Dropbear key-based authentication

  • Provide key-based authentication for Dropbear.
    • Harden security by disabling password authentication.

Manage Dropbear keys using web interface.

  1. Navigate to LuCI → System → Administration → SSH-Keys.
  2. Copy-paste your public key and click the Add key button.

read your public key (it's usually in ~./ssh/id_rsa.pub on a linux system) and add it to /etc/dropbear/authorized_keys

Add your public key to the router using ssh-copy-id.

ssh-copy-id -f root@openwrt.lan < /dev/null

Generate a new authentication key if necessary.

Use ssh to log in your router using command-line interface. Verify that it does not ask you for a password.

ssh root@openwrt.lan

Collect and analyze the following information.

# Restart services
/etc/init.d/log restart; /etc/init.d/dropbear restart
 
# Log and status
logread -e dropbear; netstat -l -n -p | grep -e dropbear
 
# Runtime configuration
pgrep -f -a dropbear
 
# Persistent configuration
uci show dropbear; ls -l /etc/dropbear; cat /etc/dropbear/authorized_keys

This is useful if you want to connect with ssh from this device to another device, using public key auth.

dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key

And an example answer is

Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAdrgdftergdsfgdfgdfgdfgdfgdfgdfgJOYPF6nc41DUWDQdRrv8Ihe/zINq5CaFOsysL3LNOg90C9uDYRIp89nq9ydUIrwvjz9r8U/7HFOkLX6YQUevUZHxEyUexhWRSBLbnoQSKLHlB5WhodghdfgdfgdfgdfgdfgdfgfdgdfgfdgdfasdaaedadfasEUxiDTj74l0dqLpCCM1r9BcQd12hvQwfHvbMAcY/7l3Wb5fdAvXI5mMIXXzWPkLhSLHP1Hw1trEmuUeL2rie+WzSjaOGMzVDjOpEaZD0dT7Ib9yDwem8UDMPFuXnNmsUvpxNHakWbw+465uxlyeAzL root@VM-router
Fingerprint: sha1!! ec:66:c1:57:92:c1:ec:66:c1:57:92:c1:c7:9e:71:50:25:65:61:53:dd

You will copy-paste the “public key portion” to the other device's accepted keys

Generate a new authentication key using ssh-keygen.

# Generate a new key pair, 3072-bit RSA by default
ssh-keygen
 
# Generate a new key pair, 256-bit Ed25519
ssh-keygen -t ed25519

Keep your software up-to-date to safely rely on the cryptography-related defaults.

Add authentication keys for the current non-root user.

ssh openwrt.lan "mkdir -p ~/.ssh; tee -a ~/.ssh/authorized_keys" < ~/.ssh/id_ed25519.pub

Harden security by disabling password authentication.

uci set dropbear.@dropbear[0].PasswordAuth="0"
uci set dropbear.@dropbear[0].RootPasswordAuth="0"
uci commit dropbear
/etc/init.d/dropbear restart

Set up the proper permissions.

chmod -R u=rwX,go= /etc/dropbear
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2021/10/08 20:19
  • by bobafetthotmail