Hi,

Many people have made the discovery that you can't really run nsupdate directly from a router due to the huge library dependencies.

I believe my own workaround for this is quite a robust solution and also has the potential to be used to facilitate other client/server interaction between an OpenWRT device and some central server.

It is based on the use of ssh public key authentication, with the ssh server running a script (wrtsrv) with the permissions of user wrt whenever an incoming connection comes from one of the known ssh keys.

I've added some comments below and would appreciate some feedback:

- is this something that is worth packaging?
- are there other worthwhile use cases that come to mind, apart from invoking the server-side nsupdate binary?
- do other people feel that using ssh in this way is robust and appropriate? I've seen a similar pattern in the way gitosis works, and I thought it was a good fit for OpenWRT.

Regards,

Daniel


On my server (hostname myserver):

    useradd -c 'Remote OpenWRT routers' -d /home/wrt -m -s /bin/false -U wrt
    rndc-confgen -b 512 -c /home/wrt/wrt.key -k wrtkey -u wrt

On each router:

    mkdir /root/.ssh && chmod 0700 /root/.ssh
    dropbearkey -t rsa -f /root/.ssh/id_rsa -s 4096
    ssh -i /root/.ssh/id_rsa wrt@myserver

On my server again, insert the new ssh key:

    cat >> ~wrt/.ssh/authorized_keys << EOF
    no-pty,no-X11-forwarding,no-port-forwarding,command="/usr/local/sbin/wrtsrv" ssh-rsa AAAAB3Nza.......jAg0U= user1@openwrt
    EOF

and the scripts:

    #!/bin/bash
    # this is /usr/local/sbin/wrtsrv
    # it is invoked on myserver instead of a shell
    # when one of the routers connects with its
    # ssh key

    WRT_HOSTNAME="$1"
    WRT_DOMAIN="wrt.example.net"
    WRT_FQDN="${WRT_HOSTNAME}.${WRT_DOMAIN}"

    # the router sends its current IP address on stdin
    read -r WRT_IP
    if [ -z "$WRT_IP" ]; then
        echo "Invalid IP"
        exit 1
    fi

    echo "welcome $WRT_IP, please wait while nsupdate runs..."
    #echo "`date` handling $WRT_IP" >> /tmp/wrtsrv.log

    # replace the A record for this router, signed with the shared key
    nsupdate -k /home/wrt/wrt.key << EOF
    server my-nameserver.example.net
    update delete $WRT_FQDN A
    update add $WRT_FQDN 60 A $WRT_IP
    send
    quit
    EOF

    exit 0

and these scripts on the router:

    #!/bin/bash
    # this is /etc/udhcpc.user on the router

    DHCP_EVENT=$1
    MY_IP="$ip"

    # only push an update when a lease is obtained or renewed
    if [ "$DHCP_EVENT" = "renew" -o "$DHCP_EVENT" = "bound" ]; then
        /etc/do-nsupdate "$MY_IP"
    fi

    #!/bin/bash
    # this is /etc/ppp/ip-up.d/do_nsupdate
    # on the router

    MY_IP="$4"
    /etc/do-nsupdate "$MY_IP"

    #!/bin/sh
    # this is /etc/do-nsupdate
    # on the router

    MY_IP="$1"
    # send the address to the forced command on the server over ssh
    echo "${MY_IP}" | ssh -T -i /root/.ssh/id_rsa wrt@myserver
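
A stricter variant of the server-side wrapper, as an added example that is not part of the original post: it checks the hostname label and the IPv4 address before anything is written into the nsupdate batch. It assumes each authorized_keys entry fixes the router's name in its forced command (for example command="/usr/local/sbin/wrtsrv router1"), which the post does not show; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the original wrtsrv: validate input before nsupdate.
LC_ALL=C; export LC_ALL                 # make the a-z range below ASCII-only
WRT_DOMAIN="wrt.example.net"            # from the post
NAMESERVER="my-nameserver.example.net"  # from the post

# Accept one lower-case DNS label only (no dots, so no other zone or subdomain).
valid_label() {
    case "$1" in
        ''|-*|*-|*[!a-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Accept a dotted-quad IPv4 address: four octets, 0-255, no leading zeros.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _rest="$1."; _n=0
    while [ -n "$_rest" ]; do
        _octet=${_rest%%.*}; _rest=${_rest#*.}
        case "$_octet" in
            ????*|0?*) return 1 ;;
        esac
        [ "$_octet" -le 255 ] || return 1
        _n=$((_n + 1))
    done
    [ "$_n" -eq 4 ]
}

# Print the nsupdate batch for label $1 and address $2, or fail without output.
build_update() {
    valid_label "$1" && valid_ipv4 "$2" || return 1
    _fqdn="$1.$WRT_DOMAIN"
    printf 'server %s\nupdate delete %s A\nupdate add %s 60 A %s\nsend\nquit\n' \
        "$NAMESERVER" "$_fqdn" "$_fqdn" "$2"
}

# Only act when started by sshd (assumption: $1 is fixed in the forced command).
if [ -n "${SSH_CONNECTION:-}" ]; then
    IFS= read -r wrt_ip || true
    batch=$(build_update "${1:-}" "$wrt_ip") || { echo "Invalid hostname or IP" >&2; exit 1; }
    printf '%s\n' "$batch" | nsupdate -k /home/wrt/wrt.key
fi
```

With the name taken from the key's forced command rather than from the client, a router holding one key can only update its own record.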