Description
In this article, we explain how to encapsulate the LuCI HTTP access in an SSH tunnel.
Configuration
SSH Tunnel
By default, the LuCI web admin interface is served only over plain HTTP, listens on all interfaces, and is reachable from everywhere.
One way to protect it is to bind the web server to the loopback interface and carry the web traffic through an SSH tunnel.
Once you are connected by SSH to your OpenWRT router:
- First, on OpenWRT, reconfigure the uhttpd web server: edit the configuration file /etc/config/uhttpd and
  - comment out both of these lines, by adding the # symbol in front of them:
    list listen_http 0.0.0.0:80
    list listen_https 0.0.0.0:443
  - add:
    list listen_http 127.0.0.1:80
    (and for IPv6: list listen_http [::1]:80)
- restart the web service:
/etc/init.d/uhttpd restart
- and check that the web service now listens on port 80 of the loopback interface only:
$ netstat -ant | grep -E ":80"
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN
tcp 0 0 ::1:80 :::* LISTEN
- Next, the SSH command that forwards the port is:
ssh -L 127.0.0.1:8080:127.0.0.1:80 -p 22 id@address-ip
where:
-p 22: the SSH port number
id: your user id (see: OpenWRT: sudo)
address-ip: the IPv4 address of your OpenWRT router on your LAN.
See this example:
File: ~/.ssh/config
$ ssh luciweb
And, in your web browser, open: localhost:8080
Voilà !
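An example ~/.ssh/config entry, added here and not the article's own file, that makes `ssh luciweb` open the tunnel described above; the address, user name and port are placeholders to replace with your own values. Keeping the troubleshooting options inside this Host block (shown commented out) limits any weakened algorithm choice to the router instead of all your SSH connections.

```sshconfig
# Added example for ~/.ssh/config; all values below are placeholders
Host luciweb
    # Your router's LAN IPv4 address (192.168.1.1 is the OpenWRT default)
    HostName 192.168.1.1
    # Your user id on the router
    User id
    # The dropbear SSH port
    Port 22
    # Bind 127.0.0.1:8080 locally and forward it to LuCI on the router's loopback
    LocalForward 127.0.0.1:8080 127.0.0.1:80
    # Uncomment only if you hit the matching error from the Troubleshooting section;
    # placed here, these apply to this router only, not to every SSH connection
    # Ciphers aes256-ctr
    # HostKeyAlgorithms ssh-rsa
    # MACs hmac-sha2-256
```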
Shell
- The configuration file: /etc/config/dropbear
- The dropbear service: /etc/init.d/dropbear
Troubleshooting
Error: no matching cipher found. Their offer: aes128-ctr,aes256-ctr
The dropbear SSH server is not able to negotiate ciphers other than those listed in the error message.
Add to your SSH client configuration: Ciphers aes256-ctr
Error: no matching host key type found. Their offer: ssh-rsa
The dropbear SSH server is not able to handle host key types other than those given in the error message.
Add to your SSH client configuration: HostKeyAlgorithms ssh-rsa
Error: no matching MAC found. Their offer: hmac-sha1,hmac-sha2-256
The dropbear SSH server is not able to handle MACs other than those listed in the error message.
Add to your SSH client configuration: MACs hmac-sha2-256