For overview of public-key authentication read signature authentication.
Install OpenSSH for *nix, PuTTY for Windows. See the links at the end of this document.
If you don't have one yet, create it using
ssh-keygen. If you use Windows, use
For low security (fast verification), just use 2048-bits key.
If you are concerned about the security, use 4096-bits instead. Since accessing to router via SSH hasn't been hackers' interest, 5120-bits key is high enough for security.
ssh-keygen -b 4096 # or ssh-keygen -b 5120
Add the public key of your computer to the
authorized_keys file on OpenWrt
On your PC:
ssh email@example.com "tee -a /etc/dropbear/authorized_keys" < ~/.ssh/id_rsa.pubKey is appended to the
/etc/dropbear/authorized_keysfile on your OpenWRT device.
If you did everything right, you can now login using your key. It will not ask you for a password.
$ ssh firstname.lastname@example.org
putty.exe and do the following:
openwrt.lanor from the WAN my-router.dyndns.org (your registered dynamic DNS name). If you change the port for Dropbear, then also adopt the "Port" statement here. The protocol ("connection type") is always "SSH".
OpenWrt-Private-Key.ppkfile you created before). Best is to click "Browse…" and select the file via the file dialog.
OpenWrt-Sessionin Saved Sessions and click the Save button
80and the destination
localhost:80; don't forget to "Add" it. This will allow you to access the router's WebIF in your browser via
localhost:80. Note that the destination is always resolved on the other side of the tunnel.
TIP: To make a PuTTY shortcut with an automatically login, create one and append the saved session with an
sign, for example call PuTTY with:
C:\> putty.exe @OpenWrt-Session
For more security you can disable Dropbear's password login.
root@OpenWrt:~# uci set dropbear.@dropbear.PasswordAuth=off root@OpenWrt:~# uci set dropbear.@dropbear.RootPasswordAuth=off root@OpenWrt:~# uci commit dropbear
See also Dropbear configuration article.
Make sure the
/etc/dropbear directory is
chmoded 0700 and the
/etc/dropbear/authorized_keys file 0600.
root@OpenWrt:~# ls -dl /etc/dropbear/ /etc/dropbear/authorized_keys drwx------ 1 root root 0 Feb 28 00:00 /etc/dropbear/ -rw------- 1 root root 626 Feb 28 00:00 /etc/dropbear/authorized_keys
If mode is not the same for you, do
chmod 0700 /etc/dropbear chmod 0600 /etc/dropbear/authorized_keys
If you think everything is OK but it still does not accept your key, check that you didn't say
ssh-dsa when manually converting a multi line SSH2 key file.