Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Weaver]

Can you change the admin username? By just editing the config file? Might brick it?

I don't want to risk that without knowing how to recover.

I wondered if I could create a second admin-privileged account, member of the administrators group, add that and then either disable or delete the original? (Some devices do not allow you to delete one sacred user #0, not even if you have two working admin users.)

I failed to save the entry for a second admin in the web ui. I kept getting whining about the username and then about the password, disallowed/required characters in both cases.

Has anyone had any success with setting a stronger username?

[burakkucat]

I've never tried, so am unable to help. 

With my VMG1312-B10A I have the standard "admin" and "supervisor" logins enabled. In terms of access to the device, I only allow "https", "ssh" and "ICMP" from the LAN, everything else is disabled. (GUI Maintenance ---> Remote MGMT)

Whenever I test Roseway's xDSLstats, I temporarily enable "telnet" from the LAN.

[Weaver]

For some reason I can't get SSH to work. NAT? SSH is enabled though.

[burakkucat]

I do not understand.    What has NAT go to do with using ssh over a local link?

In the following example, there is a WiFi link from the laptop computer to the VMG1312-B10A. First I establish a ssh connection for the "supervisor" account. Next I establish a ssh connection for the "admin" account.

Code: [Select]

[Duo2 tmp]$ ssh supervisor@AP
supervisor@ap's password:
 > ?
?
help
logout
exit
quit
reboot
adsl
xdslctl
xtm
loglevel
logdest
virtualserver
ddns
dumpcfg
dumpmdm
meminfo
psp
dumpsysinfo
syslog
sntp
ethwanctl
wlan
wlanctl
arp
defaultgateway
dhcpserver
dhcpcondserv
igmpcmd
dns
lan
lanhosts
staticdhcp
portforward
passwd
ppp
pppoectl
firewall
dmz
snmpctl
rmtmgmt
restoredefault
route
save
swversion
uptime
cfgupdate
swupdate
exitOnIdle
wan
interfaceGroup
udpechod
tr69c
webstyle
radvdconf
vcautohunt
vlanautohunt
sys
save_default
captiveportal
celld
tr064
snmp
dhcpmachash
udpportrange
mapp
redirect
buttondisable
 > sh
~ # pwd
/
~ # ls -l
drwxr-xr-x    2 supervis root             0 Nov 23 07:46 bin
drwxr-xr-x    5 supervis root             0 Jan  1  1970 data
drwxrwxr-x    5 supervis root             0 Nov 23 07:46 dev
drwxrwxr-x   11 supervis root             0 Nov 23 06:07 etc
drwxr-xr-x    2 supervis root             0 Jan  1  1970 home
drwxrwxr-x    6 supervis root             0 Nov 23 07:40 lib
lrwxrwxrwx    1 supervis root            11 Nov 23 07:40 linuxrc -> bin/busybox
drwxr-xr-x    2 supervis root             0 Mar 30 14:19 log
drwxr-xr-x    2 supervis root             0 Jan  1  1970 mnt
drwxrwxr-x    5 supervis root             0 Nov 23 07:46 opt
dr-xr-xr-x   87 supervis root             0 Jan  1  1970 proc
drwxrwxr-x    2 supervis root             0 Nov 23 07:45 sbin
drwxr-xr-x   11 supervis root             0 Jan  1  1970 sys
lrwxrwxrwx    1 supervis root             8 Nov 23 07:46 tmp -> /var/tmp
drwxrwxr-x    4 supervis root             0 Nov 23 07:40 usr
drwxr-xr-x   17 supervis root             0 May 15 17:13 var
-rw-rw-r--    1 supervis root       1405653 Nov 23 07:46 vmlinux.lz
drwxrwxr-x    4 supervis root             0 Nov 23 07:44 webs
~ #  > Connection to AP closed.
[Duo2 tmp]$ ssh admin@AP
admin@ap's password:
 > ?
?
help
logout
exit
quit
reboot
adsl
xdslctl
xtm
loglevel
logdest
virtualserver
ddns
dumpcfg
dumpmdm
meminfo
psp
dumpsysinfo
syslog
sntp
ethwanctl
wlan
wlanctl
arp
defaultgateway
dhcpserver
dhcpcondserv
igmpcmd
dns
lan
lanhosts
staticdhcp
portforward
passwd
ppp
pppoectl
firewall
dmz
snmpctl
rmtmgmt
restoredefault
route
save
swversion
uptime
cfgupdate
swupdate
exitOnIdle
wan
interfaceGroup
udpechod
tr69c
webstyle
radvdconf
vcautohunt
vlanautohunt
sys
save_default
captiveportal
celld
tr064
snmp
dhcpmachash
udpportrange
mapp
redirect
buttondisable
 > Connection to AP closed.
[Duo2 tmp]$

