OpenWrt Forum Archive

Topic: PublicKey authenticated SSH /FROM/ OpenWRT

The content of this topic has been archived on 1 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I'd like to ssh FROM my router to my desktop without using a password so I can script things on the router. I can do the reverse just fine by following the instructions on the wiki.

I've tried adding the contents of `nvram get eou_public_key` to my local ~/.ssh/authorized_keys prefacing it with both ssh-rsa and ssh-dsa and suffixing it with root@OpenWrt, but that doesn't work. I've also tried using dropbearkey on both /etc/dropbear/dropbear_rsa_host_key and dropbear_dsa_host_key to generate the public key using what I believe are my current private keys, but that hasn't worked either.

What has worked is something I'm not too keen on as it requires me to share the private key of a local user account.

I logged in as the samba user (has limited rights) and made an identity file by issuing the command on my desktop:
su samba
ssh-keygen -t rsa

Then I made that identity authorized to access my desktop by doing
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
I then scp'd the ~/.ssh/id_rsa private key file it created to my router.

Then on the router, I had to convert that to a format dropbear would use. Do that with
dropbearconvert openssh dropbear id_rsa /etc/dropbear/samba_identity

I can now ssh, scp, shfsmount, etc into my local computer by using the identity file without worry of plain text passwords:
ssh -i /etc/samba_identity samba@192.168.1.2

Has anone gotten this working without the need for an identity file?

[Edit] Spelling mistake, and confusing sentence

(Last edited by bobpaul on 8 Feb 2006, 22:31)

Hi,

I've been trying to do this also.

In fact you don't need to share the private key of a local user account. Yes, you must have a user account to login from the router, but you can have a private key dedicated to the router.
So,
on the router :
- a private key : generated by dropbear or converted from openssh, stored in '/etc/dropbear/dopbear_rsa_host_key'
- the public key from the _desktop__host_ (ie the one from '/etc/ssh/id_rsa.pub') in '/tmp/.ssh/known_hosts' to avoid the message '...is not a known host...(y/n)?'... I think it is better to store it elsewhere ('/etc/dropbear/') and copy it there at boot time ('/etc/init.d/S50dropbear'), otherwise it will be lost during a reboot.

on the desktop user account :
- the public key from the router in '~/.ssh/authorized_keys'.
you can generate it with dropbear using :

dropbearkey -y -f /etc/dropbear_rsa_host_key | grep ssh-rsa > /tmp/dropbear_rsa_host_key.pub

Then you can add root@$router_hostname at the end of the line so the file looks like 'ssh-rsa $key root@router_hostname'
Just add the content of this file to '~/.ssh/authorized_keys' and your router will be authorized when accessing with 'ssh -i /etc/dropbear/dopbear_rsa_host_key $user@$desktop'

It seems that dropbear doesn't use public key authentication without the '-i' option' in the command line, so it is really needed.

let's go scripting now !

Thanks for this small how-to - it helped me a lot right now...

gojoors wrote:

It seems that dropbear doesn't use public key authentication without the '-i' option' in the command line, so it is really needed.

Yes, but I added an alias for it in /etc/profile:

alias ssh='ssh -i /etc/dropbear/dropbear_rsa_host_key'

or

alias ssh='ssh -i /etc/dropbear/dropbear_dss_host_key'

if you prefere dss :P

with this you can use the ssh command just as if you had your $HOME/.ssh/id-*.pub

ssh user@host

=)

The discussion might have continued from here.