Hi Folks, I've got it working!
The Gemini 4.70 version of Dropbear is indeed compiled without support for port forwarding (tunneling) in order to save space in a flash image. This makes it of little use for remote access to the Dreambox. However, I have found the attached copy of Dropbear on another forum. This one is slightly larger (173.5KB vs 145.4KB) than the version in Gemini 4.70 but is OK in Multi-boot where there is plenty of space. This copy of 'dropbear' has tunneling enabled.
NB. This has been tested only on DM7000S, Enigma 1, Gemini 4.70 in FlashWizard Multi-boot.
1. Download the attached file 'dropbearmulti_051.zip' to a convenient folder on your laptop/pc.
2. Un-zip/extract the file 'dropbearmulti' to the same folder.
3. If you wish to retain your existing copy of 'dropbearmulti' as a safeguard, then rename the Dreambox file /sbin/dropbearmulti to (for instance) 'dropbearmulti.old'.
4. Now, FTP the new copy of 'dropbearmulti' (from the folder on your laptop/pc) to Dreambox folder /sbin.
5. Next: chmod 755 /sbin/dropbearmulti
For remote (internet) access it will be necessary to Forward one port for Incoming traffic on your router.
The default SSH port is 22 but I recommend using something less obvious like 2222, the more obscure the better. Not that the 'attackers' are likely to access anything through SSH but it reduces the 'traffic' (login attempts) on your router and much reduces the size of the router log! I know, I've seen it all on my router log! I've even had Chinese Web IPs logged in to my Dreambox on straight, non-SSH FTP! So I know that I need SSH!
Set the forwarded port to be handled by the Dreambox LAN IP (in my case 192.168.0.24).
It is necessary to edit the Gemini 4.70 Dropbear start script to:
a. Enable use of the obscure port.
b. Disable password login so that only rsakey (secure) login will be accepted.
6. Using your FTP program (or otherwise) edit the Dreambox file /var/script/dropbear_script.sh
7. Change this part:-
Code:
if [ -r /var/etc/dropbear/dropbear_rsa_host_key ] || [ -r /var/etc/dropbear/dropbear_dss_host_key ]; then
/sbin/dropbear
fi
To this:-
Code:
if [ -r /var/etc/dropbear/dropbear_rsa_host_key ] || [ -r /var/etc/dropbear/dropbear_dss_host_key ]; then
/sbin/dropbear -s -g -p 2222
fi
Where 2222 is your chosen obscure port number (max 65535).
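As an added check (not part of the original post), the following POSIX shell function audits a copy of dropbear_script.sh and confirms the /sbin/dropbear line carries the step 7 hardening flags: -s (no password login), -g (no root password login) and a -p port that is not 22 and is at most 65535. The two sample files it creates are constructed from the 'before' and 'after' snippets above; the function name and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from Gemini/Dropbear.
# check_dropbear_script <script-copy>: returns 0 when the first
# /sbin/dropbear line has -s, -g and a non-default port, else prints
# what is missing and returns 1. Flags must be separate words, as in
# the post ("-s -g -p 2222"), not combined ("-sg").
check_dropbear_script() {
    script="$1"
    line=$(grep -E '^[[:space:]]*/sbin/dropbear' "$script" | head -n 1)
    [ -n "$line" ] || { echo "no /sbin/dropbear line found"; return 1; }
    rc=0
    case " $line " in *" -s "*) ;;
        *) echo "missing -s (password login still allowed)"; rc=1 ;; esac
    case " $line " in *" -g "*) ;;
        *) echo "missing -g (root password login still allowed)"; rc=1 ;; esac
    # Extract the number after -p; empty if no -p was given.
    port=$(printf '%s\n' "$line" | sed -n 's/.*-p[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    if [ -z "$port" ] || [ "$port" -eq 22 ] || [ "$port" -gt 65535 ]; then
        echo "port is not a non-default value in 1..65535 (got '${port:-none}')"
        rc=1
    fi
    return $rc
}

# Constructed sample inputs: the script fragment before and after step 7.
ORIGINAL=$(mktemp); HARDENED=$(mktemp)
cat > "$ORIGINAL" <<'EOF'
if [ -r /var/etc/dropbear/dropbear_rsa_host_key ] || [ -r /var/etc/dropbear/dropbear_dss_host_key ]; then
/sbin/dropbear
fi
EOF
cat > "$HARDENED" <<'EOF'
if [ -r /var/etc/dropbear/dropbear_rsa_host_key ] || [ -r /var/etc/dropbear/dropbear_dss_host_key ]; then
/sbin/dropbear -s -g -p 2222
fi
EOF

check_dropbear_script "$HARDENED" && echo "hardened copy: OK"
check_dropbear_script "$ORIGINAL" || echo "original copy: NOT hardened"
```

Run it against a copy of /var/script/dropbear_script.sh fetched from the Dreambox before restarting the daemon in step 8.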
8. Go to TV connected to Dreambox and press Blue Button on DB Remote, for Gemini 4.70 options.
9. Select option 5. Services / Daemons.
10. Scroll down to 'Dropbear (SSH)'.
11. Press OK.
12. Status should change to 'Running' and Red 'virtual' LED changes to Green.
The next part has only been tried using OpenSSH on an Asus Eee PC 900 running default Xandros Linux (desktop mode).
However, Windoze users will probably manage the next part quite easily using PuTTY.
Other Linux distros will have OpenSSH (or similar) installed by default like the Eee PC.
I will show the commands as typed at a laptop/PC Linux Console prompt.
Locate the Linux hidden folder /.ssh (in the Eee PC this is at /home/user/.ssh) and use this in the cd command.
13. Create the secure key files: rsakey (private key file) & rsakey.pub (public key file).
Code:
cd /home/user/.ssh
ssh-keygen -f rsakey -t rsa -b 2048
This will prompt for a 'pass phrase' but none is necessary, just press Enter.
The two key files will now be in the .ssh folder.
The Dreambox should also have a .ssh folder located at /var/.ssh.
14. FTP the file rsakey.pub to Dreambox folder /var/.ssh.
15. Rename the file in the Dreambox /var/.ssh folder from: rsakey.pub - to: authorized_keys
16. chmod 611 /var/.ssh/authorized_keys
I used my FTP program (gFTP) for all three above operations.
Note the USAish spelling of 'authorized_keys'.
Item 16. is also important and the secure SSH session cannot be established with 666 or 644 etc.
We are now ready to launch an SSH secure session between laptop/PC and Dreambox. I have incorporated the following into menu items in the Asus Program Launcher to make it easy for repeated use. I have tried direct port for port access through SSH but it does not work on the Eee PC. However it is easy to use higher number ports on the laptop/PC and have Dropbear/SSH translate them to the correct port on the Dreambox at the other end of the tunnel.
17. To launch the SSH secure session between laptop/PC and Dreambox:
Code:
ssh -i /home/user/.ssh/rsakey -p 2222 -L 7021:192.168.0.24:21 -L 7080:localhost:80 root@dreambox_dyndns
Where:
ssh = the SSH client program
-i = use inetd
/home/user/.ssh/rsakey = send key for establishing session
-p 2222 = use port 2222 to establish the SSH session
-L 7021:192.168.0.24:21 = use Local port 7021 to establish an FTP session with remote LAN IP 192.168.0.24 on port 21
-L 7080:localhost:80 = use Local port 7080 to establish an http session with remote 'localhost' on port 80
root@dreambox_dyndns = the Dreambox user_id (root) and either static Web IP or DynDNS Domain Name.
NB. In the above 192.168.0.24 and 'localhost' both refer to the Dreambox and are interchangeable.
After a short delay the session should be established and a root@dreambox prompt displayed.
Leave this console window open but it may be minimised.
18. To launch an http session through the SSH tunnel, start Firefox and in the URL bar type:
and press Enter.
NB. Here 'localhost' refers to the laptop/PC communicating with the Dreambox.
Unless you have declared 'localhost' (in 17.) as a trusted site to the Dreambox then the Login panel will appear.
19. Enter User: root and your Password: Whateveritis
Press Enter and we get an Enigma Webif via an SSH secure session.
20. I have not bothered with a Telnet session as the SSH session itself serves this purpose and Dreambox Console commands may be typed in the Console window established in 17.
What does not work (yet!)!
OK....Clicking the APID in the Enigma Webif does not establish an Audio stream as it would directly but I'll work on that.
Also, I have not yet been able to establish a gFTP session through SSH but again I'm working on it.
I now have only the SSH port (2222 in this example) open and since closing the other ports and moving SSH from 22 to something higher there have been no 'alien' attempts at accessing anything on my network... yippee! Previously the bots would be attempting Telnet, FTP &/or http login every 3 seconds!!
Added bonus:
Now that it's secure, if I add an extra item to the line in 17. above, as follows:
and then in URL bar of Firefox type:
I get the Log-in screen for my router, can log-in and change router settings, open/close ports etc, remotely and SSH securely!
Sorry it's so long but hope it helps someone, good luck.
Best wishes, John.