If I was to perform the above from a directly connected (Ethernet) system, I would achieve an identical result.

[Weaver]

The modem is on a different subnet and not on the same lan, the brick is doing a kind of nat to present the modem with src IP addresses that it can cope with, since, lacking a gateway setting, the modem doesn't know how to communicate with anything that is outside its subnet range. Also it will not let me set the netmask to 0.0.0.0 not that that would necessarily help because the modem’s ARP lookups would just fail anyway presumably.

I'm wondering if SSH mentions its own source address in the protocol? Just guessing as I know nothing about SSH, have never looked it up.

[burakkucat]

The modem is on a different subnet and not on the same lan, the brick is doing a kind of nat to present the modem with src IP addresses that it can cope with, since, lacking a gateway setting, the modem doesn't know how to communicate with anything that is outside its subnet range.

That clearly is the problem. To be honest, I never attempt to access a modem/router other than directly to its assigned IP address.

[Weaver]

From the details of the ssh protocol? (We think it ‘mentions itself’ or the results of crypto authentication look suspicious somehow because the source address is seen as ‘wrong’?)

By the way, telnet works.

[burakkucat]

The problem is, I believe, centred on the FB2700. It is doing something "clever" that the ssh protocol dislikes.

Does your ssh client process actually "get" to the VMG1312-B10A? Perhaps try with maximum verbosity . . .

Either ssh -vvv admin@<address> or ssh -vvv supervisor@<address>, where <address> is the IPv4 address of (or logical mapping to) the VMG1312-B10A.

[Weaver]

It is bound to be the Brick doing something peculiar. Telnet as I mentioned works and so does http, and I am not doing anything TCP port-specific or even IP protocol-aware.

[burakkucat]

Have you got https to the VMG1312-B10A working via the FB2700 or is that also a failure?

[Weaver]

Works, with a load of annoying warnings from Safari which I can just disregard.

[burakkucat]

Works, with a load of annoying warnings from Safari which I can just disregard.

Certificate warnings; self-signed certificate warning and the like, I suspect. As https is getting through, I would expect that you should be able to do the same with ssh.

Puzzling.

[Weaver]

I’ve just remembered that the SSH client (Prompt2 app) prompts me with an identity warning 'the identity of <x> cannot be established blah blah', so it sounds like it is getting through. Then the client just quits, as if the thing had disconnected. The modem is getting told a lie in the src-ip when the SSH connection comes in, because the brick has to give the modem a src-ip that the modem can cope with and reply to, having no default gateway.

[burakkucat]

Not knowing the ssh client that you are using, I can only suggest you turn on maximum debugging verbosity in a hope that something useful may be gleaned.

[Weaver]

I wonder if it would be possible to go to a two cable setup, then I could perhaps give up on NAT, which after all is evil.

If I could assign an IP address that is in the main LAN to the modem then all hosts would be able to talk to it without NAT. That would fix SSH, but wouldn't fix other problems like NTP not working.

I would like to get SSH going because I have a library routine in the Apple WorkFlow language which lets me do (effectively) RPC using SSH.