Monday, February 20, 2012

Remote CLI access to Ubuntu Linux PC using web browser through authenticated HTTPS

Let's say you need to access your Ubuntu Linux PC at home from another PC behind a very restrictive firewall. Let's also say that all you have access to is port 80 (http) and port 443 (https). Let's unlock this situation. I'll show you how to set up Shell In A Box with an additional layer of security using Apache2 SSL. The prerequisite for the following guide is that you have a fully working Apache 2 installation on your Ubuntu system. If you need instructions for this, you can find them in one of my older posts:

Ubuntu Netbeans and LAMP server with Xdebug as non-root user

In this post I'll mostly give you CLI commands without too much explanation, so it is up to you to go through the procedure and adjust it according to your own setup. The reason for this approach is that the procedure is a bit long and a full explanation of all of it could run to 10 pages. Of course I'll give a basic explanation for the most important commands. So let's get down to business…

Basic HTTPS Shell In A Box

First we download and install Shell In A Box. For the 32-bit architecture do this:


For the 64-bit architecture do this:


Next thing is to install Shell In A Box:

sudo dpkg -i shellinabox*.deb

Now we need to add a few options to Shell In A Box .conf file:

sudo gedit /etc/default/shellinabox

You need to replace line:


with line:

SHELLINABOX_ARGS="--no-beep --localhost-only --disable-ssl"

Let's enable the necessary Apache2 modules:

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod ssl

Now we need to copy default Apache 2 SSL virtual host and modify it for our purpose:

sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/default-ssl-shellinabox
sudo gedit /etc/apache2/sites-available/default-ssl-shellinabox

We need to add the following inside the <VirtualHost> tags:

<Location /shell>
ProxyPass http://localhost:4200/
Order allow,deny
Allow from all
</Location>

Now we enable our new site and restart Shell In A Box and Apache2 services:

sudo a2ensite default-ssl-shellinabox
sudo service shellinabox restart
sudo service apache2 restart

Custom self signed SSL certificate

You can already access your Ubuntu Linux PC shell at https://localhost/shell. If you also need an additional layer of security using HTTP authentication besides your account's user name and password, read on. Ubuntu comes with a "default" SSL certificate, so your https page is working, but the safe bet is to create a custom self-signed SSL certificate. This process will require a password (make up something complex) that you'll need to remember or write down. When the process asks you for things like country, name etc., feel free to leave them blank; I do. If you set the "Common Name" field to a specific host name, the certificate could only be used on that host name, so the best way is to leave everything blank for our "hobby" purpose.

openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
openssl rsa -in server.key -out server.key.insecure
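mv server.key server.key.secure   # keeps the passphrase-protected key; the backup name is assumed, the original destination is missing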
mv server.key.insecure server.key
sudo mkdir /etc/apache2/ssl
sudo cp server.crt /etc/apache2/ssl
sudo cp server.key /etc/apache2/ssl/

Now we will adjust our Apache2 virtual host and point it to the SSL certificate we have just created:

sudo gedit /etc/apache2/sites-enabled/default-ssl-shellinabox

Adjust "SSLCertificateFile" and "SSLCertificateKeyFile" lines to the following:

SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

If you don't plan to do HTTP authentication you should restart Apache2, else you can proceed.

sudo service apache2 restart

HTTP authentication

So now our site is using our custom SSL certificate. The next thing is to set up HTTP authentication. The intention is to use an additional password besides your account's password to access your PC (you can never be too safe). Here are the commands to make this happen (replace <> with your additional user name; it doesn't need to be the same as your account's user name):

sudo htpasswd -c /etc/apache2/.htpasswd <>

We need to modify the Apache2 mod proxy .conf file with our additional user name and password. Make sure to replace <> with your username and <> with your password (make up something complex).

sudo gedit /etc/apache2/mods-available/proxy.conf

We need to modify it like this:

ProxyRequests Off

# The authentication directives are only valid inside a container section
<Proxy *>
AddDefaultCharset off
AuthUserFile /etc/apache2/.htpasswd
AuthName EnterPassword
AuthType Basic
require user ##USERNAME##
Order allow,deny
Allow from all
</Proxy>

Now we restart Apache2:

sudo service apache2 restart
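
A quick way to check the result of the steps above, as an added example that is not part of the original post: a small audit function for the three files this guide touches. The function name audit_shellinabox is hypothetical and the file paths are passed as arguments; the key-permission check is an addition, motivated by the passphrase having been removed from server.key.

```sh
#!/bin/sh
# Added example: audit the files this guide edits. All paths are arguments,
# so it can be tried on copies. Return status = number of findings.
audit_shellinabox() {
    defaults=$1; proxyconf=$2; keyfile=$3; findings=0

    # With --disable-ssl the daemon speaks plain HTTP on port 4200, so it
    # must be bound to loopback and reached only through the Apache proxy.
    args=$(sed -n 's/^[[:space:]]*SHELLINABOX_ARGS=//p' "$defaults" | tail -n 1)
    case $args in
        *--disable-ssl*)
            case $args in
                *--localhost-only*) ;;
                *) echo "FINDING: --disable-ssl without --localhost-only"
                   findings=$((findings + 1)) ;;
            esac ;;
    esac

    # The proxy section needs all three directives, uncommented, for the
    # extra HTTP password to be enforced.
    for d in AuthType AuthUserFile Require; do
        if ! grep -Eiq "^[[:space:]]*${d}[[:space:]]" "$proxyconf"; then
            echo "FINDING: $proxyconf has no active $d directive"
            findings=$((findings + 1))
        fi
    done

    # server.key has had its passphrase removed; file mode is its only guard.
    perms=$(ls -ln "$keyfile" | cut -c5-10)   # group+other permission bits
    if [ "$perms" != "------" ]; then
        echo "FINDING: $keyfile is accessible to group/other ($perms)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo on constructed sample files (not taken from a real system).
demo=$(mktemp -d)
echo 'SHELLINABOX_ARGS="--no-beep --disable-ssl"' > "$demo/shellinabox"
printf 'AuthType Basic\n#AuthUserFile /etc/apache2/.htpasswd\n' > "$demo/proxy.conf"
: > "$demo/server.key"; chmod 644 "$demo/server.key"
audit_shellinabox "$demo/shellinabox" "$demo/proxy.conf" "$demo/server.key" \
    || echo "findings: $?"
rm -rf "$demo"
```

On the real system the arguments would be /etc/default/shellinabox, /etc/apache2/mods-available/proxy.conf and /etc/apache2/ssl/server.key.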

That's it. Now you go to https://localhost/shell, enter the HTTP user name and password, then your Ubuntu Linux user name and password, and do whatever you want to do on your PC remotely. In addition to this, if you connect using ADSL or wireless broadband, it is useful to set up something like DynDns so you can access your PC using a user-friendly domain name.

This post is a bit long, so there's a lot of room for mistakes on my part and yours. So please, if something doesn't work, comment here so I can correct any mistakes. Cheers!
