Create a public/private key pair and copy the public key (only the public key ever leaves your machine) to OpenWrt. We show you how to create the key on Linux and on Windows.
If you do not already have a .ssh/id_dsa.pub file on your Linux system (not on OpenWrt), open a shell and type:

ssh-keygen -t dsa

Note: DSA keys are obsolete. Current OpenSSH versions refuse ssh-dss keys by default, and Dropbear 2020.79 and later accept Ed25519 keys, so on a recent system use ssh-keygen -t ed25519 (or -t rsa -b 4096) and read id_ed25519.pub or id_rsa.pub wherever id_dsa.pub appears below. In every case the private key stays where ssh-keygen wrote it; only the .pub file is copied anywhere.
Next copy the public key to OpenWrt with SCP (192.168.1.1 is the router's LAN address, as in the Windows example; the login examples further down reach the same router by its host name ap1):

scp ~/.ssh/id_dsa.pub root@192.168.1.1:/tmp

OpenSSH 9.0 and later use the SFTP protocol for scp by default, which Dropbear does not speak unless an SFTP server is installed; if the copy fails with a "subsystem request failed" error, add -O to force the old scp protocol.
You can also copy and paste the public key into OpenWrt after making a normal password-based SSH connection to it, since the public key is plain text.

On Windows, generate the key pair with PuTTYgen and save the private key as a .ppk file (the OpenWrt-Private-Key.ppk file used in the PuTTY section below); the public key to copy is the text PuTTYgen shows under "Public key for pasting into OpenSSH authorized_keys file". A public key looks like this (it is all one line, without line breaks):

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAmihVmFR3GH8V0BmN0uexjxmCMenVrYUQ8OKYUntz7knmxE1Wzxy1ZF6unK36GXJAxEekK1WdSXXEEB50FLcVgbfQRoTo3RBVEP2acXyvTM5R3n5GRhXltEUVlkK5vL98f2xpQK5cqmu9+jFz/z/BdXycORb5cO6m28TDLRD+9Fk= rsa-key-20050927
Next copy the public key to OpenWrt with pscp.exe. Open a CMD console, write the key text to a file, then upload it. pscp prompts for root's password; do not pass it on the command line with -pw, where it would end up in the console history:

C:\> echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAmihVmFR3GH8V0BmN0uexjxmCMenVrYUQ8OKYUntz7knmxE1Wzxy1ZF6unK36GXJAxEekK1WdSXXEEB50FLcVgbfQRoTo3RBVEP2acXyvTM5R3n5GRhXltEUVlkK5vL98f2xpQK5cqmu9+jFz/z/BdXycORb5cO6m28TDLRD+9Fk= rsa-key-20050927 > OpenWrt-Public-Key.txt
C:\> pscp.exe -scp -l root OpenWrt-Public-Key.txt 192.168.1.1:/tmp/id_rsa.pub
You can also copy and paste the public key into OpenWrt after making a normal password-based SSH connection to it.
Add the public key to the authorized_keys file on OpenWrt by doing the following:

cd /etc/dropbear
cat /tmp/id_*.pub >> authorized_keys
chmod 0600 authorized_keys

You can repeat this step with every new public key; each key is appended to authorized_keys as one more line. Make sure the file you append ends with a newline, otherwise the next key is glued onto the end of the previous line and neither of them will work.
If you did everything right, you can now log in using your key. It will not ask you for a password:

user@host:~$ ssh root@ap1
If you want some debug messages from OpenSSH, run ssh with the -vv option (the debug lines, which ssh writes to stderr, are left out of this transcript):

user@host:~$ ssh -vv root@ap1
BusyBox v1.00 (2006.03.27-00:00+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 WHITE RUSSIAN (RC5) -------------------------------
  * 2 oz Vodka   Mix the Vodka and Kahlua together
  * 1 oz Kahlua  over ice, then float the cream or
  * 1/2oz cream  milk on the top.
 ---------------------------------------------------
root@ap1:~#
Connection to ap1 closed.
user@host:~$
On Windows, start putty.exe and do the following:

In "Host Name" enter the router's DNS name or IP address, e.g. 192.168.1.1 (your router's LAN address) for access from the LAN, or my-router.dyndns.org (your registered dynamic DNS name) for access from the WAN. If you changed Dropbear's port, adjust the "Port" field accordingly. The "Connection type" is always "SSH".
In the "Login details" box enter root as the "Auto-login username".
In the "Authentication parameters" box, under "Private key file for authentication", enter the path to the private key file for this connection (e.g. the OpenWrt-Private-Key.ppk file you created before). Best is to click "Browse…" and select the file via the file dialog.
To load, save or delete a stored session: enter OpenWrt-Session under "Saved Sessions" and click the "Save" button.
TIP: To make a PuTTY shortcut that logs in automatically, create one and pass the saved session name prefixed with an @ sign, for example call PuTTY with:

C:\> putty.exe @OpenWrt-Session
The only difference between OpenSSH/PuTTY and this client is that the key pair it generates has a ---- BEGIN SSH2 PUBLIC KEY ---- / ---- END SSH2 PUBLIC KEY ---- header and footer, and your Comment with the date is added on a line of its own (the RFC 4716 format); Dropbear expects the OpenSSH one-line format. So first generate the key: open the SSH client and, from the menu, select Edit→Settings→Global Settings→User Authentication→Keys. Then edit the exported public key: remove the ---- BEGIN ... ----, ---- END ... ---- and Comment lines, join what is left into a single line (make sure it really is one line), prepend 'ssh-rsa' or 'ssh-dss' (without quotes, according to your key type) followed by a space, then save and exit. NOTE that the type string for a DSA key (file name id_dsa) is 'ssh-dss'; it is easy to write 'ssh-dsa' instead and really hard to find the typo afterwards. (On a Linux box, ssh-keygen -i -f keyfile.pub performs the same conversion.) Upload the converted key to the router as /tmp/.ssh/authorized_keys2, then append it to Dropbear's file and remove the upload:

cat /tmp/.ssh/authorized_keys2 >> /etc/dropbear/authorized_keys; rm -rf /tmp/.ssh
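The appending step for Linux/Windows keys above and the SSH2-to-OpenSSH conversion just described are the two places where a key silently ends up unusable (wrong type string, base64 still on several lines, two keys glued onto one line, wrong file mode). The POSIX shell script below is an added worked example, not code from the OpenWrt wiki or from Dropbear: it takes a public key in either OpenSSH one-line or RFC 4716 form, reduces it to one OpenSSH line, checks that the type you claim (ssh-rsa, ssh-dss or ssh-ed25519) is the type actually embedded in the key blob (which catches the ssh-dsa typo), appends it to authorized_keys only once, and sets the 0700/0600 modes. It assumes awk, od, base64 and stat -c (GNU coreutils or BusyBox). The function names, the key-directory argument and the sample RFC 4716 file are mine; the sample file is constructed around the example key shown on this page, wrapped the way that client writes it.

```sh
#!/bin/sh
# Example added to this page, not the wiki's or Dropbear's own code.
# Normalise a public key (OpenSSH one-line or RFC 4716 "SSH2" format) and install it
# into a Dropbear authorized_keys file. Assumes awk, od, base64 and GNU/BusyBox stat.
set -u

# blob_type BASE64: print the key type embedded in the blob. Every SSH public key
# blob starts with a 4-byte big-endian length followed by the type name, so the
# type the user claims can be checked instead of trusted.
blob_type() {
    printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tu1 | tr -s ' \n' ' ' |
    awk '{ len = $1 * 16777216 + $2 * 65536 + $3 * 256 + $4; s = ""
           for (i = 5; i < 5 + len && i <= NF; i++) s = s sprintf("%c", $i + 0)
           print s }'
}

# to_openssh_line FILE TYPE: print FILE's key as one "TYPE BASE64 COMMENT" line.
to_openssh_line() {
    file=$1; ktype=$2
    case $ktype in
        ssh-rsa|ssh-dss|ssh-ed25519) ;;
        *) echo "to_openssh_line: unknown key type '$ktype' (a DSA key is 'ssh-dss', not 'ssh-dsa')" >&2
           return 1 ;;
    esac
    if grep -q '^---- BEGIN SSH2 PUBLIC KEY ----' "$file"; then
        # RFC 4716: drop the BEGIN/END lines and "Name: value" header lines, join the rest.
        # (Header continuation lines ending in a backslash are not handled.)
        comment=$(sed -n 's/^Comment: *//p' "$file" | head -n 1 | tr -d '"')
        body=$(sed -e '/^----/d' -e '/^[A-Za-z0-9-]*: /d' "$file" | tr -d ' \r\n')
    else
        # OpenSSH format: "TYPE BASE64 [COMMENT...]" on one line.
        set -- $(tr -d '\r\n' < "$file")
        [ $# -ge 2 ] || { echo "to_openssh_line: $file does not look like a public key" >&2; return 1; }
        [ "$1" = "$ktype" ] || { echo "to_openssh_line: file says '$1', you said '$ktype'" >&2; return 1; }
        body=$2; shift 2; comment=$*
    fi
    printf '%s' "$body" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' ||
        { echo "to_openssh_line: key body is not base64 (still on more than one line?)" >&2; return 1; }
    found=$(blob_type "$body")
    [ "$found" = "$ktype" ] ||
        { echo "to_openssh_line: key blob is '$found', you said '$ktype'" >&2; return 1; }
    printf '%s %s%s\n' "$ktype" "$body" "${comment:+ $comment}"
}

# install_key FILE TYPE KEYDIR: append the normalised key to KEYDIR/authorized_keys,
# skipping it if the same type+blob is already there (a re-export with a different
# comment still counts as present), and fix the permissions Dropbear insists on.
install_key() {
    line=$(to_openssh_line "$1" "$2") || return 1
    dir=$3; keys=$dir/authorized_keys
    mkdir -p "$dir"; touch "$keys"
    # A file that does not end in a newline would glue the new key onto the old one.
    if [ -s "$keys" ] && [ -n "$(tail -c 1 "$keys")" ]; then echo >> "$keys"; fi
    blob=$(printf '%s\n' "$line" | awk '{ print $1, $2 }')
    if ! awk '{ print $1, $2 }' "$keys" | grep -Fxq -- "$blob"; then
        printf '%s\n' "$line" >> "$keys"
    fi
    chmod 0700 "$dir" && chmod 0600 "$keys"
}

# check_perms KEYDIR: return non-zero if the directory is not 0700 or the key file not 0600.
# Dropbear rejects a key file others can write to, and logs why only on the router (logread).
check_perms() {
    dir=$1; ok=0
    if [ "$(stat -c %a "$dir")" != 700 ]; then echo "check_perms: $dir must be 0700" >&2; ok=1; fi
    if [ "$(stat -c %a "$dir/authorized_keys")" != 600 ]; then
        echo "check_perms: $dir/authorized_keys must be 0600" >&2; ok=1
    fi
    return $ok
}

# write_sample_rfc4716 FILE: a constructed RFC 4716 export of the example key shown on
# this page, wrapped at 72 columns the way the SSH2 client writes it.
write_sample_rfc4716() {
    cat > "$1" <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20050927"
AAAAB3NzaC1yc2EAAAABJQAAAIEAmihVmFR3GH8V0BmN0uexjxmCMenVrYUQ8OKYUntz7knm
xE1Wzxy1ZF6unK36GXJAxEekK1WdSXXEEB50FLcVgbfQRoTo3RBVEP2acXyvTM5R3n5GRhXl
tEUVlkK5vL98f2xpQK5cqmu9+jFz/z/BdXycORb5cO6m28TDLRD+9Fk=
---- END SSH2 PUBLIC KEY ----
EOF
}

if [ $# -ge 2 ]; then
    # Real use: install_key.sh KEYFILE TYPE [KEYDIR]   (KEYDIR defaults to /etc/dropbear)
    install_key "$1" "$2" "${3:-/etc/dropbear}" && check_perms "${3:-/etc/dropbear}"
else
    # No arguments: dry run against a scratch directory with the sample key.
    work=$(mktemp -d)
    write_sample_rfc4716 "$work/id_rsa.pub"
    install_key "$work/id_rsa.pub" ssh-rsa "$work/dropbear"
    check_perms "$work/dropbear"
    cat "$work/dropbear/authorized_keys"
    rm -r "$work"
fi
```

Run it without arguments to see the sample key converted into one line in a scratch directory; on the router, run it as install_key.sh /tmp/id_rsa.pub ssh-rsa to install into /etc/dropbear. The type check is the important part: a key whose blob says ssh-rsa but which you labelled ssh-dss (or the non-existent ssh-dsa) is refused here instead of being silently ignored by Dropbear at login.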
There is also a HowTo for accessing Dropbear with WinSCP.
For more security you can disable Dropbear's password login. This is done by adding the -s parameter to Dropbear: modify the last line in /etc/init.d/S50dropbear so that it looks like:

/usr/sbin/dropbear -s

Before you do this, confirm from a second terminal that the key login works. Once -s is in effect, a lost or mistyped key leaves you locked out unless you have serial console access, failsafe mode, or a second instance as described below. Now it is time to reboot.
If everything works as expected you may delete the /etc/init.d/S50telnet script, so that the already disabled telnetd daemon is not started any more. The next reboot will free some CPU resources for you.
If you are worried that you might lose your private key (and thereby lock yourself out of your router if you used Dropbear's -s switch), one way to provide a failsafe is to run another instance of Dropbear on a different port, without the -s switch. For example, you could leave the last line of /etc/init.d/S50dropbear the way it is (i.e. without the -s switch) and add another line which starts a second instance of Dropbear:

# failsafe for local access - port 22, pw auth allowed
/usr/sbin/dropbear
# secure for remote access - port 50022, pw auth not allowed
/usr/sbin/dropbear -s -p 50022

In this example the first instance is your failsafe: it runs on port 22 and allows password login. The second instance runs on port 50022 (the port number is arbitrary; you can choose another free port if you so desire) and does NOT allow password login. If your router is internet-facing, open only port 50022 in your firewall; if your router is behind another internet-facing router, forward only port 50022. In other words, use port 22 for local access only. The failsafe instance is only as safe as your LAN and your root password, so keep that password strong.
The downside of this second-instance strategy is that it takes up slightly more memory. In the future it would be nice if webif allowed you to enable and disable password logins; for now, the second-instance strategy works.
Follow the same guidelines as above, but adjust the settings with UCI:

root@OpenWrt:~# uci set dropbear.@dropbear[0].PasswordAuth=off
root@OpenWrt:~# uci commit dropbear

Here @dropbear[0] is the first config dropbear section in /etc/config/dropbear; every further config dropbear section starts another Dropbear instance, so the failsafe setup above can be expressed in UCI by keeping PasswordAuth on only in a section that has option Interface 'lan'. The related RootPasswordAuth option disables password login for root alone. The change takes effect when Dropbear is restarted (/etc/init.d/dropbear restart).
For the new UCI firewall, run this to open port 22 from the WAN (use 50022, or whatever port your key-only instance listens on, instead of 22 if you run the two-instance setup):

root@OpenWrt:~# uci add firewall rule
root@OpenWrt:~# uci set firewall.@rule[-1]._name=SSH
root@OpenWrt:~# uci set firewall.@rule[-1].src=wan
root@OpenWrt:~# uci set firewall.@rule[-1].target=ACCEPT
root@OpenWrt:~# uci set firewall.@rule[-1].proto=tcp
root@OpenWrt:~# uci set firewall.@rule[-1].dest_port=22
root@OpenWrt:~# uci commit firewall
root@OpenWrt:~# /etc/init.d/firewall restart
Attention! Make sure Dropbear is configured for maximum security before you expose it to the WAN. With password logins enabled you are open to brute-force attacks, so disable password logins and use public key authentication instead (see above).
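Rather than trusting memory about which instance still accepts passwords, check the configuration file before opening the firewall. The POSIX shell script below is an added example, not code from the OpenWrt wiki or project: it reads a UCI /etc/config/dropbear (or a copy of it), treats every config dropbear section as one instance, as the init script does, and reports each instance's port, bound interface and whether root can still log in with a password; it exits non-zero when an instance that is not bound to the LAN interface allows password login, which is exactly the two-instance mistake the text warns about. The function names, the trusted-interface argument (default lan) and the two sample config files are mine; the option names and their defaults are those of the dropbear UCI options.

```sh
#!/bin/sh
# Example added to this page, not the wiki's or OpenWrt's own code.
# Audit /etc/config/dropbear before opening SSH to the WAN: one "config dropbear"
# section starts one Dropbear instance; report every instance and fail if an instance
# that is not bound to the trusted (LAN) interface still lets root log in with a password.
# Defaults mirror the dropbear UCI options: PasswordAuth, RootPasswordAuth and enable
# default to on, Port to 22, and an unset Interface means "listen on every address".
set -u

AUDIT_AWK=$(cat <<'EOF'
function is_on(v) { return !(v == "off" || v == "0" || v == "false" || v == "no" || v == "disabled") }
function flush(   pw, exposed, verdict) {
    if (!insec) return
    if (!is_on(enabled)) { printf "instance %d: port=%s disabled, not started\n", n, port; return }
    pw = is_on(pwauth) && is_on(rootpw)        # root can still log in with a password
    exposed = (iface != trusted)                # not bound to the trusted address only
    verdict = (pw && exposed) ? ("UNSAFE: password login reachable from outside " trusted) : "ok"
    if (pw && exposed) bad++
    printf "instance %d: port=%s interface=%s root_password_login=%s %s\n", n, port, (iface == "" ? "any" : iface), (pw ? "yes" : "no"), verdict
}
/^config[ \t]+dropbear/ { flush(); insec = 1; n++; port = "22"; iface = ""; pwauth = "on"; rootpw = "on"; enabled = "1"; next }
/^config[ \t]/          { flush(); insec = 0; next }
insec && /^[ \t]*option[ \t]/ {
    key = $2; val = $3; gsub(/^['"]|['"]$/, "", val)   # values containing spaces are not expected here
    if      (key == "Port")             port = val
    else if (key == "Interface")        iface = val
    else if (key == "PasswordAuth")     pwauth = val
    else if (key == "RootPasswordAuth") rootpw = val
    else if (key == "enable")           enabled = val
}
END { flush(); exit (bad > 0) }
EOF
)

# audit_dropbear_config FILE [TRUSTED_IFACE]: one line per instance; returns 1 if any is UNSAFE.
audit_dropbear_config() {
    awk -v trusted="${2:-lan}" "$AUDIT_AWK" "$1"
}

# write_sample_config FILE MODE: a constructed /etc/config/dropbear with the two-instance
# layout from the text. MODE "unsafe" forgets to turn passwords off on the WAN instance.
write_sample_config() {
    wanpw=off
    if [ "${2:-safe}" = unsafe ]; then wanpw=on; fi
    cat > "$1" <<EOF
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'
    option Interface 'lan'

config dropbear
    option PasswordAuth '$wanpw'
    option Port '50022'
EOF
}

if [ $# -ge 1 ]; then
    # Real use: audit_dropbear.sh /etc/config/dropbear [trusted-interface]
    audit_dropbear_config "$1" "${2:-lan}"
else
    # No arguments: show the verdict on the two constructed sample files.
    work=$(mktemp -d)
    write_sample_config "$work/safe" safe
    write_sample_config "$work/unsafe" unsafe
    echo "== two-instance setup with passwords only on the LAN instance"
    audit_dropbear_config "$work/safe"
    echo "== same, but PasswordAuth was left on for the WAN instance"
    audit_dropbear_config "$work/unsafe" || echo "audit failed as it should: fix this before opening the firewall"
    rm -r "$work"
fi
```

On the router, audit_dropbear.sh /etc/config/dropbear prints one line per instance and exits 1 if the WAN-reachable one still accepts passwords; only when it exits 0 does it make sense to add the firewall rule. An instance bound to the LAN interface counts as safe even with passwords on, which matches the failsafe idea above but assumes your firewall does not forward the LAN instance's port from outside.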
To make it available you have to activate some rules in the file /etc/firewall.user. There are already some simple predefined rules in it for SSH (White Russian 0.9), which you can just uncomment:

iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
iptables -A input_wan -p tcp --dport 22 -j ACCEPT
If you want to block brute-force attacks, have a look at this forum thread. It is based on the information in the IPTables and ThrottleConnectionsHowTo documents. It also gives an example of how to reach SSH via a non-standard port (e.g. 443, for restrictive firewalls) while Dropbear still runs on the standard port 22.
Make sure the /etc/dropbear directory is chmoded 0700 and the authorized_keys file 0600, both owned by root:

root@OpenWrt:~# ls -l /etc/ | grep dropbear
drwx------    1 root     root            0 Feb 28 15:26 dropbear
root@OpenWrt:~# ls -l /etc/dropbear/ | grep authorized
-rw-------    1 root     root          626 Feb 28 15:31 authorized_keys
If you see anything different from the above, run these commands:

chmod 0700 /etc/dropbear
chmod 0600 /etc/dropbear/authorized_keys

Dropbear refuses to use an authorized_keys file (or a /etc/dropbear directory) that is writable by group or others or not owned by root. The reason is logged on the router (logread), not shown to the client, which just falls back to asking for a password.
If you think everything is OK but it still does not accept your key, check that you did not write 'ssh-dsa' when manually converting a multi-line SSH2 key file.
The free OpenSSH client and server
PuTTY is a free implementation of Telnet and SSH for Win32
PuTTY with hardware token support