FS#3884 - dropbear: irritating restriction of interface setting #8895

Closed
openwrt-bot opened this issue Jun 18, 2021 · 1 comment

phqzgunsfjror:

Environment:
Fritzbox 4040
LuCI openwrt-19.07 branch (git-21.044.30835-34e0d65)
OpenWrt 19.07.7 r11306-c4a6851c72

Description:
I created a new network called whatever. It is neither part of lan nor br-lan.
In dropbear I restricted
→ System → Administration → SSH Access → Interface: "lan" (Listen only on the given interface or, if unspecified, on all)
(saved and rebooted)

I would assume that only devices from network lan can reach OpenWrt via SSH but also the network whatever can reach it. Is my assumption incorrect?
In the end I restricted it with firewall rules but for me this setting is irritating.

I also tried to use br-lan but that is not selectable via LuCI and via ssh it gives an error...

vi /etc/config/dropbear

config dropbear
    option Port '22'
    option Interface 'br-lan'
    option PasswordAuth 'off'

/etc/init.d/dropbear restart

error: interface br-lan has no physdev or physdev has no suitable ip


jow-:

I would assume that only devices from network lan can reach OpenWrt via SSH but also the network whatever can reach it. Is my assumption incorrect?

In the end the interface setting is resolved to the current IP of the underlying interface and dropbear will bind to that IP instead of using the 0.0.0.0 wildcard address. If your routing/firewall settings allow the "whatever" network to reach the IP address of the "lan" network then "whatever" can access dropbear. In that sense, the setting works as intended.

Also, you need to specify a logical interface, lan in your case. This will cause dropbear to bind to the IP address of the LAN interface.
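
The behaviour described in the reply above, as an added illustration that is not code from OpenWrt or dropbear: binding a listener to one IP limits which destination address answers, not which source may connect. It assumes a Linux host, where all of 127.0.0.0/8 is local; the three loopback addresses and the function name are constructed stand-ins for the lan IP, a host on "whatever", and the router's address on "whatever".

```python
import socket

# Constructed stand-ins (assumptions, not values from the issue):
LAN_IP = "127.0.0.2"           # router's address on the "lan" network
WHATEVER_HOST = "127.0.0.3"    # a client on the "whatever" network
WHATEVER_ROUTER = "127.0.0.4"  # router's address on the "whatever" network


def reachable(listen_ip, src_ip, dst_ip):
    """Return True if a client sourced from src_ip can complete a TCP
    handshake with dst_ip while the server listens only on listen_ip."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind((listen_ip, 0))       # port 0: kernel picks a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        cli.settimeout(2)
        cli.bind((src_ip, 0))          # force the client's source address
        cli.connect((dst_ip, port))    # handshake completes in the backlog
        return True
    except OSError:                    # refused, unreachable or timed out
        return False
    finally:
        cli.close()
        srv.close()


if __name__ == "__main__":
    # Bound to the lan IP: a foreign source still gets in via that IP.
    print("whatever -> lan IP, bound to lan IP:",
          reachable(LAN_IP, WHATEVER_HOST, LAN_IP))
    # What the bind does restrict: other local addresses stop answering.
    print("whatever -> whatever IP, bound to lan IP:",
          reachable(LAN_IP, WHATEVER_HOST, WHATEVER_ROUTER))
    # Wildcard bind answers on every local address.
    print("whatever -> whatever IP, bound to 0.0.0.0:",
          reachable("0.0.0.0", WHATEVER_HOST, WHATEVER_ROUTER))
```

Filtering by source network is therefore a routing or firewall decision, which is how the reporter ended up restricting access.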
