1.4. Permanent Backdoor into a Skolelinux/Debian-edu Machine with a SSH Tunnel

There are places where the one in charge of the network is not you, and where this someone who is in charge of the network has blocked incoming SSH connections. If we could login to our server from anywhere, then our life as administrator would be very comfortable indeed. To overcome such showstoppers in the network, we have included in Skolelinux/Debian-edu a script, that sets up an SSH tunnel, similar to the one in Section 1.3, but with an added feature; no need for a helper on the other side, the script handles this for us. This script is located in the package debian-edu-config and once this package is installed, the script is found in /etc/init.d/open-backdoor. This script needs some information from you to run correctly:

RPORT=this is the port that you will be using on the remote machine that you use.
RHOST=this is the DNS name, or IP number to the remote machine that you use.  
RUSER=this is the username on the remote machine that you use.
If we take the values from Section 1.3, the script will look like this:


When you have supplied the necessary parameters RPORT, RHOST and RUSER, you need to setup and configure the necessary SSH keys for the script, so that the script can setup the SSH tunnel automatically for you, without the intervention by a helping hand in Section 1.3. You must login as the user root on the machine where the backdoor-script is running; this can be a server, workstation or thin client server- your choice. Then you must run the command

ssh-keygen -t dsa

tjener:~# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
81:12:31:b9:04:1c:d0:da:23:1a:72:56:38:87:12:a5 root@tjener.intern
When asked for a passphrase, just leave that empty and when asked for file to save key on just press Enter accepting the default. After you have generated the SSH keys, you must transfer the public part of this key to the machine on the outside, and on this machine place it in the file .ssh/authorized_keys. Make sure you do this in a safe way, not via a Hotmail account. The best would be to use the SSH equivalent scp. You achieve this with the commands from the machine with the backdoor-script running, where you just generated the SSH keys, issue the command

ssh-copy-id -i /root/.ssh/id_dsa.pub RUSER@RHOST

Now, you should be able to start the backdoor script with the command /etc/init.d/open-backdoor start , and with the command

ssh -p RPORT RUSER@localhost

you should be able to login from the remote machine to your Skolelinux/Debian-edu machine, very comfortably.


Now is definitely the time to brush up your knowledge of scp, man scp or write man:scp in the address field in Konqueror.

Warning(Man-in-the-Middle Attack)!

If you have a backdoor script running on many different Skolelinux/Debian-edu machines, then you will experience a frequent warning when trying to login to localhost

Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /home/klausade/.ssh/known_hosts to get rid of this message.
Offending key in /home/klausade/.ssh/known_hosts:2
RSA host key for localhost has changed and you have requested strict checking.
Host key verification failed
This is nothing to get scared about. It just means that you must delete (in this case line 2) the line in the file /home/klausade/.ssh/known_hosts containing localhost