Noobie question about terminal connection

Hi,
this is maybe a very very beginner (and stupid) question, but I need a kick start to just begin with my setup.
How do I connect my terminal to the router? Or, in other words, is there a built-in terminal I can use?
I know, I know, stupid, but I come from PowerShell coding and just started with Linux.
Thanks a lot for help.

/Flo

I use the program called “Putty”.
You can easily find it online.

Just connect to the IP of your router, probably 192.168.1.1
User: root

Ok, thanks, that’s a good start. As I will use a Mac, I suspect that I go via the terminal app.
User and IP are already changed, as this was possible via the GUI.
Somebody out there who is already using Terminal to control his Omnia (and can maybe lend me some code)?

Hi,

I’m afraid that it’s not clear what you want so I’ll try to give a ‘wide’ answer :). You may control Omnia (or any other Unix or Mac or Windows) by running commands. To be able to run the commands on a remote machine (Omnia in this case) you need a means of connecting to the machine - which is a program called ‘ssh’ in our case. Ssh is a console-based program so you need something to display its output and send your keystrokes to it - which is a terminal application. It’s the black window showing a cursor waiting for your input.

So normally you first open a terminal application. It does not matter which one (for example putty on Windows, xterm on Unix, and ‘terminal’ on macOS). Now any command you type is executed on your local machine. So you run

ssh -l root <omnia ip address>

ssh is a program which runs on your local machine and which connects to Omnia. (-l root means that you want to log in as the ‘root’ user). If ssh succeeds, you are again presented with a cursor waiting for your input, but this time it’s happening on the remote machine, on Omnia.

And now the fun begins, you can type all the commands you want to configure or otherwise use Omnia :)

What commands to run exactly is another matter, but this should kick(start) you to be able to connect.

As for borrowing the code, you would have to explain what you want our code to do. But beware, Omnia is not the best place to start learning about command line administration (it’s not intended to be newbie friendly, it is intended to be powerful and a very small installation instead). Practicing command line administration would be IMO easier on any Linux first.

HTH
__
Vlad

Ok, to do most of what you’re going to want to do as a novice, you can use the Foris web interface, or the advanced web interface (LuCI). From a Mac you can connect to the command-line on your Omnia just by opening a terminal and using ssh root@<omnia ip address> and logging in with the password you use for the web pages. Unless you know what you’re doing on the command line though you’re just going to be lost, you’re far better off sticking to Foris or LuCI. For some things, like managing a connected SATA disk, you’re going to need to be on the command line and familiar with Linux. Don’t go mucking about on the command line unless you know what you’re doing, you can completely screw up your settings, requiring a reset to factory defaults.

1 Like

https://www.turris.cz/doc/en/howto/ssh :slight_smile:

Thanks a lot for all suggestions, especially Vlad, that was exactly the kind of information I was looking for. I do understand basic coding, but I was missing the information how to connect. That’s solved now and maybe this could be valuable information for other users too (hence I do have the feeling that most Omnia customers will roll their eyes reading my post).
Then, I totally agree that if you are not into coding and network techniques, the Omnia will be the wrong product for you. Personally I have a foundation, but bought the Omnia to develop my Linux skills, that in line with a fine product.

However, my main purpose is to get an OpenVPN client (towards VPN unlimited) up and running, that seems to be possible just with ssh and not via LuCI. No need to send cmdlets by now, there are plenty of posts already opened.

Thanks everyone!

I am also a newbie and I’ve shortly used Putty. Better than Putty is Bitvise SSH Client - In addition, it allows the transfer of files.

For Windows is really good - WinSCP (with Putty ofc)

And let’s add a security note.

Using SSH for remote login with the user ROOT is extremely bad security practice and is highly discouraged.

Now you can say you only log in to the Router from your local network and not from the big wide internet, but since this is about learning Linux I would make a case for also learning PROPER security practices.

As a side note, one, of my many hosts facing the internet, is accessible through SSH from the internet and in the logs I can see 100’s of daily attacks (botnets) trying to login as the user ROOT (even though that is disabled - but the bots don’t know, so they still try). So again - disable ROOT access through SSH is the best practice.

The how to do this on the Omnia and create an additional user that can be used instead is basic Linux 101 Security and you should easily follow these instructions: Add a new user for ssh access

Enjoy.

2 Likes

Sometimes security and ability to function are at odds with each other, such are the conflicts in life. The Omnia is not meant to be a general-purpose linux server, so all the normal rules do not necessarily apply. You’ll find that linux distributions for embedded devices break most typical rules. Yes, you can add new users, but OpenWRT was not written to have processes running under typical user accounts either. Is it possible? With some things, yes, but you can end up with issues as well.

If you want to secure root login from password attacks, consider using an ssh key pair and locking down root login to that. Use a password on the key pair for even greater security.

The problem with adding a user and disabling root login is with an upgrade it’s quite possible your added user account will be removed and root login re-enabled. Enabling root login for a new device, and leaving it up to the user to secure the device isn’t bad security practice, after all you have to have some account to get started with don’t you? Would you prefer “admin/admin”? ;)

I’m sorry - but this is BS.

If the update process can not handle that ROOT has no SSH access (the user root is not disabled mind you, it just can’t do remote login - all other functions still work) and if the update process would delete users and settings created, then the update process is broken.

Even the slimmed down version of Linux that OpenWRT is, is capable of handling multiple users. And in fact some selected (albeit few) services on the Omnia run as user “nobody”. The Torrent Service Transmission even allows one to select the user its supposed to run as and per default a “transmission” user actually exists in the system (cat /etc/passwd).

Even the OpenWRT documentation RECOMMENDS creating a specific user for SSH access as part of the system hardening: https://wiki.openwrt.org/doc/howto/secure.access#create_a_non-privileged_user_in_openwrt

I was not advocating that ROOT per default should be disabled - only that it should not be used for remote SSH login. Every owner of an Omnia should take precautions and complete some security best practice system hardening after the device is set up - one of these being disabling the ROOT account to login through SSH.

Advising against this is at best bad advice and in the worst case outright ignorant and irresponsible of how to securely set up an IT system. Even worse, not advocating best practice security to users who are new at this is grossly negligent.

Finally I have run with a root account that has no SSH access and with a specific SSH user for months now and my Omnias are updating happily without any problems.

2 Likes

woah. who said the update process can’t handle root being locked down? i haven’t read that anywhere in this thread.

you want to lock down your unit. go ahead. do so. you do realize that many people on these forums can’t handle a command line right? take a look at the posts. they are only configuring the omnia through the web interface. they don’t know anything about the command line and they don’t care. they aren’t going to log in and create users they will never use.

so you want turris to create an “admin” user, with some “admin” password, with the ability to sudo to root and distribute that as default? how is that in any way more secure than just logging in as root in the first place?

at least the install wizard prompts you for a password, root’s password is being set to something hopefully unique and hopefully secure. if it isn’t, well, that’s the end-user’s fault isn’t it? besides, you can’t log in via ssh over the WAN port, only the LAN port. and if the end-user has internal threats they are worried about they have bigger issues than their omnia.

Let’s see:

“The problem with adding a user and disabling root login is with an upgrade it’s quite possible your added user account will be removed and root login re-enabled.”

To me that sounds like: “…said the update process can’t handle root being locked down…”

The user in question specifically asked a question about how to access the CLI of the router. It was thus appropriate to make a case for how to properly secure the access to said CLI. The user did this to learn something new - which is always a positive thing - and in that respect providing suggestions on how to properly secure CLI is even more good information.

“…so you want turris to create an “admin” user, with some “admin” password …”

Nope I didn’t say that. I provided best practice that is mirrored by the generic OpenWRT recommendations for hardening on how to create a specific user to not expose the ROOT account for SSH login.

However now that you broached the topic - yes, I believe that the Omnia guys should not encourage the usage of the ROOT account the way they do. The Omnia project is, at least for a large part, about security and closing down attack vectors. The usage of the ROOT account for SSH login (and even the LuCI web page) is one of those.

Most - if not all - mainstream Linux distributions per default don’t even set a password on the ROOT account. Thus completely preventing login with the account.

Instead, during the setup, they create a “User” account (which is added to the SUDO group) where the user selects both the “Username” and provides a unique password.

The first time setup script of the Omnia could do something similar. And while you are right to some degree that you could then login with that user and through sudo become root it would be more secure just because of the simple fact that an attacker would not know what username the user has selected. An attacker can no longer rely on a standardized username like root (or admin for that matter - the username should obviously not be either of those).

" … besides, you can’t log in via ssh over the WAN port, …"

You can - just has to be enabled. And it is positive that (contrary to some cheap ass mainstream routers) this is not enabled by default.

Since the Omnia sits as the firewall/gateway device being able to login to it and use it as a bridgehead SSH hop to reach hosts/servers on the LAN behind it may be a use case some users may want/need (although in this case you should most definitely configure it with private/public keys instead)

Again - this all boils down to users wanting to experiment with the CLI to learn something. The first lesson should be how to correctly configure security when using the CLI.

" … and if the end-user has internal threats …"

If the user - as you say - is just the normal home user who “just” uses the basic web interface to mess with the Omnia then most certainly there is a good chance they have internal threats.

Just one example from the “IoT-revolution”, Web Cams.

Many web cams (and other IoT products) you buy today will use UPnP to punch a hole in the firewall and set up a port forward so you can reach the web cam from the internet, the Omnia supports these UPnP redirects. Many of the web cams (and IoT devices) have abysmal security configurations and glaring holes that an attacker can exploit in seconds to get on the inside of a network - now they can launch an internal attack on the Omnia.

Best security practice is that a device that acts as your gateway between the internet and the internal network is secured both from external and internal threats and that both networks are seen as equally insecure.

I’m aware that best security practice also states that you should not install shitty IoT devices on your network … but we all have to start somewhere.

1 Like

Glad that’s what it “sounds like” to you, but that isn’t what I typed, so don’t go making assumptions. If you want to know what I meant, it’s that config files can and often do get replaced on upgrades, so commenting out #PermitRootLogin in sshd_config could easily be reverted leading one to a very false sense of security.

Yes, but the Omnia is not a mainstream Linux distribution running on typical hardware. It’s a special-purpose distribution running on application specific hardware.

[quote]" … besides, you can’t log in via ssh over the WAN port, …"

You can - just has to be enabled. And it is positive that (contrary to some cheap ass mainstream routers) this is not enabled by default.[/quote]

Yes, and someone can rob your house, you just have to leave the front door open. Your arguments are getting weak. If you purposely enable logging in your edge router over the WAN port you probably deserve to be hacked.

If you have internal devices that can be accessed from outside your firewall, then you’ve already lost. The intruder is on your network, they can access everything you have, who cares about your firewall? You’ve lost.

You want the best security from the internet? Disconnect from it.
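
An added example, not from any poster in this thread or from the Turris project, covering two points raised above: locking root down to key-only login, and checking after an upgrade that a replaced config file has not undone it. It assumes the router runs OpenSSH and reads the `sshd_config` mentioned above; the function names, the path you pass in and the defaults noted in the comments are assumptions.

```sh
#!/bin/sh
# Audit an OpenSSH sshd_config for how root may log in over SSH.
# Assumed sshd_config semantics: keywords are case-insensitive, the first
# value found for a keyword wins, "#" lines are comments and set nothing.
# Only global settings are read; parsing stops at the first Match block.

# effective_value FILE KEYWORD DEFAULT
# Prints the first configured value (lower-cased), or DEFAULT if none is set.
effective_value() {
    awk -v key="$2" -v def="$3" '
        { sub(/=/, " ") }                 # accept "Keyword=value" as well
        /^[ \t]*#/ { next }               # a commented-out line changes nothing
        tolower($1) == "match" { exit }   # per-user/host overrides not audited
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# root_login_state FILE
# Prints one of: password-allowed | key-only | disabled
root_login_state() {
    # Assumed compiled-in defaults (OpenSSH 7.0 and later). Older builds
    # default PermitRootLogin to "yes", so set it explicitly rather than
    # relying on a commented-out line.
    prl=$(effective_value "$1" PermitRootLogin prohibit-password)
    pwa=$(effective_value "$1" PasswordAuthentication yes)
    case "$prl" in
        no) echo disabled ;;
        prohibit-password|without-password|forced-commands-only) echo key-only ;;
        *)  # "yes": root is limited to keys only if passwords are off globally
            # (assumes keyboard-interactive authentication is not in use).
            if [ "$pwa" = no ]; then echo key-only; else echo password-allowed; fi ;;
    esac
}

# Run as a script with the config path as argument, e.g. after each upgrade.
if [ -n "${1:-}" ]; then
    echo "root SSH login: $(root_login_state "$1")"
fi
```

If the report changes from `key-only` or `disabled` to `password-allowed` after an update, the config was replaced and the hardening needs to be reapplied.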