Cannot ssh out of NN to another machine on my LAN. Other direction works fine.

Delbert Franz ddf at sonic.net
Tue Sep 18 13:28:05 EDT 2012


On Sun, 16 Sep 2012 01:07:52 +0200
David Kuehling <dvdkhlng at gmx.de> wrote:

> Hi Delbert,
> 
> >>>>> "Delbert" == Delbert Franz <ddf at sonic.net> writes:
> [..] 
> > I then did some fiddling with updating the authorized_keys files on
> > both computers but that made no difference.  Then, I noticed something
> > that I had overlooked: when I pinged from the NN to my other LAN
> > machines, the IP addresses were wrong.  They were all WAN addresses.
> > Then my foggy grey matter recalled: "I have seen this before!" There
> > is a problem with DNS in the /etc/config/network file!
> 
> [..]
>
> 
> Nice to see that you were able to solve your problems.  It still leaves
> me startled as to why it's actually working for you :)  You're certainly
> not using the standard NAT setup described in 
> 
>   http://en.qi-hardware.com/wiki/Ethernet_over_USB
> 
> Because with NAT you won't be able to SSH into your NanoNote from other
> machines on your LAN.
> 
> However, without NAT, your other LAN machines would have to be aware of
> the network having two routers; (1) the internet gateway and (2) the
> machine that the NanoNote is connected to via USB.  Or do you somehow
> connect the NN directly to a USB-enabled router?  
> 
> Just being curious.  I would have used an eth0-to-usb0 ethernet bridging
> setup for simplicity, but never heard of anyone here who tried to make
> that work.
> 
> cheers,
> 
> David

David, 

I'm using what Xiangfu Liu presented on the list in response to 
problems I had with what may have been the NAT setup you described.  I 
forget now if the problem was caused by an update on my Debian 
desktops or an update to a new image for the NN.  In any case I like 
what I am using now better.  Here is what I have setup: 

On the machine to which the NN is connected: (host machine)

Create an executable script with the contents:

#!/bin/sh
# Give the host side of the USB gadget link an address in the NN's range
ifconfig usb0 192.168.254.100
# Masquerade traffic from the NN's range so it can reach the LAN and beyond
iptables -A POSTROUTING -t nat -j MASQUERADE -s 192.168.254.0/24
# Allow the host to forward packets between usb0 and the LAN
sysctl -w net.ipv4.ip_forward=1
# Host route to the NN over the usb0 interface
route add -host 192.168.254.101 usb0


Notice that the IP addresses are just picked from one of the local 
networks set aside for NAT. If these conflict with what you have
already, just pick another range and use those IP's consistently
throughout the following scripts. 

On the NN, in /etc/config/network, you should have this:

config interface lan
	option ifname	usb0
	option proto	static
	option ipaddr	192.168.254.101
	option netmask	255.255.255.0
	option gateway  192.168.254.100
	option 'dns'      '208.67.222.222  192.168.1.1'
#	option 'dns'      '208.67.222.222'


The first of the two DNS IP addresses is a public DNS to access the 
Internet.  The second is the local DNS for my LAN.
 

With the NN booted and running, connect it to a USB port on your host 
machine.  You might see some message about a "gadget" being attached, 
depends on how you are running the NN.  I am always in console mode.  
In fact, I remove gmenu2x from my rootfs:) Then execute the connection 
script on the host machine.  On the NN restart the network by 
executing: 

/etc/init.d/network restart

I put that in a script with a short name--involves less typing on the 
NN.  

You should now be able to ping the NN from the host machine and you 
should be able to ping 192.168.254.101 from the host machine.  My NN 
has the name of "nn" so I put the following line in the /etc/hosts 
file on the host machine and on other machines in your LAN: 

192.168.254.101  nn


The final script needed is to be run on the other machines in your 
LAN: 

#!/bin/sh
# Delete the old route first: the host's IP address may have changed
route del -net 192.168.254.0/24
# Add a route to the NN's range via the host machine "ac" (resolved from /etc/hosts)
route add -net 192.168.254.0 netmask 255.255.255.0 gw ac eth0


Here "ac" is the name of my host machine.  One could use a 
command-line argument to the script to give the name of the host 
machine if you are wont to connect the NN to different machines.  Also 
your ethernet link may not be "eth0" and that may have to be changed.  

However, we are not ready to ssh to anything yet.  By default, OpenWRT 
uses dropbear for ssh.  It is smaller than openssh but as I vaguely 
recall, I could not get something to work between dropbear and the 
openssh on my other machines.  So I used opkg to remove dropbear and 
to install openssh-client, openssh-keygen, and openssh-server.  I 
think the default settings in the config files, which are in /etc/ssh 
work out of the box.  I went to the effort to generate public-private 
key pairs and then set up an authorized_keys file on nearly all my LAN 
machines.  This is still a work in progress because the NN runs with 
the root user and I don't have key pairs generated yet for the root 
user on my other machines.  However, I reset the NN password to "nn" 
so that the password request is not onerous:) There are various sites 
on the Internet that discuss how to setup passwordless ssh.  I used 

http://www.debian.org/devel/passwordlessssh

since I use Debian on all my other machines.  


The setup works well.  I can ssh from the NN to any machine on my LAN 
and from any machine on my LAN to the NN.  

I currently make manual changes when I am off my LAN.  It is probably 
possible to use a well contrived shell script to automate the process, 
but that is not high on my list.  I just assign some numeric IP 
address to the host machine and put that in the /etc/hosts file of the 
host machine and in the /etc/hosts file of the NN.  Then it is 
possible to ssh from the NN to the host machine, even when the host 
machine is not on the Internet.  When the host machine is connected to 
the Internet, say at a wireless access point, then one needs to get 
the numeric IP address using the command: "ifconfig".  I usually just 
"muddle" through and get it working after one or two tries.  My time 
off my LAN is small, but maybe I can learn enough about shell 
scripting to figure out something better:) 

Hope this helps someone else.

               Delbert
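An added example that is not part of the list post: a POSIX sh helper that turns two points of the setup above into checkable functions. subnet_conflicts implements the "if these conflict with what you have already, pick another range" advice by comparing the chosen range against the host's `ip route` output, and host_setup_cmds prints a variant of the host-side connection script that ties the MASQUERADE rule to the LAN uplink and restricts forwarding to the usb0<->LAN pair instead of masquerading on every interface. The function names and the sample route table are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the list post's script. Interface and range names are
# parameters; the sample route output below is constructed for the self-check.

ip2int() {  # dotted quad -> 32-bit integer
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

cidr_overlap() {  # cidr_overlap A/P B/Q: exit 0 when the two ranges overlap
  n1=$(ip2int "${1%/*}"); p1=${1#*/}
  n2=$(ip2int "${2%/*}"); p2=${2#*/}
  p=$p1; if [ "$p2" -lt "$p" ]; then p=$p2; fi   # compare on the shorter prefix
  [ $(( n1 >> (32 - p) )) -eq $(( n2 >> (32 - p) )) ]
}

subnet_conflicts() {  # subnet_conflicts NEW_CIDR "$(ip route)": prints overlaps, exit 0 if any
  printf '%s\n' "$2" | while read -r dst rest; do
    case "$dst" in default|'') continue ;; */*) ;; *) dst="$dst/32" ;; esac
    cidr_overlap "$1" "$dst" && echo "conflict: $dst"
  done | grep .
}

host_setup_cmds() {  # host_setup_cmds USB_IF LAN_IF SUBNET HOST_ADDR
  cat <<EOF
ip addr add $4/${3#*/} dev $1
ip link set $1 up
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $3 -o $2 -j MASQUERADE
iptables -A FORWARD -i $1 -o $2 -s $3 -j ACCEPT
iptables -A FORWARD -i $2 -o $1 -d $3 -j ACCEPT
iptables -A FORWARD -i $1 -j DROP
iptables -A FORWARD -o $1 -j DROP
EOF
}

# Constructed sample of `ip route` output (replace with "$(ip route)" in use).
SAMPLE_ROUTES="default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.5
10.8.0.1 dev tun0 scope link"

if subnet_conflicts 192.168.254.0/24 "$SAMPLE_ROUTES"; then
  echo "range already in use on this host; choose another" >&2
else
  host_setup_cmds usb0 eth0 192.168.254.0/24 192.168.254.100   # pipe into sh as root
fi
```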