OpenSSH (Server Setup)

Modify Dropbear

  1. Ensure a root password is set (a fresh OpenWrt install has none; -a sha256 selects the password hash):
    passwd -a sha256
  2. Change Dropbear port to an unused one and restart Dropbear:
    uci set dropbear.@dropbear[0].Port=2222 && uci commit dropbear && /etc/init.d/dropbear restart
  3. Reconnect via SSH on the newly configured port:
    ssh -p 2222 root@192.168.1.1

Install & Configure

Server

  1. Install the OpenSSH server and its SFTP subsystem (the subsystem is what sftp clients and SSHFS mounts talk to)
    opkg update && opkg install openssh-server openssh-sftp-server
  2. Generate server host keys

    See the ssh-keygen(1) man page for the options used below.

    create-host-keys.sh
    #!/bin/sh
     
    # sshd loads its host keys from the paths named by HostKey in sshd_config
    # (/etc/ssh by default). Without -f, ssh-keygen would write id_* files into
    # ~/.ssh instead, which sshd never reads. Host keys get no passphrase (-N '').
    mkdir -p /etc/ssh
     
    # Generate 2048-bit RSA (3072 is the current ssh-keygen default) #
    ssh-keygen -o -b 2048 -t rsa -E sha256 -C "OpenWrt OpenSSH Server RSA" -N '' -f /etc/ssh/ssh_host_rsa_key
     
    # Generate ED25519 #
    ssh-keygen -o -t ed25519 -E sha256 -C "OpenWrt OpenSSH Server ED25519" -N '' -f /etc/ssh/ssh_host_ed25519_key
     
    # Generate 256-bit ECDSA (nistp256) #
    ssh-keygen -o -b 256 -t ecdsa -E sha256 -C "OpenWrt OpenSSH Server ECDSA" -N '' -f /etc/ssh/ssh_host_ecdsa_key
     
    # Ensure Correct Permissions: private host keys readable by root only #
    chmod 600 /etc/ssh/ssh_host_*_key
    chmod 644 /etc/ssh/ssh_host_*_key.pub

Client

  1. If not already done, generate client keys (the file names below are the same ones the Windows script uses)
    1. BSD/Linux:
      create-client-keys.sh
      #!/bin/sh
       
      # Keys are written to ~/.ssh/openwrt_2r, _2e and _2ec. ssh-keygen prompts
      # for a passphrase; it protects the private key if the client is stolen.
      mkdir -p ~/.ssh
       
      # Generate 2048-bit RSA #
      ssh-keygen -o -b 2048 -t rsa -E sha256 -C "OpenWrt OpenSSH Client RSA" -f ~/.ssh/openwrt_2r
       
      # Generate ED25519 #
      ssh-keygen -o -t ed25519 -E sha256 -C "OpenWrt OpenSSH Client ED25519" -f ~/.ssh/openwrt_2e
       
      # Generate 256-bit ECDSA (nistp256) #
      ssh-keygen -o -b 256 -t ecdsa -E sha256 -C "OpenWrt OpenSSH Client ECDSA" -f ~/.ssh/openwrt_2ec
       
      # Ensure Correct Permissions #
      chmod 700 ~/.ssh
      chmod 600 ~/.ssh/openwrt_2r ~/.ssh/openwrt_2e ~/.ssh/openwrt_2ec
    2. Windows (Win32-OpenSSH, run from cmd):

      create-client-keys.cmd
      @echo off
       
      set ids=%UserProfile%\.ssh\ids
      
      :: Make .ssh and ids directories ::
      mkdir %ids%\local %ids%\pub && cd %ids%\local
      
      :: Generate 2048-bit RSA ::
      ssh-keygen -o -b 2048 -t rsa -E sha256 -C "OpenWrt OpenSSH Client RSA" -f .\openwrt_2r
      
      :: Generate ED25519 ::
      ssh-keygen -o -t ed25519 -E sha256 -C "OpenWrt OpenSSH Client ED25519" -f .\openwrt_2e
      
      :: Generate 256-bit ECDSA (nistp256) ::
      ssh-keygen -o -b 256 -t ecdsa -E sha256 -C "OpenWrt OpenSSH Client ECDSA" -f .\openwrt_2ec
      
      :: Move Public Keys ::
      move .\*.pub %ids%\pub
      
      :: Fix Private Key Permissions: stop inheriting ACEs, drop the broad ones, grant only the current user ::
      icacls %ids% /c /t /inheritance:d
      icacls %ids% /c /t /remove Administrator BUILTIN\Administrators Everyone System Users
      icacls %ids%\local\* /c /t /grant %username%:F
    3. PuTTY:
      1. Open PuTTYgen
      2. For each key type below, select it in the Parameters section, click Generate and follow the on-screen instructions (move the mouse over the blank area to gather randomness):
        1. RSA: RSA with 2048 bits
        2. ECDSA: ECDSA with nistp256
        3. ED25519: ED25519
      3. Afterwards, give each key a unique comment
      4. A strong key passphrase is recommended, but is user preference
      5. Save the private key (.ppk). For the router, copy the text from the box labelled "Public key for pasting into OpenSSH authorized_keys file"; the Save public key button writes the RFC 4716 format, which sshd does not read from authorized_keys

  2. Once client keys have been generated, their public keys must be added to the router's ~/.ssh/authorized_keys (/root/.ssh/authorized_keys for root). Note that Dropbear reads /etc/dropbear/authorized_keys instead, so keys that already work with Dropbear must be copied over as well; sshd ignores the Dropbear file.
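
The following added example (not part of the original page) performs step 2 on the router: it merges the client .pub files and the keys Dropbear already trusts into the OpenSSH authorized_keys file, skipping keys that are already present (compared by type and key blob, so a changed comment does not create a duplicate) and rejecting lines that are not keys. It assumes only the stock locations /etc/dropbear/authorized_keys and /root/.ssh/authorized_keys; the key blobs in the demo are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki page. Dropbear reads
# /etc/dropbear/authorized_keys; sshd reads ~/.ssh/authorized_keys
# (/root/.ssh/authorized_keys for root). Both paths are assumptions about a
# stock OpenWrt install; every path can be passed explicitly.

# Print "type blob" for a line that looks like an OpenSSH public key of an
# accepted type (leading options such as restrict,command="..." are skipped);
# print nothing for anything else.
key_identity() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-ed25519|ecdsa-sha2-nistp(256|384|521)|ssh-rsa)$/) {
                    if (i < NF && $(i + 1) ~ /^[A-Za-z0-9+\/]+=*$/)
                        print $i, $(i + 1)
                    exit
                }
            }
        }'
}

# merge_authorized_keys TARGET SOURCE...: append every key from the sources
# that is not already in TARGET, fix permissions, print the number added.
merge_authorized_keys() {
    target=$1; shift
    dir=$(dirname "$target")
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -e "$target" ] || : > "$target"
    chmod 600 "$target"

    # Identities already trusted, one "type blob" per line.
    existing=$(mktemp)
    while IFS= read -r line || [ -n "$line" ]; do
        key_identity "$line"
    done < "$target" > "$existing"

    added=0
    for src in "$@"; do
        if [ ! -r "$src" ]; then
            echo "skipping unreadable $src" >&2
            continue
        fi
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in ''|'#'*) continue ;; esac
            id=$(key_identity "$line")
            if [ -z "$id" ]; then
                echo "ignoring non-key line in $src: $line" >&2
                continue
            fi
            grep -qxF -- "$id" "$existing" && continue
            printf '%s\n' "$line" >> "$target"
            printf '%s\n' "$id" >> "$existing"
            added=$((added + 1))
        done < "$src"
    done
    rm -f "$existing"
    echo "$added"
}

# Number of key lines in an authorized_keys file.
count_keys() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$(key_identity "$line")" ] && n=$((n + 1))
    done < "$1"
    echo "$n"
}

# Usage on the router: sh merge-authorized-keys.sh /etc/dropbear/authorized_keys /tmp/*.pub
# (target overridable with AUTHORIZED_KEYS). Without arguments a demo runs on
# constructed data: the first key is already trusted by Dropbear and is also
# offered as a .pub, so only two distinct keys end up in the target.
if [ $# -gt 0 ]; then
    merge_authorized_keys "${AUTHORIZED_KEYS:-/root/.ssh/authorized_keys}" "$@"
else
    demo=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERBLOB0001 laptop\n' > "$demo/dropbear_authorized_keys"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERBLOB0001 laptop\n' > "$demo/openwrt_2e.pub"
    printf 'restrict ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDERBLOB0002 workstation\nnot a key\n' > "$demo/openwrt_2r.pub"
    merge_authorized_keys "$demo/root/.ssh/authorized_keys" \
        "$demo/dropbear_authorized_keys" "$demo/openwrt_2e.pub" "$demo/openwrt_2r.pub"
    cat "$demo/root/.ssh/authorized_keys"
    rm -rf "$demo"
fi
```

Copy the .pub files to the router over the Dropbear session on port 2222 first, then run the script with their paths; a re-run adds nothing, so it is safe to repeat after generating more client keys.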

Configs

sshd_config

See the sshd_config(5) man page for every keyword used below.

create-sshd_config.sh
#!/bin/sh
 
# Backup Current Config #
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
 
# Apply New Config #
echo '#
 
 ##::[[---  OpenWrt OpenSSH SSHd Config  ---]]::##
 
####################################################
           ##----- Global Options -----##
####################################################
 
 
    # Connection #
#---------------------------------------------------
Port                              = 22
 
AddressFamily                     = inet
 
 
    # Encryption #
#--------------------------------------
# Only protocol 2 exists in current OpenSSH; the old Protocol keyword is obsolete.
 
# %h is the home directory of the user logging in (/root for root).
AuthorizedKeysFile                = %h/.ssh/authorized_keys
 
# HostKey takes a literal path (no %-tokens); these are the files that
# create-host-keys.sh writes.
HostKey                           = /etc/ssh/ssh_host_rsa_key
HostKey                           = /etc/ssh/ssh_host_ed25519_key
HostKey                           = /etc/ssh/ssh_host_ecdsa_key
 
 
    # Authentication #
#--------------------------------------
AllowUsers                        = root
AllowGroups                       = root
 
ChallengeResponseAuthentication   = no
PasswordAuthentication            = no
PermitEmptyPasswords              = no
 
StrictModes                       = yes
PubkeyAuthentication              = yes
 
LoginGraceTime                    = 30
 
MaxAuthTries                      = 3
MaxSessions                       = 10
MaxStartups                       = 3:30:10
 
PermitRootLogin                   = prohibit-password
 
 
    # Reliability #
#---------------------------------------------------
ClientAliveCountMax               = 3
ClientAliveInterval               = 600
 
TCPKeepAlive                      = yes
 
UseDNS                            = yes
 
 
 
   # Security #
#--------------------------------------
# Forwarding and tunnelling are enabled because the router is the admin
# jump point. With GatewayPorts clientspecified a client may bind a remote
# forward on all router interfaces; set it to no if the router has a public
# address and you do not need that.
AllowAgentForwarding              = yes
AllowTcpForwarding                = yes
X11Forwarding                     = yes
 
GatewayPorts                      = clientspecified
PermitTunnel                      = yes
 
Subsystem sftp /usr/lib/sftp-server
 
RekeyLimit                        = 500M 60m
 
 
    # Logging #
#--------------------------------------
PrintLastLog                      = yes
 
SyslogFacility                    = AUTH
LogLevel                          = VERBOSE
 
PidFile                           = /tmp/run/sshd.pid
 
 
    # Ciphers and ReKeying #
#--------------------------------------
FingerprintHash                   = sha256
 
# AEAD and CTR modes only. CBC modes (and rijndael-cbc@lysator.liu.se, an
# alias of aes256-cbc) are disabled by default in current OpenSSH.
Ciphers                           = chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 
# ssh-rsa means RSA with SHA-1 signatures (refused by default since 8.8);
# rsa-sha2-256/512 use the same RSA keys with SHA-2.
HostKeyAlgorithms                 = ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
 
# HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes are the older names of
# HostbasedAcceptedAlgorithms and PubkeyAcceptedAlgorithms; both spellings work.
HostbasedAcceptedKeyTypes         = ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
 
KexAlgorithms                     = curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
 
MACs                              = hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
 
PubkeyAcceptedKeyTypes            = ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
' > /etc/ssh/sshd_config
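
An added example (not from the original page or the OpenWrt project) that audits the generated file before sshd is restarted: it normalises the Keyword = Value syntax, then flags password logins, CBC ciphers, SHA-1 signature and key-exchange algorithms, and HostKey paths that do not exist or are readable by others. The keyword and algorithm names are OpenSSH's own; the weak and hardened configs at the bottom are constructed samples, and the host key file the hardened sample points at is an empty placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki page: audit an sshd_config in the
# "Keyword = Value" style before sshd is (re)started. Needs sh, awk, sed, ls
# and mktemp only; no sshd binary is required.

# Emit "keyword value" lines: comments/blank lines dropped, the optional "="
# separator removed, keyword lowercased (sshd matches keywords case-insensitively).
normalize_config() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/^\([A-Za-z0-9]*\)=/\1 = /' "$1" |
        awk 'NF >= 2 { k = tolower($1); $1 = ""; sub(/^[ \t]*=?[ \t]*/, ""); print k, $0 }'
}

# Effective value of a keyword in a normalized file: first match wins, as in
# sshd; empty when unset.
config_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# One line per weak setting; nothing for a clean config.
sshd_config_findings() {
    norm=$(mktemp)
    normalize_config "$1" > "$norm"

    [ "$(config_get "$norm" passwordauthentication)" = "no" ] ||
        echo "PasswordAuthentication is not no: passwords can be brute-forced"

    case "$(config_get "$norm" permitrootlogin)" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin lets root log in with a password" ;;
    esac

    # CBC modes (rijndael-cbc@lysator.liu.se is an alias of aes256-cbc) are
    # off by default in current OpenSSH; listing them turns them back on.
    case ",$(config_get "$norm" ciphers)," in
        *-cbc*|*rijndael*) echo "Ciphers lists a CBC cipher" ;;
    esac

    # ssh-rsa = RSA with SHA-1 signatures, refused by default since OpenSSH 8.8;
    # rsa-sha2-256/512 use the same keys with SHA-2.
    for kw in hostkeyalgorithms pubkeyacceptedkeytypes pubkeyacceptedalgorithms \
              hostbasedacceptedkeytypes hostbasedacceptedalgorithms; do
        case ",$(config_get "$norm" "$kw")," in
            *,ssh-rsa,*) echo "$kw lists ssh-rsa (SHA-1 signatures)" ;;
        esac
    done

    case ",$(config_get "$norm" kexalgorithms)," in
        *sha1*) echo "KexAlgorithms lists a SHA-1 key exchange" ;;
    esac

    # HostKey is a literal path (sshd expands no %-tokens in it) and the
    # private key must be readable by root only.
    awk '$1 == "hostkey" { print $2 }' "$norm" | while IFS= read -r hk; do
        if [ ! -f "$hk" ]; then
            echo "HostKey $hk does not exist"
        elif [ "$(ls -ld "$hk" | cut -c5-10)" != "------" ]; then
            echo "HostKey $hk is readable by group or others"
        fi
    done
    rm -f "$norm"
}

# Number of findings as an integer (always exits 0).
count_findings() {
    sshd_config_findings "$1" | awk 'END { print NR }'
}

# Constructed sample: password login, CBC ciphers, ssh-rsa and a HostKey path
# with a token sshd will not expand.
write_weak_config() {
    cat > "$1" <<'EOF'
Port                   = 22
HostKey                = /%u/.ssh/ssh_host_rsa_key
PasswordAuthentication = yes
PermitRootLogin        = yes
Ciphers                = aes128-ctr,aes128-cbc,aes256-gcm@openssh.com,rijndael-cbc@lysator.liu.se
HostKeyAlgorithms      = ecdsa-sha2-nistp256,ssh-ed25519,ssh-rsa
PubkeyAcceptedKeyTypes = ssh-ed25519,ssh-rsa
KexAlgorithms          = curve25519-sha256,diffie-hellman-group-exchange-sha256
EOF
}

# Constructed sample: the corrected config. $2 names the host key file; an
# empty placeholder (not a real key) is created there with mode 600.
write_hardened_config() {
    : > "$2" && chmod 600 "$2"
    cat > "$1" <<EOF
Port                   = 22
HostKey                = $2
PasswordAuthentication = no
PermitRootLogin        = prohibit-password
Ciphers                = chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
HostKeyAlgorithms      = ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
PubkeyAcceptedKeyTypes = ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
KexAlgorithms          = curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
EOF
}

# Usage: sh audit-sshd_config.sh /etc/ssh/sshd_config
# Without an argument the two constructed samples are audited instead.
if [ $# -ge 1 ]; then
    sshd_config_findings "$1"
else
    work=$(mktemp -d)
    write_weak_config "$work/weak"
    write_hardened_config "$work/hardened" "$work/ssh_host_ed25519_key"
    echo "weak config:";     sshd_config_findings "$work/weak"
    echo "hardened config:"; sshd_config_findings "$work/hardened"
    rm -rf "$work"
fi
```

Run it against /etc/ssh/sshd_config after the script above; an empty report plus a clean sshd -t is the signal to restart sshd. It deliberately reports only settings whose weakness does not depend on the deployment; forwarding, GatewayPorts and UseDNS are policy choices the audit leaves to you.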

ssh_config

See the ssh_config(5) man page for every keyword used below.

create-ssh_config.sh
#!/bin/sh
 
# Backup Current Config (if one exists) #
mkdir -p ~/.ssh && chmod 700 ~/.ssh
[ -f ~/.ssh/config ] && cp ~/.ssh/config ~/.ssh/config.bak
 
# Apply New Config #
echo '#
 
    ##::[[---  OpenWrt OpenSSH Config  ---]]::##
 
####################################################
               ##----- Custom -----##
####################################################
 
UserKnownHostsFile                = ~/.ssh/known_hosts
 
 
####################################################
              ##----- Options -----##
####################################################
 
    # Connection #
#---------------------------------------------------
AddressFamily                     = inet
 
 
    # Encryption #
#---------------------------------------------------
RekeyLimit                        = 500M 60m
 
 
    # Authentication #
#---------------------------------------------------
ChallengeResponseAuthentication   = no
KbdInteractiveAuthentication      = no
PasswordAuthentication            = no
 
PreferredAuthentications          = publickey
PubkeyAuthentication              = yes
AddKeysToAgent                    = ask
 
 
    # Reliability #
#---------------------------------------------------
TCPKeepAlive                      = yes
 
 
    # Security #
#---------------------------------------------------
# Agent and X11 forwarding apply to every host here; a compromised server can
# use the forwarded agent to authenticate as you elsewhere. Prefer no here and
# yes inside the Host blocks of servers you trust.
ForwardAgent                      = yes
ForwardX11                        = yes
 
GatewayPorts                      = no
 
HashKnownHosts                    = yes
StrictHostKeyChecking             = ask
 
 
    # Logging #
#---------------------------------------------------
SyslogFacility                    = AUTH
LogLevel                          = VERBOSE
 
 
    # Environment #
#---------------------------------------------------
 
  # Disabled:
    ## PermitUserRC               = yes
 
 
    # Ciphers and ReKeying #
#---------------------------------------------------
FingerprintHash                   = sha256
 
# Same algorithm policy as sshd_config: no CBC modes, no SHA-1 (ssh-rsa) signatures.
Ciphers                           = chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 
HostKeyAlgorithms                 = ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
 
HostbasedAcceptedKeyTypes         = ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
 
KexAlgorithms                     = curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
 
MACs                              = hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
 
PubkeyAcceptedKeyTypes            = ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
 
 
####################################################
               ##----- Hosts -----##
####################################################
 
  # Examples (%d = local home directory, %h = remote host name, %r = remote user):
 
    # WRT1900ACS #
#---------------------------------------------------
#Host                              ACS
#  Hostname                        OpenWrt.LAN
#  Port                            22
#  User                            root
#  IdentityFile                    %d/.ssh/ids/local/%h/%r/WRT1900ACS_2r
 
#Host                              ACSr
#  Hostname                        192.168.1.1
#  Port                            22
#  User                            root
#  IdentityFile                    %d/.ssh/ids/local/%h/%r/WRT1900ACS_2r
 
#Host                              ACSR
#  Hostname                        192.168.1.1
#  Port                            2222
#  User                            user1
#  IdentityFile                    %d/.ssh/ids/local/%h/%r/WRT1900ACS_2r
' > ~/.ssh/config
 
# Link System Wide Config: point /etc/ssh/ssh_config at this file so the same
# client settings apply to every local user #
ln -sf ~/.ssh/config /etc/ssh/ssh_config

Enable & Start

  1. Ensure Install & Configure → Client → #2 has been completed; with PasswordAuthentication set to no, a missing authorized_keys entry locks you out of sshd

  2. Check that the configuration parses (sshd -t prints nothing on success), then enable & start OpenSSH:
    /etc/init.d/sshd enable && /etc/init.d/sshd start
  3. Reconnect to your router via SSH on port 22 with one of the new client keys.
    1. If unable to authenticate, SSH in via Dropbear on port 2222 and check the system log with logread; sshd logs to the AUTH facility at VERBOSE level, which includes the fingerprint of every key the client offered

  4. Finally, reboot and verify OpenSSH works as intended

Disable Dropbear

  1. Only after confirming OpenSSH works without issue following a reboot, disable Dropbear:
    /etc/init.d/dropbear disable && /etc/init.d/dropbear stop

Reinstate SCP Functionality

openssh-server does not provide SCP functionality like dropbear does: the scp binary that the legacy scp protocol needs on the server side is in the openssh-client package, so install that if your clients still use it. Note that since OpenSSH 9.0 the scp client transfers files over SFTP by default, which needs only the openssh-sftp-server package installed above; that package also serves sftp and SSHFS clients, so you can choose to use SFTP instead.

docs/guide-user/services/ssh/openssh.server.txt · Last modified: 2018/07/16 04:13 by ziginox