SSH remote access to the Keenetic command line

Starting with KeeneticOS 2.12, SSH (Secure Shell) server was added, which allows connecting to the router command line securely. Now we will see how to configure a device for a remote connection to its command line interface (CLI).

To run the SSH server, the 'SSH server' system component must be pre-installed in the Keenetic. You can do this on the 'General system settings' page in the 'Component options' section by clicking on the 'Component options'.

ssh-com-eng.png

Once the component is installed, the SSH server will be turned on automatically. It can be accessed in local interfaces with a private security level. For information on the access levels that determine the security level (the firewall logic), see the article Firewall rules configuration from the command interface.

To allow access from external networks, the SSH server must have a 'public' level of security. Run the commands at the router command line interface:

(config)> ip ssh
Core::Configurator: Done.
(config-ssh)> security-level public
Ssh::Manager: Security level changed to public.


To avoid unwanted hacking attempts by bots, random Black/Grey Hat hackers, and in cases where the standard port is already running SSH server in the OPKG subsystem, it is recommended to change the standard port of the server. The default port on which the server is running is standard port number 22. You can change it to one of the unused numbers (for example, 2022):

(config-ssh)> port 2022
Ssh::Manager: Port changed to 2022.


Now users who have access to the Keenetic command line will be able to reach the external IP address of the device on port 2022 from an SSH client and get access to its command line in a secure encrypted channel.

To save the setting, you need to execute the command:

(config)> system configuration save
Core::ConfigurationSaver: Saving configuration...


Connecting to an SSH server

To connect to your Keenetic via SSH protocol, you can use any terminal program that supports this type of connections. For example, a free client PuTTY.

Download, install and launch the PuTTY terminal client on your computer. In the 'Connection type' field specify the connection type 'SSH'. Enter in the 'Host Name or IP address' field the network name or IP address of the device (local IP when connecting from a home network or public WAN IP when connecting from the Internet), and in the 'Port' field — the port number by which the connection will be established (by default SSH protocol uses port 22, in our example port 2022 is used).

putty01.png

After clicking the 'Open' button, you will be prompted for the login and password to authenticate on the device. Enter the administrator account credentials. After successful entry of the administrator login and password, the router command line will appear.

putty02.png

It is also easy to establish an SSH connection from Linux. For example, to connect an SSH client with the admin username, you should use the command:

[alexander@silverado ~]$ ssh admin@192.168.1.1 -p 2022
Warning: Permanently added '[192.168.1.1]:2022' (ECDSA) to the list of known hosts.
admin@192.168.1.1's password:
X11 forwarding request failed on channel 0
(config)>


If your keys are compromised, the SSH server can generate new keys. This procedure takes place automatically when you install the system component, but can also be started by ip ssh keygen {keygen} command, where instead of {keygen} you should specify the required algorithm — default for example.

(config-ssh)> keygen default
Ssh::Manager: Key generation is in progress...
progress, name = SSH key generation: 0
....
progress, name = SSH key generation: 50
progress, name = SSH key generation: 100


If you have changed the keys on the server, you should clean them up on the client that remembers them automatically. In Linux, you can use the ssh-keygen application with -R key to do this (case is sensitive because -r key is used to print the saved key hash values to the screen):

[alexander@silverado ~]$ ssh-keygen -R '[192.168.1.1]:2022'
# Host [192.168.1.1]:2022 found: line 1
/home/alexander/.ssh/known_hosts updated.
Original contents retained as /home/alexander/.ssh/known_hosts.old

 

TIP: Note
Starting with KeeneticOS 2.11, unprotected telnet sessions of router management via the command line are automatically terminated after 3 minutes of user inactivity. This timeout value can be controlled, but it is not possible to set an infinite duration of the session.

The default timeout of 300 seconds (5 minutes) is set for the SSH connection session. If necessary, this value can be increased. This parameter can be set to 232-1 seconds inclusively.

Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.