuntu / Firefox? What can be done to diagnose my error? Thank you – gatorback Feb 22 '20 at 14:19
  • How can I test / verify that port 80 is the proper choice? – gatorback Feb 22 '20 at 14:34
  • @gatorback: if on your LAN (same network as your router) you can login to its web UI with firefox without specifying the port (i.e. http://myrouter), then it's running at port 80. – ppenguin Feb 22 '20 at 14:37
  • @gatorback: just edited answer, hope the -a option to dropbear gets rid of the forwarding errors... – ppenguin Feb 22 '20 at 14:45
  • Your postings & tips have been helpful to make incremental progress to the point where I am now able to access the router's GUI – gatorback Feb 22 '20 at 22:42
  • @gatorback: Did the -a switch make the administratively prohibited go away? Does that mean that the goal is achieved? In that case please mark the answer as "answered" and consider voting up :) Good luck! – ppenguin Feb 23 '20 at 10:47
  • I have published the solution in an answer: https://unix.stackexchange.com/a/569165/182280 – gatorback Feb 23 '20 at 16:53
  • @gatorback: I edited your answer with a remark about public key authentication (which is advisable especially if you can login from the internet!), hope you don't mind ;) – ppenguin Feb 24 '20 at 08:06
0

SSH Dynamic Port Forwarding was correctly configured. To accomplish the goal, the Asus router has a setting that permits SSH port forwarding, which must be enabled:

[Screenshot: Asus router setting that permits SSH port forwarding]

ppenguin advises: For extra security, consider adding/updating an authorized_keys file (usually in /root/.ssh/authorized_keys) containing your public key. After you have tested that you can log in without a password (with your public/private key pair), turn off Allow Password Login.

gatorback
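
For the question's "What tests can be performed to confirm the issue?", an added example that is not part of the original posts: it reads the dropbear command line shown in the `top` output and reports which ssh client forwarding options the server will refuse. The function names are hypothetical; the `-j`/`-k` meanings are those in dropbear's usage text, and bundled spellings such as `-jk` are handled as an assumption.

```shell
#!/bin/sh
# Added example; function names are hypothetical and the sample command line
# is the one shown in the question's top output.

# Print which forwarding directions a dropbear command line disables.
# Per dropbear's usage text: -j disables local port forwarding and
# -k disables remote port forwarding.
dropbear_disabled() (
    set -f                              # no globbing while splitting words
    out=""
    for arg in $1; do
        case $arg in
            -*[!A-Za-z]*) continue ;;   # e.g. "-p22": not a flag bundle
            -?*) ;;                     # "-j", or "-jk" (bundling assumed)
            *) continue ;;              # program name or option value
        esac
        case $arg in *j*) out="$out local" ;; esac
        case $arg in *k*) out="$out remote" ;; esac
    done
    echo $out                           # unquoted: trims the leading space
)

# Exit 0 if the server flags refuse the given ssh client option.
# -L and -D both open direct-tcpip channels, so -j blocks both;
# -R sends a tcpip-forward request, which -k blocks.
forward_refused() {
    case $2 in
        -L|-D) need=local ;;
        -R)    need=remote ;;
        *)     return 2 ;;
    esac
    case " $(dropbear_disabled "$1") " in
        *" $need "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Count refused channel opens in ssh client stderr read from stdin.
count_prohibited() {
    grep -c 'open failed: administratively prohibited' || true
}

ROUTER_CMD='dropbear -p 22 -j -k'
for mode in -D -L -R; do
    if forward_refused "$ROUTER_CMD" "$mode"; then
        echo "ssh $mode: refused by the server's flags"
    else
        echo "ssh $mode: not blocked by -j/-k"
    fi
done
```

Because `-L` and `-D` are refused by the same server flag, switching from dynamic to local forwarding leaves the error in place until the router's SSH port forwarding setting is enabled.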