This page lets you decide whether remote SSH access to your IPCop is available or not. Placing a checkmark in the box activates remote SSH access, and several SSH daemon parameters can also be configured from this web page. SSH is disabled by default; we advise enabling it only when needed and disabling it again afterwards, since every enabled service on the firewall is additional attack surface.
Similar to the HTTPS port for the IPCop GUI being moved from 443 to 8443, the SSH port for IPCop SSH access is moved from 22 to 8022. If you are using a GUI based SSH client to access your IPCop, remember to specify port 8022.
A command line utility setreservedports is available to allow Administrators to change the secure port. Refer to the section on setreservedports for details.
If you are using the ssh, scp or sftp commands, the syntax for specifying a non-standard port is different for each command, even though they are related (ssh uses a lowercase -p, scp an uppercase -P, and sftp takes the port as a configuration option). Assuming your IPCop is at IP address 192.168.254.1, the commands would be:
ssh -p 8022 root@192.168.254.1
scp -P 8022 some/file root@192.168.254.1:
scp -P 8022 root@192.168.254.1:/path/to/some/file path/to/local/copy
sftp -o Port=8022 root@192.168.254.1
The -o Port=8022 form is accepted by all three commands, since they share the ssh configuration options. Use your desktop machine's man pages for a more complete explanation of these commands.
The following SSH options are available from the web page:
Checking this box enables SSH. Unless you also open the port under External Access, SSH will only be reachable from the GREEN network. With SSH enabled, anyone who knows the IPCop root password can log into your firewall at the command prompt.
Checking this box enables support for SSH protocol version 1 clients. Use of this option is strongly discouraged: there are known vulnerabilities in SSH protocol version 1. Use it only for temporary access, if you have nothing but SSH version 1 clients and no way to upgrade them to version 2. Most, if not all, current SSH clients support version 2, so upgrade your clients if at all possible.
Checking this box allows SSH encrypted tunnels (TCP port forwarding) to be created between machines inside your firewall and external users.
What use is this when IPCop already has a VPN?
You are on the road and something goes wrong with one of your servers. You haven't set up a road warrior VPN connection. If you know your IPCop root password, you can use SSH port forwarding to get through your firewall and reach a server on one of your protected networks. The next few paragraphs show how to do this, assuming you have a Telnet server running on an internal computer at 10.0.0.20 and that your remote machine is a Linux machine. PuTTY on Windows has the same capabilities, but they are set via dialog boxes. You may already have done one or both of the first two steps.
Enable, or have someone else enable, external access for port 8443, the HTTPS port, so you can reach the IPCop web pages from outside.
Use the IPCop web pages to enable SSH access and external access for port 8022.
Create an SSH tunnel from your remote machine, through the SSH daemon on IPCop, to the internal Telnet server by issuing the command:
ssh -p 8022 -N -f -L 12345:10.0.0.20:23 root@ipcop
-p 8022: IPCop listens for SSH on port 8022, not the normal 22.
-N: tells SSH not to run a remote command and, in conjunction with -f, to stay in the background just holding the tunnel open. If you use this option, you will have to remember to use kill to terminate the SSH process. As an alternative, you may add the command sleep 100 to the end of the command line and not use the -N option. If you do this, the SSH started by the ssh command will terminate after 100 seconds, but the telnet session and its tunnel will not be cut off, because SSH waits for the forwarded connection to close before it exits.
-f: tells SSH to go to the background once you have entered the password.
-L: tells SSH to build a port forwarding tunnel as specified by the next parameter.
12345: the local port that will be used to tunnel to the remote service. Use a port number of 1024 or higher; ports below 1024 are privileged and can only be bound by root on your local machine.
10.0.0.20: the GREEN address of the internal server, as seen from IPCop.
23: the port number on the internal server, here Telnet.
root@ipcop: finally, this specifies that your IPCop firewall is the port forwarding agent; ipcop stands for the RED (external) address or hostname of your firewall. You need a user ID to log in as, and the only one available on IPCop is root. You will be prompted for IPCop's root password.
Finally, log into the internal Telnet server through the tunnel:
telnet localhost 12345
localhost is the machine you are running on. The loopback address 127.0.0.1 is defined as localhost. 12345 is the local tunnel port specified on the previous command.
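The procedure above, scripted so that the backgrounded ssh started with -N and -f is found and killed again when you are done. This is an added example and not part of the IPCop documentation; it assumes the firewall is reachable as ipcop on port 8022 and the Telnet server is at 10.0.0.20:23, and the function names, the ~/.tunnel-PORT.pid file and the TUNNEL_DEMO variable are the example's own inventions.

```shell
#!/bin/sh
# Added example (not from the IPCop documentation): open the -L tunnel from
# the text, refuse privileged local ports up front, and keep the pid of the
# backgrounded ssh so close_tunnel can kill it later (the -N/-f form never
# exits on its own).
# Assumptions: IPCop reachable as "ipcop" on 8022 (override via environment).

IPCOP_HOST="${IPCOP_HOST:-ipcop}"
IPCOP_SSH_PORT="${IPCOP_SSH_PORT:-8022}"

# A forwarding port below 1024 needs root on the client machine; reject it
# here instead of letting ssh fail later with "Permission denied".
valid_local_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;            # not a number at all
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Print the ssh command line for: $1 local port, $2 GREEN address, $3 remote
# port. ExitOnForwardFailure makes ssh exit with an error (instead of
# backgrounding silently) when the local port is already in use.
tunnel_cmd() {
    valid_local_port "$1" || return 1
    printf 'ssh -p %s -N -f -o ExitOnForwardFailure=yes -L %s:%s:%s root@%s\n' \
        "$IPCOP_SSH_PORT" "$1" "$2" "$3" "$IPCOP_HOST"
}

# Start the tunnel (prompts for IPCop's root password) and record its pid.
open_tunnel() {
    cmd=$(tunnel_cmd "$1" "$2" "$3") || { echo "bad local port: $1" >&2; return 1; }
    $cmd || return 1
    # -f forks after authentication; the surviving ssh still carries our
    # -L argument on its command line, which is how we find it.
    pid=$(pgrep -f -- "-L $1:$2:$3 root@$IPCOP_HOST") || { echo "ssh did not stay up" >&2; return 1; }
    printf '%s\n' "$pid" > "$HOME/.tunnel-$1.pid"
}

# Kill the ssh holding the tunnel on local port $1.
close_tunnel() {
    pidfile="$HOME/.tunnel-$1.pid"
    [ -f "$pidfile" ] && kill $(cat "$pidfile") && rm -f "$pidfile"
}

# Usage:  TUNNEL_DEMO=1 sh tunnel.sh
if [ "${TUNNEL_DEMO:-}" = 1 ]; then
    open_tunnel 12345 10.0.0.20 23 && telnet localhost 12345
    close_tunnel 12345
fi
```

The pid file is what makes the "remember to use kill" step reliable: without it you are left hunting through ps output for the right ssh process after the Telnet session ends.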
There is a tutorial on SSH port forwarding at Dev Shed.
Allows users to log into IPCop with the root password. If you decide to turn this off, set up your SSH key files first and verify, from a second session while the first one stays open, that you can log in using your key files; otherwise you can lock yourself out of the command line.
By checking this box, public key authentication can be used by SSH. This is the preferred method of securing IPCop using SSH. This article discusses using ssh-keygen to generate RSA keys and how to use them with SSH.
This section lists the fingerprints of the host keys SSH uses on IPCop, so you can verify that you are opening a session with the right machine. The first time a session is opened, SSH displays one of these fingerprints and asks you to confirm it is correct. Compare it with the value shown on this web page (which you reach over HTTPS) before answering yes; if the two differ, do not continue, because something between you and IPCop may be intercepting the connection.