Manage Dropbear keys using the web interface.
Manage Dropbear keys using the command-line interface. Generate a new authentication key if required.
# Add your public key to the router (root is the router user, openwrt.lan its LAN hostname)
ssh root@openwrt.lan "tee -a /etc/dropbear/authorized_keys" < ~/.ssh/id_rsa.pub
Log in to your router using the command-line interface. Verify that it does not ask you for a password.
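Because tee -a appends unconditionally, running the command above a second time leaves a duplicate line in authorized_keys. The helper below is an added example, not part of the OpenWrt documentation: it appends an OpenSSH public key only when the same key (type plus base64 blob) is not already present, rejects input that does not look like a key, and uses only POSIX sh, awk and grep so it also runs under BusyBox on the router. The file names, key material and hostnames in it are constructed placeholders.

```shell
#!/bin/sh
# add_authorized_key FILE KEYLINE
# Appends KEYLINE to FILE unless the same key (type + base64 blob) is already
# there. Returns 0 if the key is present afterwards, 1 if KEYLINE is not an
# OpenSSH public key line. Only POSIX sh, awk and grep are used, so it also
# works in a BusyBox shell on the router.
add_authorized_key() {
    file=$1
    key=$2

    # Shape check: "<type> <base64 blob> [comment]" with a known key type.
    case "$key" in
        "ssh-ed25519 AAAA"*|"ssh-rsa AAAA"*|"ecdsa-sha2-nistp256 AAAA"*|"ecdsa-sha2-nistp384 AAAA"*|"ecdsa-sha2-nistp521 AAAA"*) ;;
        *) echo "add_authorized_key: not an OpenSSH public key: $key" >&2; return 1 ;;
    esac

    # Compare on type and blob only, so a different comment is still the same key.
    key_id=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if [ -f "$file" ] && awk '{ print $1 " " $2 }' "$file" | grep -qxF "$key_id"; then
        return 0
    fi

    printf '%s\n' "$key" >> "$file"
    chmod 600 "$file"
}

# count_authorized_keys FILE: number of key lines (non-empty, not comments).
count_authorized_keys() {
    [ -f "$1" ] || { echo 0; return; }
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# Usage on the router after copying this file there (file name and key path are
# assumptions, not something the wiki prescribes):
#   . ./authkeys.sh
#   add_authorized_key /etc/dropbear/authorized_keys "$(cat id_ed25519.pub)"
```

Running it from the workstation works the same way as the one-liner above: pipe the public key through ssh to the router and call the function there instead of tee -a.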
Collect and analyze the following information.
# Restart services
/etc/init.d/log restart; /etc/init.d/dropbear restart

# Log and status
logread -e dropbear; netstat -l -n -p | grep -e dropbear

# Runtime configuration
pgrep -f -a dropbear

# Persistent configuration
uci show dropbear; ls -l /etc/dropbear; cat /etc/dropbear/authorized_keys
Generate a new authentication key.
# Generate a new key pair, 3072-bit RSA by default
ssh-keygen

# Generate a key with custom type and length
ssh-keygen -t rsa -b 4096
Keep your software up-to-date to safely rely on the cryptography-related defaults.
Add authentication keys for the current non-root user.
The keys should be added to ~/.ssh/authorized_keys on the remote host.
Harden security by disabling password authentication.
uci set dropbear.@dropbear[0].PasswordAuth="0"
uci set dropbear.@dropbear[0].RootPasswordAuth="0"
uci commit dropbear
/etc/init.d/dropbear restart
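The troubleshooting output of uci show dropbear and the hardening step above both revolve around the PasswordAuth and RootPasswordAuth options. The script below is an added example, not part of the OpenWrt wiki: it reads uci show dropbear output on standard input and fails unless every Dropbear instance has both options switched off, treating an absent option as enabled because that is Dropbear's default. The two sample outputs embedded in it are constructed, not captured from a router.

```shell
#!/bin/sh
# check_password_auth: read `uci show dropbear` output on stdin and return 0
# only when every dropbear section has PasswordAuth and RootPasswordAuth off.
# A missing option counts as "on" (the default), so a second instance that
# was added without the options is reported instead of silently passing.
check_password_auth() {
    awk -F= -v q="'" '
        function off(v) { return (v == "0" || v == "off" || v == "false" || v == "no" || v == "disabled") }
        # Section lines look like: dropbear.@dropbear[0]=dropbear
        /=dropbear$/ { sec = $1; seen[sec] = 1; pw[sec] = "on"; rpw[sec] = "on"; next }
        # Option lines look like: dropbear.@dropbear[0].PasswordAuth=0 (value quoted by uci)
        /\.(Root)?PasswordAuth=/ {
            s = $1; opt = $1
            sub(/.*\./, "", opt)        # option name
            sub(/\.[A-Za-z]+$/, "", s)  # section key
            v = $2; gsub(q, "", v)      # strip the single quotes uci show adds
            if (opt == "PasswordAuth") pw[s] = v; else rpw[s] = v
        }
        END {
            bad = 0
            for (s in seen)
                if (!off(pw[s]) || !off(rpw[s])) {
                    print s ": password login still possible (PasswordAuth=" pw[s] ", RootPasswordAuth=" rpw[s] ")"
                    bad = 1
                }
            exit bad
        }
    '
}

# Constructed sample outputs (not captured from a real router).
SAMPLE_HARDENED="dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].Port='22'
dropbear.@dropbear[0].PasswordAuth='0'
dropbear.@dropbear[0].RootPasswordAuth='0'"

# Second instance on port 2222 never had RootPasswordAuth set: still accepts root passwords.
SAMPLE_WEAK="dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth='0'
dropbear.@dropbear[0].RootPasswordAuth='0'
dropbear.@dropbear[1]=dropbear
dropbear.@dropbear[1].Port='2222'
dropbear.@dropbear[1].PasswordAuth='0'"

# On the router:  uci show dropbear | check_password_auth
```

The per-section bookkeeping matters because uci show lists every Dropbear instance; a check that only greps for PasswordAuth='0' somewhere in the output would pass the weak sample.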
Rebuild Dropbear with Ed25519 key type support.
cat << EOF >> openwrt/.config
CONFIG_DROPBEAR_ED25519=y
EOF
Set up the proper permissions.
chmod -R u=rwX,go= /etc/dropbear
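The chmod line above sets the mode bits but gives no feedback. As an added example, not from the OpenWrt documentation, the function below lists every entry under a Dropbear directory that is readable, writable or executable by group or others, or that is not owned by the expected user, and returns non-zero if it found any. The directory in the usage comment is the page's /etc/dropbear; the expected owner defaults to root, which is an assumption for a stock OpenWrt install.

```shell
#!/bin/sh
# audit_dropbear_perms DIR [OWNER]
# Prints every path under DIR that is accessible to group or others, or that
# is not owned by OWNER (default root). Returns 0 if nothing was printed,
# 1 otherwise, 2 if DIR is not a directory. The symbolic -perm tests are
# POSIX, so this works with both BusyBox and GNU find.
audit_dropbear_perms() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || { echo "audit_dropbear_perms: $dir is not a directory" >&2; return 2; }
    found=$(find "$dir" \( ! -user "$owner" \
        -o -perm -g+r -o -perm -g+w -o -perm -g+x \
        -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# On the router, after the chmod from the wiki, this should print nothing:
#   audit_dropbear_perms /etc/dropbear
```

A host key that is group- or world-readable is the finding to care about most: anyone who can read it can impersonate the router to its clients, whereas an overly permissive authorized_keys only leaks public keys.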
Start PuTTY and do the following:
1. Create a key pair with puttygen.exe. It will provide you with the public key output to be added to the Dropbear configuration file later; you should also save the private key for the PuTTY configuration described later.
2. Add the public key to /etc/dropbear/authorized_keys on your OpenWrt device.
3. Set the host name to openwrt.lan or, from the WAN, to my-router.dyndns.org (your registered dynamic DNS name). If you change the port for Dropbear, then also adjust the “Port” setting here. The protocol (“connection type”) is always “SSH”.
4. Select the private key file for authentication (the OpenWrt-Private-Key.ppk file you created before). Best is to click “Browse…” and select the file via the file dialog.
5. Enter OpenWrt-Session in Saved Sessions and click the Save button.
6. To reach the router's web interface through the tunnel, add a forwarded port with source port 80 and destination localhost:80; don't forget to “Add” it. This will allow you to access the router's web interface in your browser via localhost:80. Note that the destination is always resolved on the other side of the tunnel.
7. You can also specify the user name with the @ sign, for example call PuTTY with: