I would like to expand a little on Point 1, the creation of DSA keys.
I normally have logcheck process my logs, and it does so hourly via cron as the logcheck user.
The logcheck user is a virtual user, it exists solely to own some files, and to be a user to process logs. In the /etc/passwd file, it shows that the login shell that logcheck gets is /bin/false. The postgres user is one which can get a shell, but can never login (no passwords are accepted). To do work as the postgres user, the root user needs to 'su' to the postgres user. This same process doesn't work with the logcheck user, as the login shell is /bin/false.
While there are other ways to accomplish key generation, what I did was run the 'chsh' program to give logcheck a real shell. The root user could then 'su' to the logcheck user. The home directory for logcheck is defined to be /var/lib/logcheck, which is fine for what needs to be done. As noted in the original posting, you run the ssh-keygen program for DSA keys (-t dsa). Don't use a passphrase (just hit return, twice I believe). All dsa keys are the same size, so you don't get asked anything about that. As mentioned above, copy this newly created dsa pub key to the OpenWRT device, and then append that file to the authorized_keys file for dropbear. Stop being the logcheck user by exiting the shell logcheck is running (exit should work, a single Control-D is end-of-file, which is what I normally do). Finally, run 'chsh' again (as the root user now), to change the login shell for logcheck back to /bin/false.
This should allow cron processes run by the logcheck user to login to OpenWRT using public key authentication using SSH2.
