Dropbear key-based authentication

  • Provide key-based authentication for Dropbear.
  • Harden security by disabling password authentication.

Manage Dropbear keys using the web interface.

  1. Navigate to LuCI → System → Administration → SSH-Keys.
  2. Copy-paste your public key and click the Add key button.

Manage Dropbear keys using the command-line interface. Add your public key to the router using ssh-copy-id.

ssh-copy-id root@openwrt.lan

Generate a new authentication key if required.

Log in to your router using the command-line interface. Verify that it does not ask you for a password.

ssh root@openwrt.lan

Collect and analyze the following information.

# Restart services
/etc/init.d/log restart; /etc/init.d/dropbear restart
 
# Log and status
logread -e dropbear; netstat -l -n -p | grep -e dropbear
 
# Runtime configuration
pgrep -f -a dropbear
 
# Persistent configuration
uci show dropbear; ls -l /etc/dropbear; cat /etc/dropbear/authorized_keys

Generate a new authentication key using ssh-keygen.

# Generate a new key pair, 3072-bit RSA by default
ssh-keygen
 
# Generate a key with custom type and length
ssh-keygen -t rsa -b 4096

Keep your software up-to-date to safely rely on the cryptography-related defaults.

Add authentication keys for the current non-root user.

ssh openwrt.lan "mkdir -p ~/.ssh; tee -a ~/.ssh/authorized_keys" < ~/.ssh/id_rsa.pub

Harden security by disabling password authentication.

uci set dropbear.@dropbear[0].PasswordAuth="0"
uci set dropbear.@dropbear[0].RootPasswordAuth="0"
uci commit dropbear
/etc/init.d/dropbear restart

Rebuild Dropbear with Ed25519 key type support.

cat << EOF >> .config
CONFIG_DROPBEAR_ED25519=y
EOF

Set up the proper permissions.

chmod -R u=rwX,go= /etc/dropbear
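
The steps above can be checked with a small audit script. This is an added example, not part of the original wiki page: it confirms that at least one public key is installed, that the key file is private to its owner, and that password login is off for every Dropbear instance. The function names, the false spellings accepted besides "0", and treating a missing option as enabled are assumptions.

```sh
#!/bin/sh
# Added example (not from the OpenWrt wiki): audit key-only Dropbear login.

# Count lines in an authorized_keys file that look like public keys.
# Assumption: keys carry no leading options, as ssh-copy-id writes them.
count_keys() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)' "$1" || true
}

# Succeed only if the path grants nothing to group/other (result of "chmod go=").
perms_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Read "uci show dropbear" output on stdin. Succeed only if every instance
# sets both PasswordAuth and RootPasswordAuth to a false value.
# Assumption: an option that is absent is treated as still enabled.
password_auth_off() {
    awk -F'[.=]' '
        /^dropbear\.[^.=]+=dropbear$/ { inst[$2] = 1 }
        $3 == "PasswordAuth" || $3 == "RootPasswordAuth" {
            v = $4; gsub(/[^A-Za-z0-9]/, "", v)      # strip the quotes uci prints
            if (v ~ /^(0|off|no|false|disabled)$/) off[$2 "." $3] = 1
        }
        END {
            n = 0
            for (i in inst) {
                n++
                if (!((i ".PasswordAuth") in off)) exit 1
                if (!((i ".RootPasswordAuth") in off)) exit 1
            }
            exit (n == 0)    # no dropbear section found counts as a failure
        }'
}

# On a router (uci available), run the checks against the live system.
if command -v uci >/dev/null 2>&1; then
    keys=/etc/dropbear/authorized_keys
    [ "$(count_keys "$keys")" -gt 0 ] || echo "WARN: no public keys in $keys"
    perms_private "$keys" || echo "WARN: $keys is accessible to group/other"
    uci show dropbear | password_auth_off || echo "WARN: password login is still enabled"
fi
```

Run the key-count check before disabling password authentication, and keep the existing SSH session open until a second key-based login succeeds.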
  • Last modified: 2021/03/17 20:38
  • by vgaetera