[OpenWrt-Devel] ssh proxy for proxied nsupdate/dynamic DNS and other things

2011-10-08 Thread Daniel Pocock



Hi,

Many people have made the discovery that you can't really run nsupdate
directly from a router due to the huge library dependencies.

I believe my own workaround for this is quite a robust solution and also
has the potential to be used to facilitate other client/server
interaction between an OpenWRT device and some central server.

It is based on the use of ssh public key authentication, with the ssh
server running a script (wrtsrv) with the permissions of user wrt
whenever an incoming connection comes from one of the known ssh keys.

I've added some comments below and would appreciate some feedback:

- is this something that is worth packaging?

- are there other worthwhile use cases that come to mind, apart from
invoking the server-side nsupdate binary?

- do other people feel that using ssh in this way is robust and
appropriate?  I've seen a similar pattern in the way gitosis works, and
I thought it was a good fit for OpenWRT.

Regards,

Daniel

On my server (hostname myserver):

useradd -c 'Remote OpenWRT routers' -d /home/wrt -m -s /bin/false -U wrt
rndc-confgen -b 512 -c /home/wrt/wrt.key -k wrtkey -u wrt

On each router:

mkdir /root/.ssh && chmod 0700 /root/.ssh
dropbearkey -t rsa -f /root/.ssh/id_rsa -s 4096
ssh -i /root/.ssh/id_rsa wrt@myserver


On my server again, insert the new ssh key:

cat >> /home/wrt/.ssh/authorized_keys << EOF
# the argument after wrtsrv is the router's hostname; it is fixed by this key line, not sent by the router
command="/usr/local/sbin/wrtsrv user1",no-pty,no-X11-forwarding,no-port-forwarding ssh-rsa B3Nza...jAg0U= user1@openwrt
EOF


and the scripts:

#!/bin/bash
# this is /usr/local/sbin/wrtsrv
# it is invoked on myserver instead of a shell
# when one of the routers connects with its
# ssh key; the hostname argument comes from the
# forced command in authorized_keys

WRT_HOSTNAME=$1

WRT_DOMAIN=wrt.example.net
WRT_FQDN=${WRT_HOSTNAME}.${WRT_DOMAIN}

# the router sends its current address as one line on stdin
read -r WRT_IP

if [ -z "$WRT_HOSTNAME" ] || [ -z "$WRT_IP" ];
then
  echo Invalid hostname or IP
  exit 1
fi


echo "welcome $WRT_IP, please wait while nsupdate runs..."
#echo `date` handling $WRT_IP >> /tmp/wrtsrv.log

nsupdate -k /home/wrt/wrt.key << EOF
server my-nameserver.example.net
update delete $WRT_FQDN A
update add $WRT_FQDN 60 A $WRT_IP
send
quit
EOF

exit 0


and these scripts on the router:

#!/bin/sh
# this is /etc/udhcpc.user on the router
# (OpenWRT ships ash as /bin/sh; udhcpc exports the leased address as $ip)

DHCP_EVENT=$1
MY_IP=$ip

if [ "$DHCP_EVENT" = renew ] || [ "$DHCP_EVENT" = bound ];
then
  /etc/do-nsupdate "$MY_IP"
fi

#!/bin/sh
# this is /etc/ppp/ip-up.d/do_nsupdate
# on the router (pppd passes the local address as $4)

MY_IP=$4
/etc/do-nsupdate "$MY_IP"

#!/bin/sh
# this is /etc/do-nsupdate
# on the router

MY_IP=$1
echo "${MY_IP}" | ssh -T -i /root/.ssh/id_rsa wrt@myserver

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
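The forced-command server above trusts whatever line the router writes on stdin and splices it into the nsupdate batch. The following is an added example of the same pattern with input validation, not Daniel Pocock's script: the hostname is taken from the forced command in authorized_keys (so a key can only ever update the one name bound to it), the address must be a well-formed IPv4 literal, and the nsupdate batch is built by a function so it can be inspected in a dry run. WRT_DOMAIN, WRT_KEY, WRT_NS, DRY_RUN and the helper names are this example's own assumptions.

```sh
#!/bin/sh
# Hardened wrtsrv-style forced command (added example, not the original post's code).
# Intended authorized_keys line (hostname rides on the forced command, router cannot change it):
#   command="/usr/local/sbin/wrtsrv router1",no-pty,no-port-forwarding,no-X11-forwarding ssh-rsa <pubkey> router1

WRT_DOMAIN=${WRT_DOMAIN:-wrt.example.net}          # assumed zone
WRT_KEY=${WRT_KEY:-/home/wrt/wrt.key}              # TSIG key from rndc-confgen
WRT_NS=${WRT_NS:-my-nameserver.example.net}        # assumed primary for the zone

# valid_label: one DNS label of 1-63 chars from [A-Za-z0-9-], no leading/trailing '-'
valid_label() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# valid_ipv4: exactly four decimal octets 0-255, no leading zeros, nothing else.
# A trailing space, a newline or a second nsupdate command glued to the address is rejected.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
            *) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# nsupdate_batch HOST ADDR: print the nsupdate commands for HOST.$WRT_DOMAIN,
# or print nothing and return 1 if either value fails validation
nsupdate_batch() {
    valid_label "$1" || { echo "wrtsrv: rejected hostname" >&2; return 1; }
    valid_ipv4 "$2" || { echo "wrtsrv: rejected address" >&2; return 1; }
    fqdn="$1.$WRT_DOMAIN"
    printf 'server %s\nupdate delete %s A\nupdate add %s 60 A %s\nsend\nquit\n' \
        "$WRT_NS" "$fqdn" "$fqdn" "$2"
}

# handle_request HOST: read one line (the router's address) from stdin, then
# either print the batch (DRY_RUN=1) or feed it to nsupdate with the TSIG key
handle_request() {
    host=$1
    IFS= read -r addr || return 1
    batch=$(nsupdate_batch "$host" "$addr") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$batch"
    else
        printf '%s\n' "$batch" | nsupdate -k "$WRT_KEY"
    fi
}

# run as the forced command when invoked with the hostname argument
if [ $# -eq 1 ]; then
    handle_request "$1"
fi
```

Run it as `printf '192.0.2.10\n' | DRY_RUN=1 sh wrtsrv router1` to see the batch that would be sent. Binding the hostname to the key line means a stolen router key can still only rewrite its own record, which is the property the no-pty/no-forwarding options alone do not give you.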


Re: [OpenWrt-Devel] [PATCH] Fix md5 hash for distribute package

2011-10-08 Thread Roberto Riggio

Ping

On 28/09/2011 21:01, Roberto Riggio wrote:

As in the subj. The current md5 hash for the distribute package is wrong.


Signed-off-by: Roberto Riggio roberto.rig...@create-net.org





--

Roberto Riggio, Ph.D.
CREATE-NET
Network & Security Solutions for Pervasive Computing Systems (iNSPIRE)
Senior Researcher
Via alla Cascata 56/D - 38123 Povo Trento (Italy)
e-mail: roberto.rig...@create-net.org
Tel: (+39) 0461 408400 - interno/extension 708
Fax: (+39) 0461 421157
www.create-net.org/~rriggio


The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited according to
the Italian Law 196/2003 of the Legislature. If you received this in
error, please contact the sender and delete the material from any
computer.

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


Re: [OpenWrt-Devel] [PATCH] Fix md5 hash for distribute package

2011-10-08 Thread Jan Willies
2011/9/28 Roberto Riggio roberto.rig...@create-net.org

 As in the subj. The current md5 hash for the distribute package is wrong.


That's weird, the local file I have has the same hash as in svn. Looking at
http://pypi.python.org/packages/source/d/distribute it seems all the files
were changed at once. Do you know the reason behind this?
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


[OpenWrt-Devel] [PATCH] Restart aiccu when wan reconnects

2011-10-08 Thread Stefan Agner
This change properly restarts aiccu when the wan interface is
reconnected. This solves the reopened bug #7629.

Signed-off-by: Stefan Agner stefan at agner.ch

Index: ipv6/aiccu/files/aiccu.hotplug
===
--- ipv6/aiccu/files/aiccu.hotplug	(Revision 28386)
+++ ipv6/aiccu/files/aiccu.hotplug	(Arbeitskopie)
@@ -1,2 +1,3 @@
 #!/bin/sh
-[ $ACTION = ifup -a $INTERFACE = wan ]  /etc/init.d/aiccu enabled  /etc/init.d/aiccu start
+[ $ACTION = ifdown ]  [ $INTERFACE = wan ]  /etc/init.d/aiccu enabled  /etc/init.d/aiccu stop
+[ $ACTION = ifup ]  [ $INTERFACE = wan ]  /etc/init.d/aiccu enabled  /etc/init.d/aiccu start
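Review bot: both new lines test `$ACTION` and `$INTERFACE` unquoted; if hotplug ever runs the script with either variable empty, `[ = ifdown ]` is a test syntax error rather than a false result, so quote them, e.g. `[ "$ACTION" = ifdown ] && [ "$INTERFACE" = wan ]`. In this archive rendering the `&&` operators between the tests and the `/etc/init.d/aiccu enabled` / `stop` / `start` calls are not visible; please confirm the patch file itself carries them.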
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


Re: [OpenWrt-Devel] [PATCH] secure_mode config options for radvd

2011-10-08 Thread Philip Prindeville
On 10/8/11 11:17 AM, Adam Gensler wrote:
 All,
 
 This is my first try at a patch and also my first attempt at parsing 
 /etc/config files in OpenWRT. If I've goofed something up please let me know. 
 The purpose of this change is to allow users to config radvd to run in 
 unprivileged mode. Per the radvd man page:
 
 radvd(8) - Linux man page
 http://linux.die.net/man/8/radvd
 
 -u username, --username username
 If specified, drops root privileges and changes user ID to username and group 
 ID to the primary group of username. This is recommended for security 
 reasons. You might also need to use -p to point to a file in a username 
 -writable directory (e.g. /var/run/radvd/radvd.pid).
 
 This patch can parse three new fields in /etc/config/radvd, under config 
 radvd, specifically:
 option secure_mode 1
 option username   'nobody'
 option group      'nogroup'
 
 I think the above is fairly self explanatory. When run with the -u option, 
 radvd spawns two processes, one with root privileges for interface 
 configuration purposes and another, unprivileged process, for everything else.
 
 With none of these options configured radvd will operate as it always has.
 
 Any suggestions and / or input would be appreciated. As I said, this is my 
 first crack at working with OpenWRT so there's a possibility I did something 
 incorrect.
 
 Thanks in advance,
 Adam

Please configure your MUA to send .patch files as text/plain and not 
application/octet-stream...

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


Re: [OpenWrt-Devel] [PATCH] secure_mode config options for radvd

2011-10-08 Thread Philip Prindeville
On 10/8/11 11:17 AM, Adam Gensler wrote:
 All,
 
 This is my first try at a patch and also my first attempt at parsing 
 /etc/config files in OpenWRT. If I've goofed something up please let me know. 
 The purpose of this change is to allow users to config radvd to run in 
 unprivileged mode. Per the radvd man page:
 
 radvd(8) - Linux man page
 http://linux.die.net/man/8/radvd
 
 -u username, --username username
 If specified, drops root privileges and changes user ID to username and group 
 ID to the primary group of username. This is recommended for security 
 reasons. You might also need to use -p to point to a file in a username 
 -writable directory (e.g. /var/run/radvd/radvd.pid).
 
 This patch can parse three new fields in /etc/config/radvd, under config 
 radvd, specifically:
 option secure_mode 1
 option username   'nobody'
 option group      'nogroup'
 
 I think the above is fairly self explanatory. When run with the -u option, 
 radvd spawns two processes, one with root privileges for interface 
 configuration purposes and another, unprivileged process, for everything else.
 
 With none of these options configured radvd will operate as it always has.
 
 Any suggestions and / or input would be appreciated. As I said, this is my 
 first crack at working with OpenWRT so there's a possibility I did something 
 incorrect.
 
 Thanks in advance,
 Adam

Also, I don't think it's the convention to use UPPERCASE variable names.

-Philip

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


Re: [OpenWrt-Devel] [PATCH] secure_mode config options for radvd

2011-10-08 Thread Adam Gensler
Hi Philip,

Thanks for taking a look. To address your two comments:

1. I use Mail.app on Mac OS X 10.7 for email. I don't believe it has any 
attachment options that let me adjust that setting. I will investigate or 
perhaps use Thunderbird for this mailer.

2. About the UPPERCASE variable names. Normally I wouldn't use them as such, 
however, I did so to keep my additions inline with the rest of radvd.init.

In any case, there's still some more work to be done such that unprivileged 
radvd plays nice with hotplug. I'm investigating further.

Thanks,
Adam


On Oct 8, 2011, at 3:49 PM, Philip Prindeville wrote:

 On 10/8/11 11:17 AM, Adam Gensler wrote:
 All,
 
 This is my first try at a patch and also my first attempt at parsing 
 /etc/config files in OpenWRT. If I've goofed something up please let me 
 know. The purpose of this change is to allow users to config radvd to run in 
 unprivileged mode. Per the radvd man page:
 
 radvd(8) - Linux man page
 http://linux.die.net/man/8/radvd
 
 -u username, --username username
 If specified, drops root privileges and changes user ID to username and 
 group ID to the primary group of username. This is recommended for security 
 reasons. You might also need to use -p to point to a file in a username 
 -writable directory (e.g. /var/run/radvd/radvd.pid).
 
 This patch can parse three new fields in /etc/config/radvd, under config 
 radvd, specifically:
 option secure_mode   1
 option username  'nobody'
 option group 'nogroup'
 
 I think the above is fairly self explanatory. When run with the -u option, 
 radvd spawns two processes, one with root privileges for interface 
 configuration purposes and another, unprivileged process, for everything 
 else.
 
 With none of these options configured radvd will operate as it always has.
 
 Any suggestions and / or input would be appreciated. As I said, this is my 
 first crack at working with OpenWRT so there's a possibility I did something 
 incorrect.
 
 Thanks in advance,
 Adam
 
 Also, I don't think it's the convention to use UPPERCASE variable names.
 
 -Philip
 
 ___
 openwrt-devel mailing list
 openwrt-devel@lists.openwrt.org
 https://lists.openwrt.org/mailman/listinfo/openwrt-devel

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
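The quoted patch description above proposes three options in /etc/config/radvd (secure_mode, username, group) that turn on radvd's -u privilege drop, and the man page excerpt notes that -p must then point at a directory the unprivileged user can write. The following added example, which is neither Adam Gensler's patch nor OpenWrt's radvd.init, shows how an init script would derive radvd's flags from those options. The awk parser stands in for OpenWrt's config_get so the block runs without the uci tools, and it assumes one value per option line, optionally quoted; the config text in the test is constructed.

```sh
#!/bin/sh
# Added example (not the thread's patch): map the proposed secure_mode/username/group
# options to radvd's -u and -p flags. uci_option is an awk stand-in for config_get.

# uci_option SECTION_TYPE OPTION: print OPTION's value from the first section of
# SECTION_TYPE in the UCI-style config text on stdin (prints nothing if absent)
uci_option() {
    awk -v sect="$1" -v opt="$2" -v sq="'" '
        $1 == "config" && $2 == sect { in_sect = 1; next }
        $1 == "config"               { in_sect = 0 }
        in_sect && $1 == "option" && $2 == opt {
            v = $3
            gsub(sq, "", v)      # strip single quotes around the value
            gsub(/"/, "", v)     # strip double quotes around the value
            print v
            exit
        }'
}

# radvd_args CONFIG_TEXT: print the extra radvd arguments for this config.
#  - secure_mode unset or 0: print nothing, radvd runs as it always has (root)
#  - secure_mode 1: -u USER so radvd drops root after interface setup, plus -p
#    pointing into /var/run/radvd, which must be owned by username:group beforehand
#    (radvd has no group flag; the group option only matters for that chown)
# Fails closed (returns 1) when secure_mode is on but no username is configured.
radvd_args() {
    cfg=$1
    secure=$(printf '%s\n' "$cfg" | uci_option radvd secure_mode)
    [ "${secure:-0}" = 1 ] || return 0
    user=$(printf '%s\n' "$cfg" | uci_option radvd username)
    [ -n "$user" ] || { echo "radvd: secure_mode set but no username" >&2; return 1; }
    printf '%s %s -p %s' -u "$user" /var/run/radvd/radvd.pid
}

# pid_dir_owner CONFIG_TEXT: print the user:group that /var/run/radvd must be
# chowned to before radvd is started with the arguments above; fails if either is missing
pid_dir_owner() {
    user=$(printf '%s\n' "$1" | uci_option radvd username)
    group=$(printf '%s\n' "$1" | uci_option radvd group)
    [ -n "$user" ] && [ -n "$group" ] || return 1
    printf '%s:%s' "$user" "$group"
}
```

An init script would call `radvd_args "$(cat /etc/config/radvd)"` when building the command line and `pid_dir_owner` before creating the pid directory; with secure_mode absent both return nothing, which preserves the existing behaviour the patch description promises.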


[OpenWrt-Devel] no output of printk

2011-10-08 Thread abhinav narain
I have made a patch to just do a printk(KERN_INFO ... );
in ath9k_tasklet().
shall I use any other KERN_ALERT etc options instead ?

But I don't see any output on stdout when I install the image on netgear
router.
It does not have anything in 'cat /var/log/message' also.

Am I missing something ?
The patch applied successfully, so I hope there is no need to include
kernel/printk.h in the main.c file and recompile the image?

Abhinav
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


[OpenWrt-Devel] [PATCH] Update gstreamer

2011-10-08 Thread W. Michael Petullo
This patch updates the GStreamer package to 0.10.34.

Signed-off-by: W. Michael Petullo mike at flyn.org

Index: multimedia/gstreamer/Makefile
===
--- multimedia/gstreamer/Makefile   (revision 27088)
+++ multimedia/gstreamer/Makefile   (working copy)
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gstreamer
-PKG_VERSION:=0.10.29
+PKG_VERSION:=0.10.34
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://gstreamer.freedesktop.org/src/gstreamer/
-PKG_MD5SUM:=c92d6bce4fc65fa9d5a3ad35cdd1a466
+PKG_MD5SUM:=e6938af242cd002be9f0b6441e848d83
 
 PKG_FIXUP:=libtool
 PKG_REMOVE_FILES:=autogen.sh aclocal.m4
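Review bot: the source is fetched over plain http (PKG_SOURCE_URL), so the new PKG_MD5SUM is the only integrity check the build applies to gstreamer-0.10.34.tar.bz2; the value e6938af242cd002be9f0b6441e848d83 should be confirmed against the checksum upstream publishes for that release rather than computed from a locally downloaded tarball, and the commit message should say where it was taken from.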
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


[OpenWrt-Devel] [PATCH] Update vips

2011-10-08 Thread W. Michael Petullo
This patch updates the vips package to 7.26.3.

Signed-off-by: W. Michael Petullo mike at flyn.org

Index: libs/vips/patches/001-no_cpp.patch
===
--- libs/vips/patches/001-no_cpp.patch  (revision 28379)
+++ libs/vips/patches/001-no_cpp.patch  (working copy)
@@ -1,7 +1,7 @@
-diff -u --recursive vips-7.24.1-vanilla/configure.in vips-7.24.1/configure.in
 vips-7.24.1-vanilla/configure.in   2011-03-29 22:09:45.465282663 -0500
-+++ vips-7.24.1/configure.in   2011-03-29 22:18:40.786482911 -0500
-@@ -143,7 +143,6 @@
+diff -u --recursive vips-7.26.3-vanilla/configure.in vips-7.26.3/configure.in
+--- vips-7.26.3-vanilla/configure.in   2011-10-07 20:43:26.474844552 -0500
 vips-7.26.3/configure.in   2011-10-07 21:00:33.633107256 -0500
+@@ -142,7 +142,6 @@
  AC_PROG_AWK
  AC_PROG_CC
  AC_PROG_CC_STDC
@@ -9,23 +9,77 @@
  AC_C_CONST
  AC_C_RESTRICT
  AC_PROG_RANLIB
-@@ -615,7 +614,6 @@
+@@ -150,45 +149,6 @@
+ AC_PROG_LN_S
+ AM_WITH_DMALLOC
+ 
+-# vips_PROG_CXX_WORKS
+-# Check whether the C++ compiler works.
+-AC_DEFUN([vips_PROG_CXX_WORKS],
+-  [AC_REQUIRE([AC_PROG_CXX])dnl
+-   AC_CACHE_CHECK([whether the C++ compiler works],
+-   [vips_cv_prog_cxx_works],
+-   [AC_LANG_PUSH([C++])
+-AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])],
+-   [vips_cv_prog_cxx_works=yes],
+-   [vips_cv_prog_cxx_works=no])
+-AC_LANG_POP([C++])])
+-])
+-
+-# option to build without C++
+-# handy for some embedded applications
+-# also, including C++ source causes link problems on some
+-# platforms, so have an option to disable it
+-AC_ARG_ENABLE(cxx, 
+-  AS_HELP_STRING([--enable-cxx], [build C++ components (default: test)]))
+-
+-if test x$enable_cxx != xno; then
+-  vips_PROG_CXX_WORKS
+-  if test x$vips_cv_prog_cxx_works = xyes; then 
+-AC_DEFINE(ENABLE_CXX,1,[build C++ components])
+-AM_CONDITIONAL(ENABLE_CXX, true)
+-# need -lstdc++ for (eg.) the C++ format loaders
+-# this gets added to vips-7.xx.pc to help mingw and friends link programs
+-# using libvips
+-VIPS_CXX_LIBS=-lstdc++
+-enable_cxx=yes
+-  fi
+-fi
+-
+-if test x$enable_cxx != xyes; then
+-  AM_CONDITIONAL(ENABLE_CXX, false)
+-  VIPS_CXX_LIBS=
+-  enable_cxx=no
+-fi
+-
+ # we need a fully expanded version of $libdir
+ # without this we get something like
+ #define VIPS_LIBDIR ${exec_prefix}/lib
+@@ -614,7 +574,6 @@
+ AC_SUBST(VIPS_CFLAGS)
+ AC_SUBST(VIPS_INCLUDES)
+ AC_SUBST(VIPS_LIBS)
+-AC_SUBST(VIPS_CXX_LIBS)
+ AC_SUBST(PACKAGES_USED)
+ 
+ # you'd think we could have 
+@@ -622,7 +581,6 @@
  # in AC_OUTPUT, but that seems to break for some combinations of sh/m4
  AC_OUTPUT([
-   vips-7.24.pc
--  vipsCC-7.24.pc
+   vips-7.26.pc
+-  vipsCC-7.26.pc
Makefile 
libvips/include/vips/version.h 
libvips/include/Makefile 
-@@ -624,7 +622,6 @@
-   libvips/acquire/Makefile 
+@@ -630,7 +588,6 @@
+   libvips/Makefile 
libvips/arithmetic/Makefile 
libvips/boolean/Makefile 
 -  libvips/cimg/Makefile 
libvips/colour/Makefile 
libvips/conversion/Makefile 
libvips/convolution/Makefile 
-@@ -641,9 +638,6 @@
+@@ -647,9 +604,6 @@
libvips/relational/Makefile 
libvips/resample/Makefile 
libvips/video/Makefile 
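Review bot: the rebased 001-no_cpp.patch now removes the whole --enable-cxx block from configure.in (inner hunk `+@@ -150,45 +149,6 @@`, 39 lines from `vips_PROG_CXX_WORKS` to the closing `fi`) and drops `AC_SUBST(VIPS_CXX_LIBS)`, whereas the 7.24.1 version of the patch only touched single lines; the commit message ("This patch updates the vips package to 7.26.3") should explain why the larger removal is needed against 7.26.3, presumably that the new C++ compiler probe must not run in the OpenWrt cross build.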
@@ -33,19 +87,19 @@
 -  libvipsCC/include/vips/Makefile 
 -  libvipsCC/Makefile 
tools/Makefile 
-   tools/iofuncs/Makefile 
-   tools/mosaicing/Makefile 
-@@ -655,7 +649,6 @@
-   tools/scripts/light_correct 
-   tools/scripts/shrink_width 
+   tools/batch_crop 
+   tools/batch_image_convert 
+@@ -657,7 +611,6 @@
+   tools/light_correct 
+   tools/shrink_width 
swig/Makefile 
 -  swig/vipsCC/Makefile 
swig/python/setup.py 
man/Makefile
doc/Makefile
-diff -u --recursive vips-7.24.1-vanilla/libvips/Makefile.am 
vips-7.24.1/libvips/Makefile.am
 vips-7.24.1-vanilla/libvips/Makefile.am2011-03-29 22:09:45.525280200 
-0500
-+++ vips-7.24.1/libvips/Makefile.am2011-03-29 22:16:08.223081415 -0500
+diff -u --recursive vips-7.26.3-vanilla/libvips/Makefile.am 
vips-7.26.3/libvips/Makefile.am
+--- vips-7.26.3-vanilla/libvips/Makefile.am2011-10-07 20:43:26.909839013 
-0500
 vips-7.26.3/libvips/Makefile.am2011-10-07 20:45:25.074274823 -0500
 @@ -1,14 +1,3 @@
 -# only build in the cimg dir if C++ is enabled
 -if ENABLE_CXX
@@ -60,8 +114,8 @@
 -
  SUBDIRS = \
include \
-   acquire \
-@@ -19,7 +8,6 @@
+   arithmetic \
+@@ -18,7 +7,6 @@
conversion \
deprecated \
convolution \
@@ -69,17 +123,22 @@
format \
freq_filt \
histograms_lut \
-@@ -36,9 +24,6 @@
- lib_LTLIBRARIES = libvips.la
+@@ -37,14 +25,6 @@
+ # empty means default to C linking
+ libvips_la_SOURCES = 
  
- libvips_la_SOURCES = dummy.c 
+-# if we have C++ components enabled, make sure we link the top-level with c++
+-#
+-# sadly the 

Re: [OpenWrt-Devel] how to apply driver patch to the kernel

2011-10-08 Thread abhinav narain
hi,
Your method does not work.
I tried doing this by adding a printk() line to module_exit() in ath9k in
the file init.c
The dmesg does not show any output of the changed line.
It took me a lot of time to figure this out.

Any help please ?


On Thu, Oct 6, 2011 at 4:19 PM, Jonas Gorski jonas.gorski+open...@gmail.com
 wrote:

 Hi,

 On 6 October 2011 20:55, abhinav narain abhinavnarai...@gmail.com wrote:
  hi,
  This is my first experience with writing a patch/using git.
  I need some specific answers to get it working

 mac80211 is actually a bit tricky since quilt doesn't work.

 I'd recommend cloning the appropriate tag from
 https://github.com/mcgrof/compat-wireless, then applying the OpenWrt
 patches on top of it (with e.g. git apply - don't forget to commit,
 but all as one should be fine).

 Then you can create patches you can put into package/mac80211/patches/
 (they should come last).

  a/compat-wireless-2011-08-10/drivers/net/wireless/ath/ath9k/ath9k.h
  b/compat-wireless-2011-08-10/drivers/net/wireless/ath/ath9k/ath9k.h
  index c03949e..0b31c10 100644
  --- a/compat-wireless-2011-08-10/drivers/net/wireless/ath/ath9k/ath9k.h
  +++ b/compat-wireless-2011-08-10/drivers/net/wireless/ath/ath9k/ath9k.h

 The base is wrong, it should be a/drivers/net/... . without the
 compat-wireless... .

  @@ -122,9 +122,14 @@ void ath_descdma_cleanup(struct ath_softc *sc,
 struct
  ath_descdma *dd,
   /***/
  My question is:
  0) should index line be present in the patch ?

 It doesn't hurt, but it doesn't help either, patch ignores it when
 applying them. For a working patch the ---/+++ lines and the changes
 are enough, everything else is just fluff.

  1) Where should I place this patch file ?

 in package/mac80211/patches/ (where all patches are).

  2) What are the set of easiest commands to get this patch to be
  applied/compile ?

 Copy the patch to the location above, do a make
 package/mac80211/{clean,compile}

  I saw Quilt http://wiki.openwrt.org/doc/devel/patches
  They asked to do make package/example/update V=99
  Now I don't know what this example should be to use this command ?

 Not for mac80211/compat-wireless, so just ignore it ;)

 Regards
 Jonas
 ___
 openwrt-devel mailing list
 openwrt-devel@lists.openwrt.org
 https://lists.openwrt.org/mailman/listinfo/openwrt-devel

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel