Hello folks,

after some tries I decided to ask here:
does the dropbear build found on http://openwrt.ksilebo.net/ipkg support pulic key authentication? If so, where to put authorized_keys and what type should the keys be of? I tried rsa and dsa in several directories, including ~/.ssh, to no avail.

Hi,

Dropbear does support it.
Check yor home directory of root in /etc/passwd in standrd openwrt it is /tmp/

Then put your authorized_keys file in /tmp/.ssh/ as usual.

Mine start with ssh-rsa and is working.

Greetings,
Fabe

That's exactly what I tried first. Well, for some reason, it does not work for me - dropbear does not accept PK authentication.

Any ideas on how to troubleshoot this situation? Dropbear seems to be compiled without logging support, at least it does not write any messages to the log or anywhere else.

See if roots home and all directories above (including /) are owned by root. Some packages change the owner of /, which prevents dropbear from working.

Simply try a "chown root:root /" and see if it helps.

Well, to close the discussion, I found a way how to get it to work:

- keys must be DSA
- the ~/.ssh directory has to be chmod 700
- authorized_keys and authorized_keys2 must be present
- the key files must be chmod 600

the ~/.ssh directory may be a symlink, as well as the key files, so what I did was

[precreate id_dsa and id_dsa.pub by ssh-keygen -t dsa and copy id_dsa.pub to the OpenWRT box]

mkdir /etc/.ssh
chmod 700 /etc/.ssh
cp id_dsa.pub /etc/.ssh/authorized_keys
chmod 600 /etc/.ssh/authorized_keys

ln -s /etc/.ssh/authorized_keys /etc/.ssh/authorized_keys2

echo -e "#!/bin/sh\n\nln -s /etc/.ssh /tmp/.ssh">/etc/init.d/S55sshpubkeyfix

chmod 755 /etc/init.d/S55sshpubkeyfix

I have the following permissions, and it works fine (using DSA-keys):

wrt45g [~]# ls -ald / /root /root/.ssh /root/.ssh/*
drwxr-xr-x    1 root     root            0 Jul  4 12:13 /
drwxr-xr-x    1 root     root            0 Jul  2 18:31 /root
drwxr-xr-x    1 root     root            0 Jul  2 18:14 /root/.ssh
-rw-r--r--    1 root     root          607 Jan  1  2000 /root/.ssh/authorized_keys
lrwxrwxrwx    1 root     root           17 Jul  2 18:14 /root/.ssh/known_hosts -> /tmp/.known_hosts

If you use OpenSSH to log into your WRT, it's very simple. Log in to your box with the following command:

ssh -v <OpenWRT Box>

and your OpenSSH client should tell you, what dropbear doesn't like. The dropbear binary is complied (at least mine is) with logging so stderr. If you modify the S50services like this:

/usr/bin/dropbear 2>/tmp/dropbear.log

you will get dropbear logging in /tmp/dropbear.

Just in case someone wants a new host-key already inside the bin images, for example when building multiple images:

my customize.mk:

CUST_DIR:=$(SOURCE_DIR)/customize
ROOT_DIR:=$(BUILD_DIR)/root

customize:
        cp -af $(CUST_DIR)/* $(ROOT_DIR)/
        rm -f $(CUST_DIR)/etc/dropbear/dropbear_dss_host_key
        dropbearkey -t dss -f $(CUST_DIR)/etc/dropbear/dropbear_dss_host_key

Note that the current OpenWRT now expects the authorized_keys file in /etc/dropbear.  I'm putting this here because when I searched Google for "authorized_keys openwrt", this page came up first.  Hopefully the next person to do this will find this updated information. 

Of course the current docs also give this information.  Oops. 

  http://wiki.openwrt.org/OpenWrtDocs/Configuration

Yeah.  Me too.  The documentation mentioned above is now a broken link.  If anyone has a copy or reference to the equivalent documentation anywhere else, I'd appreciate it.  Sadly, Kamikaze has no hope of supporting remote flashing, so it's of no use to me, and I still need to maintain a bunch of WRTs.

The page is now found at http://oldwiki.openwrt.org/OpenWrtDocs( … ation.html
linking to http://oldwiki.openwrt.org/DropbearPubl … Howto.html for the dropbear config

I don't understand what's so difficult about maintaining stable URIs, but it's obviously not important to this project....

Bjørn