Thursday, November 25, 2010

remote access without SSH

As an exercise, I wanted authenticated and encrypted shell access without SSH. Shellinabox [1] permits anyone to connect and does not authenticate the client. Instead, I chose stunnel (with client certificate verification) and telnet on Fedora 14, and it worked like a charm. Here are some notes.

[1] http://code.google.com/p/shellinabox/

Install server software.

$ su -
# yum install openssl-perl stunnel telnet-server

Use stunnel to wrap the telnet service.

# vi /etc/xinetd.d/telnet
:%s,\(disable.*=\) yes,\1 no,
:%s,flags.*,& NAMEINARGS,
:%s,\(server.*=\) .*,\1 /usr/bin/stunnel ,
o
server_args = stunnel /etc/stunnel/in.telnetd.conf
:wq
# vi /etc/stunnel/in.telnetd.conf
i
exec = /usr/sbin/in.telnetd
execargs = in.telnetd
CAfile = /etc/pki/CA/cacert.pem
CApath = /etc/stunnel/authorized_certs
cert = /etc/stunnel/in.telnetd.crt
key = /etc/stunnel/in.telnetd.key
verify = 3
ciphers = ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
sslVersion = TLSv1
:wq
# service xinetd restart

Create a new SSL certificate authority to sign SSL certificates.

# man CA.pl
Use common sense when responding to CA.pl prompts.
# /etc/pki/tls/misc/CA.pl -newca
At "CA certificate filename (or enter to create)", press Enter.

Create an SSL certificate and key for the telnet service.

# /etc/pki/tls/misc/CA.pl -newreq-nodes
# /etc/pki/tls/misc/CA.pl -signreq
# rm -f newreq.pem
# mv newcert.pem /etc/stunnel/in.telnetd.crt
# mv newkey.pem /etc/stunnel/in.telnetd.key
# chmod og-rwx /etc/stunnel/in.telnetd.key
# mkdir /etc/stunnel/authorized_certs
# restorecon -R /etc/stunnel

Create an SSL certificate and key for the client.

# /etc/pki/tls/misc/CA.pl -newreq-nodes
# /etc/pki/tls/misc/CA.pl -signreq
# rm -f newreq.pem
# cp newcert.pem /etc/stunnel/authorized_certs/telnet.pem
# c_rehash /etc/stunnel/authorized_certs

Create the stunnel configuration for the client.

# mkdir .stunnel
# cp /etc/pki/CA/cacert.pem .stunnel/
# cp /etc/stunnel/in.telnetd.crt .stunnel/in.telnetd.pem
# c_rehash .stunnel
# mv newcert.pem .stunnel/telnet.crt
# mv newkey.pem .stunnel/telnet.key
# vi .stunnel/client.conf
i
client = yes
foreground = yes
output = .stunnel/client.log
pid =

[telnet]
accept = localhost:23
connect = servername:23
CAfile = .stunnel/cacert.pem
CApath = .stunnel
cert = .stunnel/telnet.crt
key = .stunnel/telnet.key
verify = 3
ciphers = ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
sslVersion = TLSv1
:wq
# zip -r keys.zip .stunnel
# rm -fr .stunnel
# mv keys.zip /media/FLASHDRIVE/
# umount /media/FLASHDRIVE/
# exit

Copy the SSL certificate, key, and stunnel configuration to the client machine.

$ cd
$ rm -fr .stunnel
$ unzip /media/FLASHDRIVE/keys.zip
$ rm -f /media/FLASHDRIVE/keys.zip
$ chmod og-rwx .stunnel/telnet.key

Run stunnel to forward telnet from the client to the server.

$ stunnel .stunnel/client.conf

In another terminal, telnet to the stunnel listener.

$ telnet localhost 23
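A small checker for the stunnel configurations above, added here as an example and not code from the original post or from the stunnel project: it parses stunnel's global-then-[service] config format and reports settings that would let a peer connect without a pinned certificate (verify other than 3, no CApath, no cert/key), plus the permission test behind the chmod og-rwx step. CLIENT_CONF is a constructed copy of client.conf, and the function names are my own.

```python
import stat

# Constructed copy of client.conf above; in.telnetd.conf uses the same options globally.
CLIENT_CONF = """\
client = yes
foreground = yes
output = .stunnel/client.log
pid =

[telnet]
accept = localhost:23
connect = servername:23
CAfile = .stunnel/cacert.pem
CApath = .stunnel
cert = .stunnel/telnet.crt
key = .stunnel/telnet.key
verify = 3
ciphers = ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
sslVersion = TLSv1
"""

def parse_stunnel_conf(text):
    """Parse stunnel's config: global options first, then one [service] per tunnel."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        key, _, value = line.partition("=")      # 'pid =' yields an empty value
        sections[current][key.strip()] = value.strip()
    return sections

def check_peer_auth(conf, service=""):
    """Findings that would let an unauthenticated peer through; [] means the peer's
    cert must be one of the hashed certs in CApath and this side presents cert/key."""
    opts = dict(conf[""])
    opts.update(conf.get(service, {}))           # service options override globals
    findings = []
    if opts.get("verify") != "3":
        findings.append("verify != 3: peer cert need not be in CApath")
    elif not opts.get("CApath"):
        findings.append("verify = 3 needs CApath with the authorized certs")
    if not (opts.get("cert") and opts.get("key")):
        findings.append("cert/key missing: this side cannot authenticate itself")
    return findings

def key_mode_ok(mode):
    """True when the key file has no group/other bits, as after chmod og-rwx."""
    return (stat.S_IMODE(mode) & 0o077) == 0
```

Feed os.stat(path).st_mode to key_mode_ok to check a real key file.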
