inbox:howto:dropbear.public-key.auth [2013/01/30 16:20]
====== Dropbear public-key authentication HowTo ======

For an overview of public-key authentication read [[doc:techref:signature.authentication|signature authentication]].

===== Preparation =====

==== Install SSH and SCP clients ====

Install OpenSSH for *nix, PuTTY for Windows. See the links at the end of this document.

==== Generate the key pair ====

If you don't have one yet, create it using ''ssh-keygen''. If you use Windows, use ''puttygen.exe''.

==== Copy the public key to OpenWrt ====

Do not use ''ssh-copy-id'', Dropbear doesn't read keys from ''~/.ssh''.

On Linux, do <code>scp ~/.ssh/id_rsa.pub root@openwrt:/tmp</code>

On Windows use ''pscp.exe''.

==== Create authorized_keys ====

Add the public key to the ''authorized_keys'' file on OpenWrt:

<code>
cd /etc/dropbear
cat /tmp/id_*.pub >> authorized_keys
chmod 0600 authorized_keys
</code>

You can repeat this step with every new public key. Each key is appended to the ''/etc/dropbear/authorized_keys'' file.
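An added example, not from the original page: a small POSIX shell helper that performs this step with the checks the step implies (the file is one line, the key type is one Dropbear knows, the key is not already present, and the directory and file end up 0700/0600). ''DROPBEAR_DIR'' is an assumed override for testing; the demo key blob is constructed and not a real key.

```shell
#!/bin/sh
# Added example (not from the original page): append one OpenSSH-format
# public key to Dropbear's authorized_keys with the checks this step implies.
# DROPBEAR_DIR defaults to /etc/dropbear; the demo below uses a temp dir.
DROPBEAR_DIR="${DROPBEAR_DIR:-/etc/dropbear}"

# Succeed if "$1" is one OpenSSH public-key line: known type, a space,
# a base64 blob and an optional comment. Multi-line SSH2 keys fail here.
valid_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq '^(ssh-rsa|ssh-dss|ssh-ed25519) [A-Za-z0-9+/]+=*( .*)?$'
}

# Append the key in file "$1" unless the same type+blob is already present.
# Prints added, duplicate or invalid; returns non-zero only for invalid.
add_dropbear_key() {
    keyfile="$1"; authz="$DROPBEAR_DIR/authorized_keys"
    [ "$(wc -l < "$keyfile")" -le 1 ] || { echo invalid; return 1; }
    line="$(head -n 1 "$keyfile")"
    valid_pubkey_line "$line" || { echo invalid; return 1; }
    # Compare type and blob only, so a changed comment is still a duplicate.
    typeblob="$(printf '%s\n' "$line" | cut -d' ' -f1,2)"
    mkdir -p "$DROPBEAR_DIR"; touch "$authz"
    if cut -d' ' -f1,2 "$authz" | grep -Fxq "$typeblob"; then
        echo duplicate; return 0
    fi
    printf '%s\n' "$line" >> "$authz"
    # Dropbear ignores the file if it or its directory is group/other
    # writable; 0700/0600 as in the HowTo satisfy that.
    chmod 0700 "$DROPBEAR_DIR"; chmod 0600 "$authz"
    echo added
}

# Constructed demo (the blob is not a real key): add the same key twice.
demo_add_key() (
    DROPBEAR_DIR="$(mktemp -d)/dropbear"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0ZGVtbw== demo@example\n' > "$DROPBEAR_DIR.pub"
    add_dropbear_key "$DROPBEAR_DIR.pub"   # added
    add_dropbear_key "$DROPBEAR_DIR.pub"   # duplicate
)
```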
===== Connecting to OpenWrt with Public Key =====
If you did everything right, you can now log in using your key. It will not ask you for a password.

==== Using the OpenSSH client ====
<code>
$ ssh root@openwrt
</code>

==== Using PuTTY on Windows ====

Start ''putty.exe'' and do the following:

  * Session: In "Host Name" enter the router's DNS name or IP address, e.g. for access from the LAN enter ''openwrt.lan'' or from the WAN my-router.dyndns.org (your registered dynamic DNS name). If you changed the port for Dropbear, then also adapt the "Port" field here. The protocol ("connection type") is always "SSH".
  * Connection → Data: In the box "Login details" enter the "Auto-login username", which is ''root''.
  * Connection → SSH → Auth: In the box "Authentication Parameters" under "Private key file for Authentication" state the path to your private key file for this connection (e.g. the ''OpenWrt-Private-Key.ppk'' file you created before). Best is to click "Browse..." and select the file via the file dialog.
  * Session: Load, save or delete a stored session: enter ''OpenWrt-Session'' under Saved Sessions and click the Save button.
  * (optional) Connection → SSH → Tunnels: Here you can define tunnels, which give you the possibility to access services on your router and LAN without exposing them to the internet. The connection is made through your SSH connection, hence "tunnel". Example to access the router's WebIF: define a "Local" tunnel with the source port ''80'' and the destination ''localhost:80''; don't forget to "Add" it. This will allow you to access the router's WebIF in your browser via ''localhost:80''. Note that the destination is always resolved on the other side of the tunnel.
**TIP:** To make a PuTTY shortcut with automatic login, create one and append the saved session name with an ''@'' sign, for example call PuTTY with:

<code>
C:\> putty.exe @OpenWrt-Session
</code>

==== Using SSH Secure Shell Client on Windows ====
The only difference between OpenSSH/PuTTY and this client is that the generated key pair has ''--Begin'' and ''--End'' lines, and your ''Comment'' with date is also added on a new line. So first generate the key: open SSH Client and from the menu select Edit→Settings→Global Settings→User Authentication→Keys

  * Generate New will create ''id_dsa'' and ''id_dsa.pub''
  * Upload (will not work if sftp is not enabled on WRT) simply creates a new authorized_keys2 (in most cases there is none) with the ''---Begin Key, Comment'', ''public_key'' and ''---End Key'' lines
  * Delete everything else other than the public_key line (''make sure it's one line'') and prepend ''ssh-rsa'' or ''ssh-dss'' (based on your key type), then save & exit. NOTE that it's ''ssh-dss'' for a file named id_dsa; it's easy to make it ''ssh-dsa'' and really hard to find the typo!
  * <code>cat /tmp/.ssh/authorized_keys2 >> /etc/dropbear/authorized_keys; rm -rf /tmp/.ssh</code>
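An added example (not from the original page or the client's own tooling) of the conversion described above, done in POSIX shell: it joins the SSH2 key lines and derives the key type from the blob's fixed base64 prefix instead of typing it by hand, which rules out the ''ssh-dsa'' mistake. On a machine with OpenSSH, ''ssh-keygen -i -f id_dsa.pub'' performs the same conversion. The demo input is constructed and not a real key; the script assumes a single ''Comment:'' header line, as the client writes.

```shell
#!/bin/sh
# Added example (not from the original page): convert a multi-line SSH2
# (RFC 4716) public key, as SSH Secure Shell Client writes it, into the
# one-line OpenSSH form Dropbear reads. The key type is taken from the
# blob itself, so the "ssh-dsa" typo mentioned above cannot occur.

# Every SSH public-key blob starts with its length-prefixed type string,
# so the first base64 characters identify the type.
blob_key_type() {
    case "$1" in
        AAAAB3NzaC1yc2E*)      echo ssh-rsa ;;
        AAAAB3NzaC1kc3M*)      echo ssh-dss ;;
        AAAAC3NzaC1lZDI1NTE5*) echo ssh-ed25519 ;;
        *) return 1 ;;
    esac
}

# Print "<type> <blob> [comment]" for the RFC 4716 file "$1"; return 1 if
# the file holds no recognisable key. Header continuation lines are not
# handled (assumption: one Comment: line, as the client generates).
ssh2_to_openssh() {
    blob=""; comment=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "---- BEGIN SSH2 PUBLIC KEY ----"|"---- END SSH2 PUBLIC KEY ----") ;;
            Comment:*)   # keep the comment text, drop the field name and quotes
                comment="$(printf '%s' "${line#Comment:}" | sed 's/^ *"\{0,1\}//; s/"\{0,1\} *$//')" ;;
            *:*) ;;      # other headers (Subject:, x-command: ...) are dropped
            *) blob="$blob$(printf '%s' "$line" | tr -d ' \r')" ;;
        esac
    done < "$1"
    ktype="$(blob_key_type "$blob")" || return 1
    printf '%s %s%s\n' "$ktype" "$blob" "${comment:+ $comment}"
}

# Constructed demo input (not a real key; only the blob prefix matters here).
demo_ssh2_conversion() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "1024-bit dsa, demo@example"
AAAAB3NzaC1kc3MAAACBAP
Q3lhd25WY29uc3RydWN0ZWQ=
---- END SSH2 PUBLIC KEY ----
EOF
    ssh2_to_openssh "$f"; rm -f "$f"
}
```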
===== Disable password login =====
For more security you can disable Dropbear's password login. Verify in a separate session that key login already works before you commit this change, since a broken key setup would otherwise lock you out of the router.

===== Disable password login (Kamikaze Method) =====
Follow the same guidelines as above, but adjust the setting with UCI:

<code>
root@OpenWrt:~# uci set dropbear.@dropbear[0].PasswordAuth=off
root@OpenWrt:~# uci commit dropbear
</code>


====== Troubleshooting ======
Make sure the ''/etc/dropbear'' directory is ''chmod''ed 0700 and the ''/etc/dropbear/authorized_keys'' file 0600.

<code>
root@OpenWrt:~# ls -l /etc/|grep dropbear
drwx------    1 root    root            0 Feb 28 15:26 dropbear
</code>

<code>
root@OpenWrt:~# ls -l /etc/dropbear/|grep authorized
-rw-------    1 root    root          626 Feb 28 15:31 authorized_keys
</code>

If you see anything different from the above you can try these commands.

<code>
chmod 0700 /etc/dropbear
chmod 0600 /etc/dropbear/authorized_keys
</code>


If you think everything is OK but it still does not accept your key, check that you didn't write ''ssh-dsa'' when manually converting a multi-line SSH2 key file.
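An added example, not from the original page: an audit script for the checks in this section that runs with the busybox tools on the router (''ls'', ''awk''). It takes the directory as an argument (assumed; defaults to ''/etc/dropbear''), prints one line per deviation together with the fix, and returns the number of problems; the demo layout it builds is constructed in a temp directory.

```shell
#!/bin/sh
# Added example, not from the original page: audit the Dropbear key setup
# described here, print one line per problem and return the problem count.
# It checks the 0700/0600 modes and that every key line starts with a type
# Dropbear knows, which catches the "ssh-dsa" typo mentioned above.

# Symbolic mode of "$1" via ls -ld, since busybox on OpenWrt may lack stat(1).
mode_of() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

# Audit directory "$1" (default /etc/dropbear); return the number of problems.
audit_dropbear_keys() {
    dir="${1:-/etc/dropbear}"; authz="$dir/authorized_keys"; problems=0
    [ -d "$dir" ] || { echo "$dir does not exist"; return 1; }
    if [ "$(mode_of "$dir")" != "drwx------" ]; then
        echo "$dir is $(mode_of "$dir"), fix with: chmod 0700 $dir"
        problems=$((problems + 1))
    fi
    [ -f "$authz" ] || { echo "$authz is missing"; return $((problems + 1)); }
    if [ "$(mode_of "$authz")" != "-rw-------" ]; then
        echo "$authz is $(mode_of "$authz"), fix with: chmod 0600 $authz"
        problems=$((problems + 1))
    fi
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ""|"#"*) ;;                                  # never matches a key, harmless
            "ssh-rsa "*|"ssh-dss "*|"ssh-ed25519 "*) ;;  # types Dropbear accepts
            "ssh-dsa "*)
                echo "$authz line $n: 'ssh-dsa' is not a key type, use 'ssh-dss'"
                problems=$((problems + 1)) ;;
            *)  echo "$authz line $n: not a one-line '<type> <base64> [comment]' key"
                problems=$((problems + 1)) ;;
        esac
    done < "$authz"
    return $problems
}

# Constructed demo: a deliberately broken layout in a temp dir, then the fixed one.
demo_audit() {
    d="$(mktemp -d)/dropbear"; mkdir -m 0755 "$d"
    printf 'ssh-dsa AAAAB3NzaC1kc3MAAACB demo\n' > "$d/authorized_keys"
    chmod 0644 "$d/authorized_keys"
    if audit_dropbear_keys "$d"; then echo "problems: 0"; else echo "problems: $?"; fi
    chmod 0700 "$d"; chmod 0600 "$d/authorized_keys"
    printf 'ssh-dss AAAAB3NzaC1kc3MAAACB demo\n' > "$d/authorized_keys"
    if audit_dropbear_keys "$d"; then echo "problems: 0"; else echo "problems: $?"; fi
}
```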
====== Links ======
  * Dropbear: https://matt.ucc.asn.au/dropbear/dropbear.html
  * The free OpenSSH client and server: http://www.openssh.org/
  * PuTTY is a free implementation of Telnet and SSH for Win32 (''puttygen.exe'', ''putty.exe'' and ''pscp.exe''): http://www.chiark.greenend.org.uk/~sgtatham/putty/
  * PuTTY with hardware token support: http://www.joebar.ch/puttysc/
  * Key authentication: http://en.wikipedia.org/wiki/Key_authentication

inbox/howto/dropbear.public-key.auth.1359559227.txt.bz2 · Last modified: 2013/01/30 16:20 (external edit)