# Dropbear key-based authentication

This article relies on the following:

- Accessing web interface / command-line interface
- Managing configs / packages / services / logs

## Introduction

This how-to describes the method for setting up key-based authentication for Dropbear. Follow SSH access for newcomers to set up key-based authentication for PuTTY.

## Goals

- Enable key-based authentication for Dropbear for convenience
- Improve security by disabling password authentication

## Generating public and private keys

Skip this if you already have a public / private key pair on your client machine that you intend to use to connect to the OpenWrt SSH server.

The ssh-keygen utility can be used to generate a key pair to use for authentication. After you have used this utility, you will have two files, by default ~/.ssh/id_<keytype> (the private key) and ~/.ssh/id_<keytype>.pub (the public key). Always keep your private key (e.g. ~/.ssh/id_<keytype>) secret and secure.

```sh
# Generate a new key pair, 3072-bit RSA by default
ssh-keygen

# Generate a new Ed25519 key pair
ssh-keygen -t ed25519
```

If you wish to SSH from the OpenWrt device, Dropbear needs the keys in a different format to OpenSSH, so a different program is used:

```sh
dropbearkey -f ~/.ssh/id_dropbear -t rsa -s 2048
```

By default Dropbear reads ~/.ssh/id_dropbear, so putting the private key there may avoid the need to create an SSH configuration file. Keep your software up-to-date to safely rely on the cryptography-related defaults.

## From the LuCI Web Interface

Once your terminal program on your laptop/desktop has a public key, you can forgo entering a password each time you SSH to your device.
(This is secure: only your terminal program with the appropriate private key can log in without a password.)

First, generate the public and private keys (see above). Then add your PUBLIC key (it's often called id_rsa.pub; it MUST have “.pub” in the filename) to the device. To do this from LuCI:

1. Navigate to LuCI → System → Administration → SSH-Keys
2. Copy the contents of your public key file. It will be a long string starting with ssh-rsa ... and ending with something like ... some-name@some-host.lan
3. Paste that string into the Paste or drag key file... field on the web page
4. Click the Add key button

To test: open a new window in your terminal program and enter ssh root@your-router-address. You should be logged in without entering your password.

## From the Command-line

Read your public key (it's usually in ~/.ssh/id_rsa.pub on a Linux system) and add it to /etc/dropbear/authorized_keys. Example:

```sh
ssh root@192.168.1.1 "tee -a /etc/dropbear/authorized_keys" < ~/.ssh/id_rsa.pub
```

## Using ssh-copy-id

Add your public key to the router using ssh-copy-id.

```sh
ssh-copy-id root@openwrt.lan
```

Generate a new authentication key if necessary.

## Testing

Use ssh to log in to your router from the command-line interface, temporarily disabling password authentication on the client side to verify that you can log in and that it does not ask you for a password:

```sh
ssh -o PasswordAuthentication=no root@openwrt.lan
```

Until you have successfully completed this test, it is unwise to disable password authentication on the OpenWrt SSH server, as you may lock yourself out.

## Troubleshooting

Collect and analyze the following information.

```sh
# Restart services
/etc/init.d/log restart; /etc/init.d/dropbear restart

# Log and status
logread -e dropbear; netstat -l -n -p | grep -e dropbear

# Runtime configuration
pgrep -f -a dropbear

# Persistent configuration
uci show dropbear; ls -l /etc/dropbear; cat /etc/dropbear/authorized_keys
```

Additionally, run your ssh client with maximum verbosity (ssh -vvv) and check the output.
If you see something like send_pubkey_test: no mutual signature algorithm, you might want to try running the ssh client with the -o PubkeyAcceptedKeyTypes=ssh-rsa option. You can save this setting in your .ssh/config file in an entry dedicated to your router.

## Extras

### Showing the device's public key

This is useful if you want to connect with ssh from this device to another device, using public key auth.

```sh
dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key
```

An example answer is:

```
Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAdrgdftergdsfgdfgdfgdfgdfgdfgdfgJOYPF6nc41DUWDQdRrv8Ihe/zINq5CaFOsysL3LNOg90C9uDYRIp89nq9ydUIrwvjz9r8U/7HFOkLX6YQUevUZHxEyUexhWRSBLbnoQSKLHlB5WhodghdfgdfgdfgdfgdfgdfgfdgdfgfdgdfasdaaedadfasEUxiDTj74l0dqLpCCM1r9BcQd12hvQwfHvbMAcY/7l3Wb5fdAvXI5mMIXXzWPkLhSLHP1Hw1trEmuUeL2rie+WzSjaOGMzVDjOpEaZD0dT7Ib9yDwem8UDMPFuXnNmsUvpxNHakWbw+465uxlyeAzL root@VM-router
Fingerprint: sha1!! ec:66:c1:57:92:c1:ec:66:c1:57:92:c1:c7:9e:71:50:25:65:61:53:dd
```

You will copy-paste the “public key portion” to the other device's accepted keys.

### Non-root users

Add authentication keys for the current non-root user.

```sh
ssh openwrt.lan "mkdir -p ~/.ssh; tee -a ~/.ssh/authorized_keys" < ~/.ssh/id_ed25519.pub
```

### Disabling password authentication

Harden security by disabling password authentication.

```sh
uci set dropbear.@dropbear[0].PasswordAuth="0"
uci set dropbear.@dropbear[0].RootPasswordAuth="0"
uci commit dropbear
/etc/init.d/dropbear restart
```

### Fixing permissions

Set up the proper permissions.

```sh
chmod -R u=rwX,go= /etc/dropbear
```

Last modified: 2023/01/16 07:35 by vgaetera
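The command-line, Testing and Disabling password authentication steps above, combined into one client-side script as an added example (not part of this wiki page): the key is appended to the router's authorized_keys only if the same key material is not already there, a key-only login is verified with BatchMode so ssh fails instead of prompting, and only after that check passes are the uci settings from this page applied. The target root@openwrt.lan and the key path ~/.ssh/id_ed25519.pub are assumptions.

```sh
#!/bin/sh
# Added example, not from the OpenWrt wiki. Run on the client; assumes the
# router is reachable as root@openwrt.lan and Dropbear reads root's keys
# from /etc/dropbear/authorized_keys (as the page states).
AUTH_KEYS=/etc/dropbear/authorized_keys

# add_key PUBKEY_FILE KEYS_FILE: append the first line of PUBKEY_FILE to
# KEYS_FILE unless the same key material is already there. Returns 0 when
# appended, 1 when already present, 2 when PUBKEY_FILE is not a public key.
add_key() {
    pub="$1"; dest="$2"
    # Key type and base64 blob identify a key; the trailing comment may differ.
    kt=$(awk 'NR==1{print $1}' "$pub")
    kb=$(awk 'NR==1{print $2}' "$pub")
    case "$kt" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 2 ;;
    esac
    [ -n "$kb" ] || return 2
    if [ -f "$dest" ] && awk -v t="$kt" -v b="$kb" '$1==t && $2==b {f=1} END {exit f ? 0 : 1}' "$dest"; then
        return 1
    fi
    head -n 1 "$pub" >> "$dest"
    return 0
}

# install_key PUBKEY_FILE TARGET: pull the router's file, merge locally with
# add_key, push it back only if something changed. Dropbear rejects a keys
# file that group or others can write, hence the chmod.
install_key() {
    tmp=$(mktemp)
    ssh "$2" "cat $AUTH_KEYS 2>/dev/null" > "$tmp" || :
    if add_key "$1" "$tmp"; then
        ssh "$2" "cat > $AUTH_KEYS && chmod 600 $AUTH_KEYS" < "$tmp"
    fi
    rm -f "$tmp"
}

# key_login_ok TARGET: BatchMode makes ssh fail instead of prompting, so this
# succeeds only if the key alone logs in.
key_login_ok() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no "$1" true
}

# disable_password_auth TARGET: the uci settings from this page, applied only
# after key_login_ok has passed so you cannot lock yourself out.
disable_password_auth() {
    key_login_ok "$1" || { echo "key login failed; password auth left on" >&2; return 1; }
    ssh "$1" 'uci set dropbear.@dropbear[0].PasswordAuth="0"; uci set dropbear.@dropbear[0].RootPasswordAuth="0"; uci commit dropbear; /etc/init.d/dropbear restart'
}
```

Typical use after sourcing the script on the client: install_key ~/.ssh/id_ed25519.pub root@openwrt.lan && disable_password_auth root@openwrt.lan.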