OpenWrt Forum Archive

Topic: [Howto] Dropbear with public key authentication

The content of this topic has been archived on 30 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Dropbear with public key authentication

1. Create a public key pair on your Linux box

ssh-keygen -t dsa

2. Transmit the public key to your OpenWrt router with scp

scp ~/.ssh/id_dsa.pub root@192.168.1.1:/tmp

3. Create the authorized_keys file

cd /etc/dropbear
cat /tmp/id_*.pub >> authorized_keys
chmod 0600 authorized_keys

4. Connect to the OpenWrt router with the public key

ubuntu@ubuntu-laptop:~$ ssh root@192.168.1.1

5. Disable password logins (using UCI)

uci set dropbear.cfg1.PasswordAuth=off
uci commit dropbear && reboot

To change dropbear's default port do:

uci set dropbear.cfg1.Port=<port_num>
uci commit dropbear && reboot

(Last edited by forum2006 on 21 Jul 2007, 13:24)

I would like to expand a little on Point 1, the creation of DSA keys.

I normally have logcheck process my logs, and it does so hourly via cron as the logcheck user. 

The logcheck user is a virtual user, it exists solely to own some files, and to be a user to process logs.  In the /etc/passwd file, it shows that the login shell that logcheck gets is /bin/false.  The postgres user is one which can get a shell, but can never login (no passwords are accepted).  To do work as the postgres user, the root user needs to 'su' to the postgres user.  This same process doesn't work with the logcheck user, as the login shell is /bin/false.

While there are other ways to accomplish key generation, what I did was run the 'chsh' program to give logcheck a real shell.  The root user could then 'su' to the logcheck user.  The home directory for logcheck is defined to be /var/lib/logcheck, which is fine for what needs to be done.  As noted in the original posting, you run the ssh-keygen program for DSA keys (-t dsa).  Don't use a passphrase (just hit return, twice I believe).  All dsa keys are the same size, so you don't get asked anything about that.  As mentioned above, copy this newly created dsa pub key to the OpenWRT device, and then append that file to the authorized_keys file for dropbear.  Stop being the logcheck user by exiting the shell logcheck is running (exit should work, a single Control-D is end-of-file, which is what I normally do).  Finally, run 'chsh' again (as the root user now), to change the login shell for logcheck back to /bin/false.

This should allow cron processes run by the logcheck user to login to OpenWRT using public key authentication using SSH2.

The discussion might have continued from here.