
Polarwave's OpenBSD
Tips and Tricks for Newbies



SSH & Samba

I originally wrote a short entry with links in the site blog. I've done quite a bit of
experimenting with SSH and Samba since then to see how to tighten things
down on my LAN. My OpenBSD boxes have Samba shares on them available for
the one Windows box I have, and both require a password. I don't like cleartext
passwords even on my local area network, so I wanted to learn how I could get
around that. Samba over SSH seemed like a good solution. The article
that helped me the most is:

Samba over SSH -- Opening Windows to UNIX safely and reliably
I've tried to shorten things a bit from the original windows loopback adapter
installation in the article above. Here it is:
Now you have completed the Windows part of setup. Also, don't feel constrained to use
the particular IP address listed. You can just as easily use a 192.168.xxx.xxx Class C
network address. Either worked okay for me.

I'm a firm believer in using keys rather than passwords for SSH. So, to get started, first
you should use SSH to generate your public and private keys. I found many links to show
different ways of doing it, but the basics are all covered in the man page. There are varying
opinions, too, of whether or not to assign a password. Many like the passwordless option
since it makes things such as unattended backups using utilities like rsync over ssh very
easy to use. How you choose to do it is up to you. Here's a very basic example of the
passwordless key creation process:
[client ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
e8:0e:e7:2b:06:e7:9c:2a:1c:f2:91:86:ae:d8:0d:20 root@client
[client ~]# _
Here's the link the example is taken from for you to refer to:
How to Setup Password-less SSH Using Public - Private Keys
If you choose to create passwordless keys, remember to protect them. One good way is:
$ chmod 0600 id_rsa (or id_dsa - whichever type of key you need to use)
Remember that the keys need to be created on both ends of the connection, and the
public keys need to be exchanged and added to your ~/.ssh/authorized_keys file.
After that you should be able to ssh into the remote box without any password.
Here's an example:
$ cd .ssh/
$ scp id_rsa.pub billybob@somebox:myother_id_rsa.pub
$ ssh billybob@somebox (You'll have to type your password in at this point.
  Repeat keygen process)
$ mv myother_id_rsa.pub .ssh/ && cd .ssh/
$ cat myother_id_rsa.pub >> authorized_keys
$ scp id_rsa.pub billybob@homebox:.ssh/remote_id_rsa.pub
$ exit
$ cat remote_id_rsa.pub >> authorized_keys (Now go ahead and try to ssh back to
  the remote account. You should get in without a password)
$ ssh billybob@somebox (If problems, recheck your authorized_keys files)
I have Cygwin installed on my Windows box and it has served me well. There are other
options such as PuTTY, which comes highly recommended by most folks. I've used it when
traveling from a friend's or relative's computer to log in to my home box. It worked very
well and reliably for me. Still, I find the easiest way for me is from Cygwin's bash shell
prompt. To set up an ssh encrypted tunnel from my Windows box to one of my OpenBSD
boxes, from the bash shell prompt, I simply type
$ ssh -f -N -L xxx.xxx.x.xxx:139:localhost:139 username@xxx.xxx.x.xxx sleep 60
hit enter, and the connection is established. The 'sleep 60' gives me time, from the
Windows desktop, to click Start, Run, type in the same IP address I forwarded for my
Windows loopback adapter, type in my Samba password when the box pops up and hit
enter, and a Windows Explorer window pops up showing my Samba shares on the remote
box. Yes, I still had to type in my Samba password, but then again, that was the whole
point of the exercise, to have the password sent over an encrypted tunnel. Since I have
two OpenBSD boxes, I have two Windows loopback adapters installed. To forward the
second one, I just repeat the procedure, replacing the pertinent IP address, netmask
and the rest of the settings. Once both Explorer windows are open, dragging and dropping
files to copy, renaming files and so forth is trivial. The first link above shows you how
to set up the tunnel creation automatically when Windows starts. I did finally get around
to doing that after I'd ironed out various wrinkles in my systems. You may choose to do
that or simply do it from a Cygwin bash shell prompt or PuTTY.
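
The passwordless key and the tunnel described above can be tied together on the
OpenBSD side. The script below is an added example, not part of the original
article: it lists a public key in authorized_keys with options that limit the key to
forwarding localhost:139. The option set, the /sbin/nologin path, the function
names and the sample key are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list a public key in authorized_keys so that it can only
# open the Samba tunnel. Option set and /sbin/nologin path are assumptions.
TUNNEL_OPTS='command="/sbin/nologin",no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="localhost:139"'

# restricted_entry PUBKEY_FILE: print "options keytype base64 comment".
restricted_entry() {
    # A public key is a single line; a private key file is not.
    [ $(wc -l < "$1") -le 1 ] || return 1
    case "$(cat "$1")" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) return 1 ;;
    esac
    printf '%s %s\n' "$TUNNEL_OPTS" "$(cat "$1")"
}

# install_tunnel_key PUBKEY_FILE AUTH_FILE
# Returns 0 when the key is listed with restrictions, 1 for a bad key file,
# 2 when the key is already listed without permitopen (left for review).
install_tunnel_key() {
    pub=$1
    auth=$2
    entry=$(restricted_entry "$pub") || {
        echo "unsupported or not a public key: $pub" >&2
        return 1
    }
    blob=$(awk '{print $2}' "$pub")   # the base64 body identifies the key
    touch "$auth" && chmod 600 "$auth" || return 1
    if grep -F -q -- "$blob" "$auth"; then
        if grep -F -- "$blob" "$auth" | grep -v -q 'permitopen='; then
            echo "unrestricted entry for this key already in $auth" >&2
            return 2
        fi
        return 0                      # already installed, nothing to add
    fi
    printf '%s\n' "$entry" >> "$auth"
}

# demo: run twice on a constructed (fake) key in a scratch directory and
# print the resulting authorized_keys, which holds exactly one line.
demo() {
    d=$(mktemp -d) || return 1
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED tunnel@winbox' > "$d/id_rsa.pub"
    install_tunnel_key "$d/id_rsa.pub" "$d/authorized_keys"
    install_tunnel_key "$d/id_rsa.pub" "$d/authorized_keys"
    cat "$d/authorized_keys"
    rm -rf "$d"
}
```

The forced command replaces anything the client asks to run, so the tunnel has to
be started with -N, as in the ssh command above. If the function returns 2, edit the
existing authorized_keys line by hand rather than adding a second one.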

==================================================

Addendum:
Wed Jul 9 16:59:30 CDT 2008

I found after leaving the Windows box alone for a while, sometimes for the entire day,
that I no longer had external connectivity. I could still connect with the OpenBSD box,
but I couldn't get any further. I had my browser on my Windows box set up to use a proxy
with SOCKS 5 and the connection was going stale on me. So, I added a batch file to be
run every 6 hours from the Windows scheduler to clean up the network connection.
@echo off
rem The next line is not needed if you have a static IP like me
ipconfig /renew
arp -d *
nbtstat -R
ipconfig /flushdns
nbtstat -RR
ipconfig /registerdns
There's a good explanation of all these commands at:

TCP/IP troubleshooting: A structured approach -- Repairing network connections

If you right-click on My Network Places, then right-click on local area connection
and choose repair, it does the same thing as I've shown above. It's just a lot easier to
schedule the batch file. Since I did that, I haven't had any more problems with network
connectivity on the windows box.


No affiliation between this site and the OpenBSD project exists or is implied.
