tomazbracic

tomazbracic

Erlang's :ssh and key based Reverse Tunnel

:ssh … killing me softly and slowly :slightly_smiling_face:

Does anybody have a working example for using :ssh to do a (public/private) key based ssh reverse tunnel?

Having problems with :ssh and private key. Wasn’t able to connect. Various strange errors, but probably all due to my misconfigured setup. Didn’t find one yet, that I would be able to connect with private key.

Then I tried SSHex, but wan’t able to create a reverse tunnel on connect. I read somewhere that this is not supported.

Then i read about Librarian, with which I was actually able to at least connect, but then unable to create a reverse tunnel.

I need to do a reverse tunnel on initial connect.

If anybody has a working setup for :ssh I would really appreciate it.

Kind regards,
Tomaz

Marked As Solved

tomazbracic

tomazbracic

Thank you @LostKobrakai !!

I solved this togetherwith my coleage @uhrovat

In order to have this as refence I will try to write this in a way that I wish would have this before.

So the usecase is this. I have a Nerves based devices out in the field, connected over closed LTE network. So I can’t really reach devices from my cloud base service or directly from my dev laptop. Though majority of features is supported/implemented with the use of MQTT calls between device and cloud, there is still a great feeling being able to jump on a device and do some system checks or maintenance. In my case latter as I will be dealing with custom data handling and processin solution.

OPENSSH way (tested without nerves on clasic linux box)

1.) I crated ssh reverse tunnel with this on boxA (like gateway on picture)

ssh -i /home/tomaz/.ssh/nemo/user_ssh_key -nN -R 2222:localhost:22 Auser@192.168.x.130

user_ssh_key is a key on a proxy server, and Auser is a user on sshproxy server

2.) On ssh proxy I only added

3.) On my laptop I did

ssh -i gateway-id_rsa tomaz@192.168.x.130 -p 2222

gateway-id_rsa is a key that resolves against the PKI on gateway, and tomaz is a user on gateway.

With this in place I gain access to the “TERMINAL” shell on my boxA - which kind of simulates a real nerves gateway on picture. I do think this is really importnat for later.

:SSH (Erlang way). - still without real Nerves gateway.

I’ve created a reverse tunnel on linux VM box (not actual Nerves gateway)

:ssh library expects file to be one of -> id_rsa, id_dsa or id_ecdsa. ssh — OTP 29.0.2 (ssh 6.0.1)

I actually had to rename my key to be id_rsa and not some random name even though I tried to point to it

:ok = :ssh.start()

user = ~c"Auser"
userdir = ~c"/home/tomaz/.ssh/nemo"
ssh_option = [{:user, user}, {:silently_accept_hosts, true}, {:user_interaction, false}, {:user_dir, userdir}]

{:ok, conn} = :ssh.connect(String.to_charlist("192.168.x.130"), 22, ssh_option)

:ssh.tcpip_tunnel_from_server(conn, String.to_charlist("192.168.6.130"), 3333, String.to_charlist("localhost"), 22)

And this setup did establish the ssh reverse proxy. I logged everything in /var/log/auth on a sshproxy.

Then on my laptop I did

ssh -i Auser Auser@192.168.x.130 -p 3333

And with that I got access to linux shell (terminal) on the “gateway” linux VM box.

SSH (Erlang way) - NOW ON NERVES DEVICE

Similar approach as previous example but now on actual device.

iex(13)> :ssh.tcpip_tunnel_from_server(conn, String.to_charlist("mydomain"), 3333, String.to_charlist("localhost"), 22)
{:ok, 3334}
iex(14)>

Then from my dev laptop

ssh -i /Users/tomaz/.ssh/nemo/tomaz-id_rsa nerves@192.168.x.130 -p 3333

private key has a public key on a gateway. User is for gateway, and IP is for sshproxy server.

And what I get is wooohooo!!!

Warning: Permanently added '[192.168.x.130]:3333' (ED25519) to the list of known hosts.
Interactive Elixir (1.17.3) - press Ctrl+C to exit (type h() ENTER for help)
████▄▄    ▐███
█▌  ▀▀██▄▄  ▐█
█▌  ▄▄  ▀▀  ▐█   N  E  R  V  E  S
█▌  ▀▀██▄▄  ▐█
███▌    ▀▀████
nemo 0.26.0 (0626c4d3-89d7-5e8d-0584-d8f685366269) arm rpi4
  Serial       : 1000000094278b35
  Uptime       : 2 hours, 44 minutes and 16 seconds
  Clock        : 2024-11-15 12:16:21 UTC
  Temperature  : 29.7°C

  Firmware     : Valid (B)               Applications : 62 started (nemo not started)
  Memory usage : 163 MB (4%)             Part usage   : 493 MB (2%)
  Hostname     : nerves-8b35             Load average : 0.00 0.00 0.00

  eth0         : 192.168.x.163/24, fe80::da3a:ddff:feab:daf2/64

Nerves CLI help: https://hexdocs.pm/nerves/iex-with-nerves.html

Toolshed imported. Run h(Toolshed) for more info.
iex(1)>

currently my gateway is connected with ethernet cable, since my LTE doesn’t have a signal here.

Huge thumbs up to @uhrovat for joining efforts.

Hope this post helps others in the future.

Also Liked

LostKobrakai

LostKobrakai

Take a look at ssh — OTP 29.0.2 (ssh 6.0.1). SSH in erlang is not wrapping openssh, but is a pure erlang implemenation. Hence you cannot easily translate openssh cli parameters to erlang, you need to translate to how those same features are implemented on erlangs ssh module.

Where Next?

Popular in Questions Top

_russellb
I want to try my hand at web scraping. What tools/libraries do I need to use. I’m hoping to turn this into something professional so don’...
New
marius95
Hello everyone, I try to use an Javascript Event Handler in my root.html.leex file. Therefore I created a function in the app.js file: ...
New
myronmarston
The Elixir Typespec docs show the following syntax for keyword lists in typespecs: # ... | [key: type] # keyword lists...
New
Fl4m3Ph03n1x
About me? ( if you have nothing better to do than reading about some random guy in the internet :stuck_out_tongue: ) Hello all, this is ...
New
nobody
How to bind a phoenix app to a specific ip address? could not find anything about that, nowhere, unfortunately, but for me this is quite...
New
fireproofsocks
Forgive me if this is obvious, but how does one delete a database record WITHOUT selecting it first? Ecto.Repo — Ecto v3.14.0 has exampl...
New
JorisKok
I have a server on AWS, and was running a load test using artillery. When looking at the Phoenix dashboard I see the Ports going to 100% ...
New
stefanchrobot
What’s the safe way to decode a JSON string into a struct? I want to avoid calling String.to_atom. Jason.decode can give me a map with st...
New
pmjoe
I have a relationship of love and hate with Elixir. Lots of things are just absolutely right, but there are some things that are kind of ...
New
aalberti333
As the title describes, I’m trying to run Enum.map() over a list of key/value pairs, where the value is a map. My data looks like this: ...
New

Other popular topics Top

lastday4you
I wanted to check elixir version in phoenix because i found that my elixir is 1.5 but when i use Enum.chunk_by it said the function is un...
New
TunkShif
This post is an instruction guide to help you setup your Neovim for Elixir development from scratch. It includes general information on h...
274 41539 114
New
ovidiubadita
Hey all, I discovered Elixir and I love it. I always wanted to learn a functional programming and I intended to go for Haskell, but afte...
New
chrismccord
Phoenix 1.4.0 released Phoenix 1.4 is out! This release ships with exciting new features, most notably with HTTP2 support, improved deve...
688 30877 112
New
msaraiva
Surface is an experimental library built on top of Phoenix LiveView and its new LiveComponent API that aims to provide a more declarative...
564 43622 214
New
SoCreat
i’m a new one to elixir which editor can i use vs code? or atom? Thanks! :smiley:
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New
saif
Hello everyone, Long time lurker first time poster here. I’ve recently begun working on Elixir full-time again! :raised_hands: It’s been...
New
openscript
Hello! Sorry for this astonishing simple question, but I’m really stuck. I try to set up the intellij-elixir plugin, but I don’t know ho...
New
svb
Hi! Currently I want to submit a form by pressing the Enter key. However, since my input field is of type “textarea” this is just adds a...
New

We're in Beta

About us Mission Statement