OpenWrt Forum Archive

Topic: openssh vs dropbear

The content of this topic has been archived on 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

hey all, I've got a question about keyfiles produced by dropbear (eck!). 

I have openwrt 0.9 installed with all the latest packages I can find.  I also have an off-site server that employs the rsync utility under windows to upload data.  I've created rsa keyfiles and successfully automated my backups by adding their keys to the authorized_keys file on the off-site server.  However, when attempting to add the dropbear keyfile, it's not in the right format.  It doesn't produce a usable keyfile with the openssh system the rsync server uses.

So I've battled back and forth with this for a while, trying to use dropbearconvert, copying the text output to a .txt file and using

cat untitled.txt >> authorized_keys

To no avail.  I'm almost about to give up hope that this is possible with the fact openwrt uses dropbear instead of openssh.  Does anyone know how to get this to work or perhaps has had an experience similar to mine? (Or for that matter, know of a forum somewhere where there is a solution?)

i've googled this and come up with nothing, maybe it was my keywords...

It also could be that I don't have my keyfile created by dropbear in the right place! Where do I need to place the keyfile on my end for this to work without me having to enter a password to login every time?

I feel like this topic is a shunned subject.  I can't find anything related to what I'm trying to do in the forums or googled, this seems to be an on-going error other people have posted about before but no one has resolved.  I am trying to ssh to my router from my pc, then *from* the router to another off-site server that uses openssh.  The reason behind this is I need to fingerprint my router so it can login to the off-site without the need for a password, similar to how you would if you wanted to login to the router from your pc.

I have no /etc/ssh folder, /etc/dropbear has some files in it that I'm not sure how to modify or even use for that matter...

I've installed the openssh packages but found no documentation as to where they create files, what utilities are inside the package, etc.
Obviously I'm new to this whole idea of packages.  Could anyone point me in the right direction? Anyone?

Correct me if I'm wrong, but that appears to be a documentation file on how to login to your *router* from your *pc* without a password...

I'm not trying to connect to my router without a password, I'm trying to connect from the router to another server off-site.

Alright, so normally this is what I would do on a Windows machine so I can clarify a little better (this is directly from the server's documentation):

1. Log in, on your local system, AS THE USER you wish to make passwordless ssh connections

2. run the following:

    ssh-keygen -t rsa

    Accept the defaults - do not change the filenames or file locations
    It is very important that the resultant private and public keys reside in your
    home directories .ssh directory, or ~/.ssh (which is the default)

    DO NOT enter a passphrase - just hit enter twice, leaving an empty passphrase.

3. Upload your public key to your filesystem:

    scp ~/.ssh/

    DO NOT change the permissions on the uploaded file, before or after the upload
    DO NOT change the permissions on your home directory, or your .ssh directory
    NOTE: 1234@usw-s017 is most certainly NOT your login ID or hostname - please change them.

4. Test that your key works by ssh'ing to your filesystem (from your local system, as the
   user who created/uploaded the key):


    You should not be asked for a password

Now, this has worked flawlessly for every Windows machine I've done this on.  However, my company utilizes smaller scale lighttpd servers and we wish to back up the web files to our file server.  Unfortunately, they use openssh and openwrt comes with the default of dropbear (eck).  The above steps are used for the first public key added, and below here is where they talk about multiple keys.

1. For the first user on the first computer system, follow the instructions above exactly.

2. For each subsequent user (possibly on different computer systems), replace step #3 above with
   this instead:

    Download the authorized_keys file from your account to the system you are working on:

        scp ~/.ssh

    APPEND your newly created public key to the just-downloaded authorized_keys file:

        cat ~/.ssh/ >> ~/.ssh/authorized_keys

    Re-upload the authorized_keys file to your account:

        scp ~/.ssh/authorized_keys

    Optionally, you may now delete the local copy of authorized_keys you just downloaded:

        rm -rf ~/.ssh/authorized_keys

    This will overwrite the remote copy with the new, just-appended copy.  At this point you
    may also safely delete the authorized_keys file on your local system, as it is not needed.

3. Repeat this process for each user until you have a fully populated authorized_keys file in your


Since I've already said I'm not savvy with keyfiles and don't understand much more than how to follow these directions here... dropbearconvert seems to produce unusable ssh keyfiles and dropbearkey only creates a private keyfile while outputting the public on the screen (stupid IMO), I'm stuck.

So for future reference in case anyone else comes across this same problem, this is what I've done:

I've used dropbearkey -t rsa -f id_rsa to create a dropbearkey.  It prints the public key on the screen instead of in another file (stupid, IMO).  I copy the public key with CTRL+C, paste it into a .txt file in Windows (because openwrt does not support pasting into an open vi session).  I used cat txt.txt >> authorized_keys (from the server in question), used winscp to upload the authorized_keys file to the server, and then used dropbearconvert to convert the private key to openssh format.

I have the private key in /etc/.ssh/ because I don't know where else to put it, and it still fails to accept my connection without prompting me for a password.  I've tried to -NOT- use dropbearconvert, I've tried creating a key on my windows machine (which wouldn't work, but nothing else did) and catting it, etc. following the whole process, I've tried using DSA instead of RSA (which wouldn't work).

So, it seems as if connecting to an openssh server from an openwrt router without being prompted for a password just isn't possible.  I've contacted the server and inquired as to how to do this, and they've never had issues with someone using dropbear before.  They asked me whether or not I could use an openssh utility to create my keyfile, and I said I don't know -- the packages don't come with a manual or anything and the scripts/programs I've found on my router by cd'ing into every directory seem to lack any sort of keygen utility. 

Oh, and uninstalling dropbear locked me out of my router, causing me to reflash due to a port 22 refusal when I ssh in.  Telnet did not work, neither did RAW.  I -DID- have web admin console access, and that's the only reason I was able to still re-flash.

So I guess my final questions before I give up this project are:

(1) Do I have my private keyfile in the correct spot? (/etc/.ssh/)
(2) IS there a keygen utility inside the ipkg 'openssh-client-utils' that will create a keyfile?
(3) Is there any manual page besides the wiki linked above that details the contents of these openssh packages available?

Thank you for your time, obviously I'm hitting my head on the wall and its starting to get bloody.

So I've converted my dropbear_rsa_host_key inside the /etc/dropbear/ folder to openssh which didn't do squat.  I removed it and replaced it with the generated id_rsa file from earlier (converted from dropbear format), renamed it and still have the same problem.

I tried using ssh -i id_rsa root@host like was mentioned in a previous thread, tried making an alias for it and still get absolutely no changes in what is happening.

I've got my private keyfile (openssh format) in these locations:


Still nothing.

OpenWrter wrote:

I tried using ssh -i id_rsa root@host like was mentioned in a previous thread, tried making an alias for it and still get absolutely no changes in what is happening.

Here's what works for me on RC5:

- Use dropbearkey to generate a key:

root@OpenWrt:~# dropbearkey -t rsa -f id_rsa
Will output 1024 bit rsa secret key to 'id_rsa'
Generating key, this may take a while...
Public key portion is:
ssh-rsa AAAAB3Nza[...]
Fingerprint: md5 ca:e8:f0:b7:f6:7b:c2:b6:b9:71:e4:45:86:a9:ff:b8

- Copy and paste the key (I left off the fingerprint) on the server into ~/.ssh/authorized_keys.  Make sure this is a single line in this file, i.e. your editor does not automatically insert a line break.
- From the router, ssh with -i:

root@OpenWrt:~# ssh -i id_rsa roy@
Last login: Sat Aug 11 09:49:26 2007 from

roy@localhost ~


Yeah, that worked.  I had tried this before but must have had the id_rsa file in the wrong place.

For anyone who's having the same problem that I've had above, rhash has the right idea.  Copy and paste the printed ssh-rsa key into your authorized_keys file (on whatever box you want, could be windows, could be linux), re-upload it to the openssh server and use

ssh -i id_rsa root@host

to login.

The discussion might have continued from here.