For an overview of public-key authentication, read the signature authentication article.
scp ~/.ssh/authorized_keys firstname.lastname@example.org:/etc/dropbear/
# cp .ssh/id_rsa.pub .ssh/authorized_keys if you don't have one yet.
Install OpenSSH for *nix, PuTTY for Windows. See the links at the end of this document.
If you don't have a key pair yet, create one using ssh-keygen. If you use Windows, use puttygen.exe: it shows the public key text that you will add to the Dropbear authorized_keys file later, and you should also save the private key for the PuTTY configuration described later.
puttygen.exe provides various key generation methods, but an RSA key is the most compatible with the LEDE SSH server (Dropbear).
For low security (fast verification), just use a 2048-bit key.
If you are concerned about security, use 4096 bits instead. Since access to a router via SSH has not been of much interest to attackers, a 5120-bit key is more than enough.
ssh-keygen -b 4096 # or ssh-keygen -b 5120
Add the public key of your computer to the authorized_keys file on OpenWrt
On your PC:
ssh email@example.com "tee -a /etc/dropbear/authorized_keys" < ~/.ssh/id_rsa.pub
or, if you generated the keys on Windows and your LEDE device has the nano text editor installed (if not, run opkg install nano), you can paste the text provided by PuTTYgen in the previous steps via the clipboard in your PuTTY SSH session.
The key is appended to the /etc/dropbear/authorized_keys file on your OpenWrt device.
If you have created another user, you have to put the authorized_keys file into $HOME/.ssh/ of that user to make ssh login work for that user.
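As an added example (not from the OpenWrt wiki and not a Dropbear tool), here is a small POSIX shell function that performs the append step above more carefully than a bare tee -a: it checks that the line starts with a key type Dropbear can use (so a typo such as ssh-dsa is rejected), checks that the key data is well-formed base64, skips a key that is already present instead of appending it a second time, and sets the 0700/0600 modes on /etc/dropbear and authorized_keys. The default path, the accepted key-type list and the sample key used in the comments are assumptions for this example; run it on the router as root, for example by pasting it into a PuTTY or ssh session.

```sh
#!/bin/sh
# Added example (not from the OpenWrt wiki): install a public key into Dropbear's
# authorized_keys file safely. Compared with a plain "tee -a" it
#   - rejects lines whose key-type word is not one Dropbear can use (catches ssh-dsa typos),
#   - rejects key data that is not well-formed base64,
#   - never appends the same key twice, and
#   - applies the 0700/0600 modes the wiki asks for on the directory and file.
# The default path and the accepted key types are assumptions for this example;
# ecdsa and ed25519 support depend on the Dropbear version on your device.

add_authorized_key() {  # usage: add_authorized_key "<type> <base64> [comment]" [authorized_keys-path]
    key_line=$1
    file=${2:-/etc/dropbear/authorized_keys}
    dir=$(dirname "$file")

    # Split the line into its fields: key type, base64 blob, optional comment.
    set -- $key_line
    key_type=$1
    key_b64=$2

    case $key_type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *)  echo "add_authorized_key: unsupported or misspelled key type '$key_type'" >&2
            return 1 ;;
    esac

    # Base64 sanity: only the base64 alphabet, and it must actually decode.
    case $key_b64 in
        ''|*[!A-Za-z0-9+/=]*)
            echo "add_authorized_key: key data is not valid base64" >&2
            return 1 ;;
    esac
    printf '%s' "$key_b64" | base64 -d >/dev/null 2>&1 || {
        echo "add_authorized_key: key data does not decode as base64" >&2
        return 1
    }

    # Create the directory and file with the modes the wiki asks for (0700 / 0600).
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    [ -e "$file" ] || : > "$file"
    chmod 0600 "$file" || return 1

    # Idempotent: match on the blob, so a changed comment does not produce a duplicate.
    if grep -qF -- "$key_b64" "$file"; then
        echo "add_authorized_key: key already present in $file" >&2
        return 0
    fi
    printf '%s\n' "$key_line" >> "$file"
}

# Stand-alone use: sh add_key.sh "$(cat ~/.ssh/id_rsa.pub)"   (constructed file name)
if [ $# -ge 1 ]; then
    add_authorized_key "$@"
fi
```

The duplicate check compares only the base64 blob, so re-running the function after editing the comment at the end of the key line still results in a single entry.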
If you did everything right, you can now login using your key. It will not ask you for a password.
$ ssh firstname.lastname@example.org
Start putty.exe and do the following:
* Session > Host Name: openwrt.lan, or from the WAN my-router.dyndns.org (your registered dynamic DNS name). If you changed the port for Dropbear, then also adapt the “Port” field here. The protocol (“connection type”) is always “SSH”.
* Connection > SSH > Auth > Private key file: the OpenWrt-Private-Key.ppk file you created before. Best is to click “Browse…” and select the file via the file dialog.
* Session > Saved Sessions: enter OpenWrt-Session and click the Save button.
* Connection > SSH > Tunnels: enter the source port 80 and the destination localhost:80; don't forget to “Add” it. This will allow you to access the router's WebIF in your browser via localhost:80. Note that the destination is always resolved on the other side of the tunnel.
TIP: To make a PuTTY shortcut that logs in automatically, create one and append the saved session name with a leading @ sign, for example call PuTTY with:
C:\> putty.exe @OpenWrt-Session
For more security you can disable Dropbear's password login. Do this only after you have confirmed that key login works (previous section), otherwise you lock yourself out of SSH.
root@OpenWrt:~# uci set dropbear.@dropbear[0].PasswordAuth=off
root@OpenWrt:~# uci set dropbear.@dropbear[0].RootPasswordAuth=off
root@OpenWrt:~# uci commit dropbear
See also Dropbear configuration article.
Make sure the /etc/dropbear directory is chmoded 0700 and the /etc/dropbear/authorized_keys file 0600.
root@OpenWrt:~# ls -dl /etc/dropbear/ /etc/dropbear/authorized_keys
drwx------ 1 root root   0 Feb 28 00:00 /etc/dropbear/
-rw------- 1 root root 626 Feb 28 00:00 /etc/dropbear/authorized_keys
If the modes are not the same for you, run
chmod 0700 /etc/dropbear
chmod 0600 /etc/dropbear/authorized_keys
If you think everything is OK but it still does not accept your key, check that you didn't write ssh-dsa as the key type when manually converting a multi-line SSH2 key file to a single line.
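The troubleshooting note above concerns keys copied by hand out of a PuTTYgen “Save public key” file, which is in the multi-line SSH2 (RFC 4716) format rather than the one-line format authorized_keys needs. As an added example (not from the wiki, the PuTTY project or Dropbear), the script below does that conversion on the router or on any *nix host: it joins the wrapped base64 body, keeps the Comment header, strips the CRLF line endings PuTTYgen writes, and reads the key type out of the decoded key blob instead of trusting a hand-typed prefix, so a mistaken ssh-dsa cannot end up in the file. The function names and the sample key file are constructed for this example; the sample key's numbers are deliberately tiny and useless as a real key.

```sh
#!/bin/sh
# Added example (not from the OpenWrt wiki): convert a multi-line "SSH2" public key
# file (RFC 4716, what PuTTYgen's "Save public key" writes) into the single-line
# OpenSSH/Dropbear format, taking the key type from the key blob itself instead of
# trusting whatever was typed in front of it. File names and the sample key are
# constructed for this example.

# Print the key-type string stored at the start of a base64 key blob
# (wire format: 4-byte big-endian length, then the type name, e.g. "ssh-rsa").
blob_key_type() {
    blob=$1
    # First four decoded bytes as decimal numbers (fails if fewer than four exist).
    set -- $(printf '%s' "$blob" | base64 -d 2>/dev/null | head -c 4 | od -An -tu1)
    [ $# -eq 4 ] || return 1
    len=$(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
    [ "$len" -gt 0 ] && [ "$len" -le 64 ] || return 1   # type names are short
    printf '%s' "$blob" | base64 -d 2>/dev/null | head -c $((4 + len)) | tail -c "$len"
}

# Emit "<type> <base64> [comment]" for an RFC 4716 file; non-zero status if unusable.
rfc4716_to_openssh() {
    parsed=$(awk '
        { sub(/\r$/, "") }                                # PuTTYgen writes CRLF
        /^---- BEGIN SSH2 PUBLIC KEY ----$/ { inkey = 1; next }
        /^---- END SSH2 PUBLIC KEY ----$/   { inkey = 0; next }
        !inkey { next }
        cont   { cont = (sub(/\\$/, "") > 0); next }      # continuation of a header
        /^[^ ]+: / {                                      # header line, e.g. Comment:
            cont = (sub(/\\$/, "") > 0)
            if (sub(/^Comment: */, "")) { gsub(/^"|"$/, ""); comment = $0 }
            next
        }
        { b64 = b64 $0 }                                  # base64 body, joined
        END { print b64 " " comment }
    ' "$1") || return 1
    b64=${parsed%% *}
    comment=${parsed#* }
    [ -n "$b64" ] || { echo "rfc4716_to_openssh: no key data in $1" >&2; return 1; }
    type=$(blob_key_type "$b64") || { echo "rfc4716_to_openssh: cannot read key type" >&2; return 1; }
    printf '%s %s%s\n' "$type" "$b64" "${comment:+ $comment}"
}

# Constructed sample: an RSA blob with tiny (useless) numbers, wrapped over two
# lines, with a header continuation line, as a real exported file might contain.
write_sample_rfc4716() {
    printf '%s\n' \
        '---- BEGIN SSH2 PUBLIC KEY ----' \
        'Comment: "constructed test key"' \
        'x-note: this header spans \' \
        'two lines and is ignored' \
        'AAAAB3NzaC1yc2EA' \
        'AAADAQABAAAAAQU=' \
        '---- END SSH2 PUBLIC KEY ----' > "$1"
}

# Stand-alone use: sh convert.sh key.pub >> /etc/dropbear/authorized_keys  (constructed file names)
if [ -n "$1" ]; then
    rfc4716_to_openssh "$1"
fi
```

Because the type word is derived from the blob, the output line for the sample file starts with ssh-rsa regardless of what a person might have typed; if the blob cannot be decoded at all, nothing is printed and the function fails rather than emitting a line Dropbear would silently reject.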