Setting up SSH public key authentication on the StarTech SV1110IPEXT (tummy.com, ltd. Journal Entry)

Thursday March 10, 2005 at 09:56
Subject: Setting up SSH public key authentication on the StarTech SV1110IPEXT
Keywords: SSH, Technical
Posted by: Sean Reifschneider

Related entries:
   Hardware Review: StarTech StarView SV1110IPEXT by Sean Reifschneider, Thursday March 10, 2005 at 10:26

The StarTech StarView SV1110IPEXT is a great little KVM-over-IP which runs Linux. However, it doesn't have a mechanism to allow SSH public key authentication. I couldn't resist poking it to see if I could make it use SSH public keys for authentication, though. I've reported this to StarTech as an enhancement request, but in the meantime I've found the following works.

First of all, you need to realize that doing the following may void your warranty, and is totally unsupported by either tummy.com, ltd. or StarTech. If you end up breaking your KVM, you get to keep both parts. This worked for me on the version of the firmware that I have on my box.

The idea here is that you can set up SSH public key authentication on the StarView so that you don't have to use password-based authentication to access the KVM. I use the following command to access the KVM:

vncviewer -bgr233 -via root@kvm localhost:0

With the following lines in my "~/.ssh/config" file on my machine:

Host kvm
   HostName <IP Address of KVM>
   LocalForward 5900 127.0.0.1:5900

The config above allows me to run a simple command (which I've set up in a shell script in my personal "bin" directory as "kvm") to gain access to the KVM. This uses SSH to encrypt the VNC connections.

By following the directions below, I'm able to gain access to the KVM using SSH public key authentication. Note that there's a setting in the StarView about whether to trust SSH tunneled connections; that needs to be on for the above to work.

Here's what you need to do to set up the SSH public key authentication:

ssh root@<kvm IP address>
mount -o remount,rw /dev/mtdblock/4 /setup
mkdir .ssh
cat >.ssh/authorized_keys
<paste in SSH public keys>
<Control-D>
chown root . .ssh .ssh/authorized_keys
mount -o remount,ro /dev/mtdblock/4 /setup
exit

On a reboot, the home directory for root will be chowned back to a different user ID, so after each reboot you have to run the following commands:

mount -o remount,rw /dev/mtdblock/4 /setup
chown root .
mount -o remount,ro /dev/mtdblock/4 /setup
exit

You should be able to make it so that on a reboot you don't have to do the chown by adding the above commands to the "/etc/rc" file, but I wanted to be less intrusive so I haven't tested this. If this works, please let me know.
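The ownership reset on reboot described above can be checked directly instead of being discovered through a failed login. The following is an added example, not part of the original post: a POSIX shell check of the ownership and permissions on root's home directory, ".ssh" and "authorized_keys". It assumes the KVM's SSH daemon applies the same rule as OpenSSH's StrictModes (the post does not say which daemon the device runs); the function names and the script name are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post). Assumption: the SSH daemon
# applies the rule OpenSSH enforces with StrictModes: the home directory,
# ~/.ssh and authorized_keys must be owned by the account (root-owned also
# passes in OpenSSH; for root both are uid 0) and not group/world writable.

# check_path PATH EXPECTED_UID -> 0 if the path passes, 1 otherwise
check_path() {
    path=$1 want_uid=$2
    [ -e "$path" ] || { echo "MISSING  $path"; return 1; }
    # ls -ldn prints the mode in field 1 and the numeric uid in field 3.
    read -r mode _links uid _rest <<EOF
$(ls -ldn "$path")
EOF
    status=0
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER    $path is uid $uid, expected $want_uid"
        status=1
    fi
    case $mode in
        ?????w*|????????w*)   # group-write is char 6, other-write is char 9
            echo "WRITABLE $path has mode $mode"
            status=1 ;;
    esac
    return $status
}

# check_key_auth HOME_DIR EXPECTED_UID -> 0 only if all three paths pass
check_key_auth() {
    home=$1 owner=$2 bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$owner" || bad=1
    done
    [ "$bad" -eq 0 ] && echo "OK: $home passes the ownership checks"
    return $bad
}

# Run as: sh check_keyauth.sh <home-dir> [uid]   (script name is hypothetical)
if [ $# -ge 1 ]; then
    check_key_auth "$1" "${2:-0}"
fi
```

Run from root's home directory with "." as the first argument; an OWNER line for the home directory after a reboot corresponds to the state that the "chown root ." step above corrects.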

Comment
Cal Webster
Subject: StarTech SV1110IPEXT Hack
I appreciate the ssh hack you published as well as the superb review. It gave me some insight into how they've put together the system. I'm interested in getting some additional functionality out of the 3 SV1110IPEXT units we've purchased for use at a client site.

My situation is sort of backwards from how most users employ the StarView. I need multiple users to be able to access a single (Fedora Linux) machine for Internet access, when all they can see on the stand-alone, private network is the StarView's SSH port. I'd like to tunnel a VNC port through the StarView directly to the Fedora Internet machine. I'm using the Xvnc module for the X server to allow multiple VNC sessions.

The Fedora machine has two NICs: one attached to a firewall and the other directly connected to the StarView WAN port. The Keyboard, Video, and Mouse are all attached to the StarView. Only SSH traffic may pass between private clients and the StarView. Only SSH traffic may pass between the StarView and Fedora Internet machine.

Can you suggest a method to configure or modify the StarView machine to allow routing SSH traffic between the LAN and WAN interfaces?

Ntwk1: Private, stand-alone network: no outside network connectivity
Ntwk2: Private, network: firewalled Internet access

1. Connect the LAN port to Ntwk1
2. Connect the WAN port to the 2nd NIC on machine in Ntwk2
	1st NIC goes to switch on Ntwk2 or directly to private firewall interface

Port 5973 is set up in xinetd to accept VNC connections for 1280x1024 res, 24-bit color depth

[Ntwk1|Switch]->[LAN:StarTechIPKVM:WAN]->[Fedora WS|Ntwk2]

[Ntwk1 client:22(localhost:15973)]->[LAN:22|WAN:22>]->[22:(fedora:5973)svr|Ntwk2]

##!! Important: No data transfers between Ntwk1 and Ntwk2 - only VNC over SSH

Firewall on Fedora WS permits only SSH and VNC to pass on 2nd NIC.

No routing at all between two NICs on Fedora WS. IP KVM only accepts SSH & https on WAN and only from a single IP