Dropbear key-based authentication

Introduction

Goals

  • Provide key-based authentication for Dropbear.
  • Harden security by disabling password authentication.

Web interface

Manage Dropbear keys using the web interface.

  1. Navigate to LuCI → System → Administration → SSH-Keys.
  2. Copy-paste your public key and click the Add key button.

Command-line interface

Manage Dropbear keys using the command-line interface. Generate a new authentication key if required.

# Add your public key to the router
ssh root@openwrt.lan "tee -a /etc/dropbear/authorized_keys" < ~/.ssh/id_rsa.pub

Testing

Log in to your router using the command-line interface. Verify that it does not ask you for a password.

ssh root@openwrt.lan

Troubleshooting

Collect and analyze the following information.

# Restart services
/etc/init.d/log restart; /etc/init.d/dropbear restart
 
# Log and status
logread -e dropbear; netstat -l -n -p | grep -e dropbear
 
# Runtime configuration
pgrep -f -a dropbear
 
# Persistent configuration
uci show dropbear; ls -l /etc/dropbear; cat /etc/dropbear/authorized_keys

Extras

Generating keys

Generate a new authentication key.

# Generate a new key pair, 3072-bit RSA by default
ssh-keygen
 
# Generate a key with custom type and length
ssh-keygen -t rsa -b 4096

Keep your software up-to-date to safely rely on the cryptography-related defaults.

Non-root users

Add authentication keys for the current non-root user.

ssh-copy-id openwrt.lan

The keys should be added to ~/.ssh/authorized_keys on the remote host.

Disabling password authentication

Harden security by disabling password authentication.

uci set dropbear.@dropbear[0].PasswordAuth="0"
uci set dropbear.@dropbear[0].RootPasswordAuth="0"
uci commit dropbear
/etc/init.d/dropbear restart

Providing Ed25519 support

Rebuild Dropbear with Ed25519 key type support.

cat << EOF >> openwrt/.config
CONFIG_DROPBEAR_ED25519=y
EOF

Fixing permissions

Set up the proper permissions.

chmod -R u=rwX,go= /etc/dropbear
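
A pre-flight check to run on the router before the uci commands under “Disabling password authentication”, so that a missing key or loose permissions do not lock you out once passwords are off. This is an added example, not part of the original wiki page; the function names private_mode, count_keys and preflight are hypothetical, and the key-type list is an assumption covering RSA, ECDSA and Ed25519 only.

```shell
#!/bin/sh
# Added example (not from the OpenWrt wiki): verify that key-based login has
# what it needs before password authentication is disabled.
# Assumption: root's keys live in /etc/dropbear/authorized_keys, as on the page.

# Succeeds only if group and others have no permission bits on the path,
# which is the mode produced by "chmod -R u=rwX,go=".
private_mode() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# Prints the number of non-comment lines that carry a public key.
# Every SSH public key blob starts with "AAAA" in base64; options placed
# before the key type are tolerated.
count_keys() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -c -E '(^|[[:space:]])(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))[[:space:]]+AAAA[A-Za-z0-9+/]+' ||
        true
}

# Returns 0 only when the key file exists, is private and holds a key.
preflight() {
    dir=${1:-/etc/dropbear}
    keys="$dir/authorized_keys"
    [ -s "$keys" ] || { echo "FAIL: $keys is missing or empty"; return 1; }
    private_mode "$dir" || { echo "FAIL: $dir is accessible by group/others"; return 1; }
    private_mode "$keys" || { echo "FAIL: $keys is accessible by group/others"; return 1; }
    n=$(count_keys "$keys")
    [ "$n" -gt 0 ] || { echo "FAIL: no usable public key in $keys"; return 1; }
    echo "OK: $n key(s) in $keys, permissions are private"
}

# Stand-alone use on the router: sh preflight.sh --run [directory]
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-/etc/dropbear}"
fi
```

A passing check only shows that the files are in place; still confirm a password-less login from a second terminal before restarting Dropbear with password authentication off.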

Using PuTTY on Windows

Start PuTTY and do the following:

  • If you don't have one yet, generate a key pair using puttygen.exe. It displays the public key output that you will add to the Dropbear configuration in the next step; also save the private key for the PuTTY configuration described below.
  • Add your public key to the file /etc/dropbear/authorized_keys on your OpenWrt device.
  • Session: In “Host Name” enter the router's DNS name or IP address, e.g. for access from the LAN enter openwrt.lan or from the WAN my-router.dyndns.org (your registered dynamic DNS name). If you change the port for Dropbear, then also adapt the “Port” field here. The protocol (“connection type”) is always “SSH”.
  • Connection → Data: In the box “Login details” enter the “Auto-login username” which is root.
  • Connection → SSH → Auth: In the box “Authentication Parameters” under “Private key file for Authentication” state the path to your private key file for this connection (e.g. the OpenWrt-Private-Key.ppk file you created before). It is best to click “Browse…” and select the file via the file dialog.
  • Session: Under “Load, save or delete a stored session”, enter OpenWrt-Session in Saved Sessions and click the Save button.
  • (optional) Connection → SSH → Tunnels: Here you can define tunnels, which let you access services on your router and LAN without exposing them to the internet. The connection is made through your SSH connection, hence the name tunnel. Example to access the router's web interface: Define a “Local” tunnel with the source port 80 and the destination localhost:80; don't forget to “Add” it. This will allow you to access the router's web interface in your browser via localhost:80. Note that the destination is always resolved on the other side of the tunnel.
  • TIP: To make a PuTTY shortcut with automatic login, create a shortcut and append the saved session name prefixed with an @ sign, for example call PuTTY with: putty.exe @OpenWrt-Session
docs/guide-user/security/dropbear.public-key.auth.txt · Last modified: 2020/10/03 22:46 by vgaetera