For overview of public-key authentication read signature authentication.
Install OpenSSH for *nix, PuTTY for Windows. See the links at the end of this document.
If you don't have one yet, create it using
ssh-keygen. If you use Windows, use
Do not use
ssh-copy-id, Dropbear doesn't read keys from
On Linux, do
scp ~/.ssh/id_rsa.pub root@openwrt:/tmp
On Windows use
Add the public key to the
authorized_keys file on OpenWrt:
cd /etc/dropbear cat /tmp/id_*.pub >> authorized_keys chmod 0600 authorized_keys
You can repeat this step with every new public key. Each key is appended to the
If you did everything right, you can now login using your key. It will not ask you for a password.
$ ssh root@openwrt
putty.exe and do the following:
- Session: In "Host Name" enter the router's DNS name or IP address, e.g. for access from the LAN enter
openwrt.lanor from the WAN my-router.dyndns.org (your registered dynamic DNS name). If you change the port for Dropbear, then also adopt the "Port" statement here. The protocol ("connection type") is always "SSH".
- Connection → Data: In the box "Login details" enter the "Auto-login username" which is
- Connection → SSH → Auth: In the box "Authentication Parameters" under "Private key file for Authentication" state the path to your private key file for this connection (e.g. the
OpenWrt-Private-Key.ppkfile you created before). Best is to click "Browse…" and select the file via the file dialog.
- Session: Load- save or delete a stored session, enter
OpenWrt-Sessionin Saved Sessions and click the Save button
- (optional) Connection → SSH → Tunnels: Here you can define tunnels, which offer you the possibility to access services on your router and LAN with exposing them to the internet. The connection will be done through your SSH connection, hence tunnel. Example to access the router's WebIF: Define a "Local" tunnel with the source port
80and the destination
localhost:80; don't forget to "Add" it. This will allow you to access the router's WebIF in your browser via
localhost:80. Note that the destination is always resolved on the other side of the tunnel.
TIP: To make a PuTTY shortcut with an automatically login, create one and append the saved session with an
sign, for example call PuTTY with:
C:\> putty.exe @OpenWrt-Session
For more security you can disable Dropbear's password login.
root@OpenWrt:~# uci set dropbear.@dropbear.PasswordAuth=off root@OpenWrt:~# uci commit dropbear
See also Dropbear configuration article.
Make sure the
/etc/dropbear directory is
chmoded 0700 and the
/etc/dropbear/authorized_keys file 0600.
root@OpenWrt:~# ls -dl /etc/dropbear/ /etc/dropbear/authorized_keys drwx------ 1 root root 0 Feb 28 00:00 /etc/dropbear/ -rw------- 1 root root 626 Feb 28 00:00 /etc/dropbear/authorized_keys
If mode is not the same for you, do
chmod 0700 /etc/dropbear chmod 0600 /etc/dropbear/authorized_keys
If you think everything is OK but it still does not accept your key, check that you didn't say
ssh-dsa when manually converting a multi line SSH2 key file.
inbox/howto/dropbear.public-key.auth.txt · Last modified: 2013/01/30 16:40 by slickkitten