Dropbear public-key authentication HowTo

For an overview of public-key authentication, read signature authentication.

Short version (note that this overwrites any authorized_keys already on the router; the longer procedure below appends instead):

scp ~/.ssh/authorized_keys root@192.168.1.1:/etc/dropbear/ # cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys first if you don't have one yet.

With OpenSSH 9.0 or newer, scp transfers over SFTP by default, which Dropbear only serves when the openssh-sftp-server package is installed on the router; pass scp -O to force the legacy scp protocol.

Dropbear releases before 2020.79 do not support ssh-ed25519 keys; on an OpenWrt/LEDE release that ships an older Dropbear, use an RSA key.

Preparation

Install SSH and SCP clients

Install OpenSSH for *nix, PuTTY for Windows. See the links at the end of this document.

Generate the key pair (on your PC)

If you don't have one yet, create it with ssh-keygen. On Windows use puttygen.exe: it displays the public key in the one-line format to paste into Dropbear's authorized_keys file (used below), and you must also save the private key (.ppk file) for the PuTTY session configured later. puttygen.exe offers several key types; an RSA key is the most compatible with the LEDE/OpenWrt SSH server (Dropbear).

ssh-keygen's default RSA size of 2048 bits is adequate and verifies quickly on the router's CPU. Recent OpenSSH versions generate Ed25519 keys when no type is given, so pass -t rsa explicitly if your Dropbear does not accept ssh-ed25519:

ssh-keygen -t rsa

If you want a larger safety margin, use 4096 bits. Going beyond that only makes each login slower on the router and adds little in practice:

ssh-keygen -t rsa -b 4096

Append public key to authorized_keys (on your OpenWrt device)

Add the public key of your computer to the authorized_keys file on OpenWrt

On your PC:

ssh root@192.168.1.1 "tee -a /etc/dropbear/authorized_keys" < ~/.ssh/id_rsa.pub

or, if you generated the keys on Windows and your LEDE/OpenWrt device has the nano editor installed (if not: opkg install nano), paste the text shown by PuTTYgen earlier via the clipboard into your PuTTY SSH session:

nano /etc/dropbear/authorized_keys

Key is appended to the /etc/dropbear/authorized_keys file on your OpenWrt device.

authorized_keys for other users than root

If you have created another user, put that user's public key into $HOME/.ssh/authorized_keys in the user's home directory; on OpenWrt, /etc/dropbear/authorized_keys is consulted for root only. The same permission rules apply as for root: neither the home directory, .ssh, nor authorized_keys may be writable by group or others, or Dropbear will ignore the file.

Connecting to OpenWrt with Public Key

If you did everything right, you can now login using your key. It will not ask you for a password.

Using the OpenSSH client

$ ssh root@192.168.1.1

Using PuTTY on Windows

Start putty.exe and do the following:

  • Session: In “Host Name” enter the router's DNS name or IP address, e.g. openwrt.lan from the LAN or my-router.dyndns.org (your registered dynamic DNS name) from the WAN. If you changed Dropbear's port, adjust “Port” here too. The “Connection type” is always “SSH”.
  • Connection → Data: In the box “Login details” enter the “Auto-login username”, which is root.
  • Connection → SSH → Auth: In the box “Authentication parameters” under “Private key file for authentication” enter the path to the private key file for this connection (e.g. the OpenWrt-Private-Key.ppk file you saved from puttygen.exe). Best is to click “Browse…” and select the file via the file dialog.
  • Session: Under “Load, save or delete a stored session” enter OpenWrt-Session in “Saved Sessions” and click “Save”.
  • (optional) Connection → SSH → Tunnels: Here you can define tunnels that let you reach services on the router and its LAN without exposing them to the internet; the traffic is carried inside the SSH connection, hence “tunnel”. Example for the router's web interface (WebIF): define a “Local” tunnel with source port 80 and destination localhost:80, and don't forget to click “Add”. You can then open the WebIF in your browser at http://localhost:80/. Note that the destination is always resolved on the router side of the tunnel.

TIP: To make a PuTTY shortcut that logs in automatically, create one and pass the saved session name prefixed with an @ sign, for example:

C:\> putty.exe @OpenWrt-Session

Disable password login

For more security, disable Dropbear's password login. Confirm first that key login works, e.g. by opening a second SSH session with the key while the first session stays open: once password authentication is off, a missing or unreadable authorized_keys file leaves you with failsafe mode or a reset as the only way back in. Then run:

uci set dropbear.@dropbear[0].PasswordAuth="off"
uci set dropbear.@dropbear[0].RootPasswordAuth="off"
uci commit dropbear
service dropbear restart
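The append step above and the lock-out check before disabling passwords are easy to get subtly wrong by hand: a second paste duplicates the key, a stray character in the first field makes Dropbear ignore the line, and a permission slip makes it ignore the whole file. The following script is an added example, not part of the OpenWrt wiki or the Dropbear project; it installs a key line idempotently, refuses lines that are not OpenSSH public keys, and applies the permissions Dropbear requires. The directory is a parameter so it can be dry-run against a scratch directory on the PC before being run on the router against /etc/dropbear (root) or a user's ~/.ssh. The key line in the demo is constructed and not a real key.

```sh
#!/bin/sh
# Added example (not from the OpenWrt wiki): idempotent authorized_keys
# installation for Dropbear. AUTHDIR is /etc/dropbear for root on OpenWrt,
# or $HOME/.ssh for other users; a scratch directory works for a dry run.

# valid_pubkey LINE: succeed if LINE starts with a key type Dropbear accepts
# followed by a base64 blob (all OpenSSH public key blobs start with "AAAA").
valid_pubkey() {
    case "$1" in
        "ssh-rsa AAAA"*|"ssh-ed25519 AAAA"*|"ssh-dss AAAA"*) return 0 ;;
        "ecdsa-sha2-nistp256 AAAA"*|"ecdsa-sha2-nistp384 AAAA"*|"ecdsa-sha2-nistp521 AAAA"*) return 0 ;;
        *) return 1 ;;
    esac
}

# key_present FILE LINE: succeed if the key type and blob of LINE are already
# in FILE. The trailing comment is ignored, as Dropbear itself ignores it, so
# re-installing the same key with a different comment does not duplicate it.
key_present() {
    _file=$1
    _key=$(printf '%s\n' "$2" | awk '{ print $1 " " $2 }')
    [ -f "$_file" ] || return 1
    awk -v k="$_key" '($1 " " $2) == k { found = 1 } END { exit found ? 0 : 1 }' "$_file"
}

# install_key AUTHDIR LINE: append LINE to AUTHDIR/authorized_keys unless it
# is already there, then enforce the permissions Dropbear checks (directory
# and file must not be writable by group or others). Prints what it did.
install_key() {
    _dir=$1
    _line=$2
    if ! valid_pubkey "$_line"; then
        echo "refusing: not an OpenSSH public key line" >&2
        return 2
    fi
    mkdir -p "$_dir" && chmod 0700 "$_dir"
    if key_present "$_dir/authorized_keys" "$_line"; then
        echo "already present"
    else
        printf '%s\n' "$_line" >> "$_dir/authorized_keys"
        echo "appended"
    fi
    chmod 0600 "$_dir/authorized_keys"
}

# verify_key_login HOST KEYFILE: prove that key-only login works from a fresh
# session. Only if this succeeds is it safe to run the uci commands that turn
# PasswordAuth and RootPasswordAuth off. (Needs network; not run by the demo.)
verify_key_login() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no -i "$2" "root@$1" true
}

# Dry run on a scratch directory with a constructed (not real) key line.
demo_dir=$(mktemp -d)
demo_key="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedNotARealKey user@pc"
install_key "$demo_dir" "$demo_key"   # appended
install_key "$demo_dir" "$demo_key"   # already present
ls -ld "$demo_dir" "$demo_dir/authorized_keys"
rm -rf "$demo_dir"
```

On the router the same functions run under BusyBox ash, which provides the awk, printf and chmod used here; copy the script over, source it, and call install_key /etc/dropbear "$(cat id_rsa.pub)". Run verify_key_login from the PC with the router's address and your private key file before touching the uci settings.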

See also: Dropbear configuration

Troubleshooting

Set up the proper permissions.

chmod 0700 /etc/dropbear
chmod 0600 /etc/dropbear/authorized_keys

Verify the permissions.

# ls -l -d /etc/dropbear /etc/dropbear/authorized_keys 
drwx------    1 root     root          3488 Aug  5 04:23 /etc/dropbear
-rw-------    1 root     root           390 Aug  5 04:22 /etc/dropbear/authorized_keys

If everything looks right but the key is still rejected, check the first field of the line in authorized_keys: it must be the exact OpenSSH key type name (ssh-rsa, or ssh-dss for a DSA key, not ssh-dsa), a common slip when converting a multi-line SSH2 (RFC 4716) public key file by hand. On the router, logread | grep dropbear shows Dropbear's log messages for the failed attempt; on the PC, ssh -v root@192.168.1.1 shows which keys the client offered.

docs/guide-user/security/dropbear.public-key.auth.txt · Last modified: 2019/08/13 08:59 by vgaetera