Cannot ssh out of NN to another machine on my LAN. Other direction works fine.
Delbert Franz
ddf at sonic.net
Tue Sep 18 13:28:05 EDT 2012
On Sun, 16 Sep 2012 01:07:52 +0200
David Kuehling <dvdkhlng at gmx.de> wrote:
> Hi Delbert,
>
> >>>>> "Delbert" == Delbert Franz <ddf at sonic.net> writes:
> [..]
> > I then did some fiddling with updating the authorized_keys files on
> > both computers but that made no difference. Then, I noticed something
> > that I had overlooked: when I pinged from the NN to my other LAN
> > machines, the IP addresses were wrong. They were all WAN addresses.
> > Then my foggy grey matter recalled: "I have seen this before!" There
> > is a problem with DNS in the /etc/config/network file!
>
> [..]
>
>
> Nice to see that you were able to solve your problems. It still leaves
> me startled as to why it's actually working for you :) You're certainly
> not using the standard NAT setup described in
>
> http://en.qi-hardware.com/wiki/Ethernet_over_USB
>
> Because with NAT you won't be able to SSH into your NanoNote from other
> machines on your LAN.
>
> However, without NAT, your other LAN machines would have to be aware of
> the network having two routers; (1) the internet gateway and (2) the
> machine that the NanoNote is connected to via USB. Or do you somehow
> connect the NN directly to a USB-enabled router?
>
> Just being curious. I would have used a eth0-to-usb0 ethernet bridging
> setup for simplicity, but never heard of anyone here who tried to make
> that work.
>
> cheers,
>
> David
David,
I'm using what Xiangfu Liu presented on the list in response to
problems I had with what may have been the NAT setup you described. I
forget now if the problem was caused by an update on my Debian
desktops or an update to a new image for the NN. In any case I like
what I am using now better. Here is what I have setup:
On the machine to which the NN is connected: (host machine)
Create an executable script with the contents:
#!/bin/sh
# Give the USB gadget interface the host-side address of the NAT range
ifconfig usb0 192.168.254.100
# Masquerade everything from the NN's range behind the host's own address
iptables -A POSTROUTING -t nat -j MASQUERADE -s 192.168.254.0/24
# Let the host forward packets between usb0 and its LAN interface
sysctl -w net.ipv4.ip_forward=1
# Host route to the NN via the gadget interface (interface name is usb0, not "usb")
route add -host 192.168.254.101 usb0
Notice that the IP addresses are just picked from one of the local
networks set aside for NAT. If these conflict with what you have
already, just pick another range and use those IP's consistently
throughout the following scripts.
On the NN, in /etc/config/network, you should have this:
config interface lan
option ifname usb0
option proto static
option ipaddr 192.168.254.101
option netmask 255.255.255.0
option gateway 192.168.254.100
option 'dns' '208.67.222.222 192.168.1.1'
# option 'dns' '208.67.222.222'
The first of the two DNS IP addresses is a public DNS to access the
Internet. The second is the local DNS for my LAN.
With the NN booted and running, connect it to a USB port on your host
machine. You might see some message about a "gadget" being attached,
depends on how you are running the NN. I am always in console mode.
In fact, I remove gmenu2x from my rootfs:) Then execute the connection
script on the host machine. On the NN restart the network by
executing:
/etc/init.d/network restart
I put that in a script with a short name--involves less typing on the
NN.
You should now be able to ping the NN from the host machine and you
should be able to ping 192.158.254.101 from the host machine. My NN
has the name of "nn" so I put the following line in the /etc/hosts
file on the host machine and on other machines in your LAN:
192.168.254.101 nn
The final script needed is to be run on the other machines in your
LAN:
#!/bin/sh
#Delete old route-ip address may have changed
route del -net 192.168.254.0/24
#Add a route to ac to access nn
route add -net 192.168.254.0 netmask 255.255.255.0 gw ac eth0
Here "ac" is the name of my host machine. One could use a
command-line argument to the script to give the name of the host
machine if you are wont to connect the NN to different machines. Also
your ethernet link may not be "eth0" and that may have to be changed.
However, we are not ready to ssh to anything yet. By default, OpenWRT
uses dropbear for ssh. It is smaller than openssh but as I vaguely
recall, I could not get something to work between dropbear and the
openssh on my other machines. So I used opkg to remove dropbear and
to install openssh-client, openssh-keygen, and openssh-server. I
think the default settings in the config files, which are in /etc/ssh
work out of the box. I went to the effort to generate public-private
key pairs and then set up an authorized_keys file on nearly all my LAN
machines. This is still a work in progress because the NN runs with
the root user and I don't have key pairs generated yet for the root
user on my other machines. However, I reset the NN password to "nn"
so that the password request is not onerous:) There are various sites
on the Internet that discuss how to setup passwordless ssh. I used
http://www.debian.org/devel/passwordlessssh
since I use Debian on all my other machines.
The setup works well. I can ssh from the NN to any machine on my LAN
and from any machine on my LAN to the NN.
I currently make manual changes when I am off my LAN. It is probably
possible to use a well contrived shell script to automate the process,
but that is not high on my list. I just assign some numeric IP
address to the host machine and put that in the /etc/hosts file of the
host machine and in the /etc/hosts file of the NN. Then it is
possible to ssh from the NN to the host machine, even when the host
machine is not on the Internet. When the host machine is connected to
the Internet, say at a wireless access point, then one needs to get
the numeric IP address using the command: "ifconfig". I usually just
"muddle" through and get it working after one or two tries. My time
off my LAN is small, but maybe I can learn enough about shell
scripting to figure out something better:)
Hope this helps someone else.
Delbert
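As an added example that is not part of the mail above, here is the same host-side and LAN-side setup turned into a small script that generates the commands as a reviewable list instead of running them blind. The function and variable names are hypothetical; the defaults are the addresses Delbert used. Two things it checks that the mail's hand-typed scripts cannot: that the host's usb0 address and the NN's static address really sit in one /24 (otherwise the gateway line in /etc/config/network is useless), and that the -host route names the actual gadget interface. Note that sysctl net.ipv4.ip_forward=1 makes the host forward for anything that can reach it, not only for the NN, so the generated list is meant to be read before it is piped to sh.

```shell
#!/bin/sh
# Added example (not from the mail): the host-side and LAN-side setup from
# Delbert's message, parameterised and generated as a reviewable command list.
# Variable and function names are hypothetical; the defaults are the addresses
# used in the mail. Nothing here needs root until the output is piped to sh.

HOST_USB_IP="${HOST_USB_IP:-192.168.254.100}"   # usb0 address on the host
NN_IP="${NN_IP:-192.168.254.101}"               # static address of the NanoNote
USB_IF="${USB_IF:-usb0}"                        # USB gadget interface on the host
SUBNET="${SUBNET:-192.168.254.0/24}"            # private range chosen for the link

# same_24: succeed when two dotted-quad addresses share their first three octets
same_24() {
    [ "${1%.*}" = "${2%.*}" ]
}

# check_plan HOST_IP NN_IP IFACE: refuse inconsistent settings before any
# command is emitted (the gateway/ipaddr pair from /etc/config/network must be
# one /24, and the -host route must name the real gadget interface)
check_plan() {
    same_24 "$1" "$2" || { echo "check_plan: $1 and $2 are not in one /24" >&2; return 1; }
    [ "$1" != "$2" ] || { echo "check_plan: host and NN address are identical" >&2; return 1; }
    case "$3" in
        usb[0-9]*) ;;
        *) echo "check_plan: '$3' does not look like a usb gadget interface" >&2; return 1 ;;
    esac
}

# host_commands HOST_IP NN_IP IFACE SUBNET: print the four host-side commands
host_commands() {
    check_plan "$1" "$2" "$3" || return 1
    printf 'ifconfig %s %s\n' "$3" "$1"
    printf 'iptables -t nat -A POSTROUTING -s %s -j MASQUERADE\n' "$4"
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'route add -host %s %s\n' "$2" "$3"
}

# lan_client_commands HOSTNAME IFACE NET MASK: print the route commands for the
# other LAN machines (drop the stale route first, as the mail's script does)
lan_client_commands() {
    printf 'route del -net %s netmask %s\n' "$3" "$4"
    printf 'route add -net %s netmask %s gw %s %s\n' "$3" "$4" "$1" "$2"
}

# forwarding_enabled: succeed when the running host is already forwarding IPv4
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Usage: sh nn-net.sh host | sh          (on the host, as root)
#        sh nn-net.sh lan ac eth0 | sh   (on another LAN machine, as root)
case "${1:-}" in
    host) host_commands "$HOST_USB_IP" "$NN_IP" "$USB_IF" "$SUBNET" ;;
    lan)  lan_client_commands "${2:-ac}" "${3:-eth0}" "${SUBNET%/*}" 255.255.255.0 ;;
esac
```

Running it with a different HOST_USB_IP or NN_IP in the environment regenerates all four host commands consistently, which is the "pick another range and use those IP's consistently" step from the mail; a mismatched pair is rejected before anything is printed.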