ASUS-Merlin Router to AIMesh Nodes - SSH Key Setup: Password(#19)-Passwordless(#16) or use Curl(#30)

JB_1366

I'm running this script manually on my node, and manually uploading node_upload.txt to my main router. Is there a way to automate the process, so I can just run my script on router to use node_upload.txt and apply results? A direct pull of variables would be great, if possible.
 
If you're running Merlin on the node couldn't you write a script that you execute on the router that would SSH into the node, run the script you pasted above, and have the output piped to a local file?
 
If you have a way, I'm listening. Gemini-AI tried for me for hours, would not ssh-authenticate between routers, and I tried with ssh-key and password. If router could ssh into node, I could bypass script and just pull wireless variables. ASUS might have it locked down.
 
Edit: FYI I just used Putty to SSH into my main router and then did command-line SSH to go from there into one of my nodes (main router is Merlin, node is Asus stock firmware), so it does work.
 
I can ssh into router, then from there to node, both running Merlin.

Make sure allow password login is enabled in the SSH config on the router.
 
GROK gave me an ssh program called EXPECT, worked perfectly. I can now extract wireless data on node automatically.
 

*** THREAD CLOSED ***
I'd suggest you lay out how you installed expect in case anyone runs across this thread in the future and wants to duplicate what you're doing.
 
EDIT: thanks to GROK(EXPECT) & GEMINI(CODING) - all automated.
 
Note passwordless ssh login of the nodes is possible but it takes some extra steps such as creating a ssh key pair and then putting the public key in the "Authorized Keys" field in the UI. This info is then distributed to the nodes.
 
Are there any simple steps written down anywhere for this already (I could use AI I guess).

I looked at doing it at one stage and saw it wanted to use an opkg package which I was a bit wary of as I didn’t want to stuff up my entware install, so I never got around to it. The need for it actually passed.
 
I just spent 2hrs with AI, couldn't get it to work.
 
Sorry, I can't find reference right now - I created them a while back. But from memory it was something like:
Code:
dropbearkey -t rsa -f ~/.ssh/id_rsa -s 3072

Note you have to save and restore the ~/.ssh directory after reboot since the home directory is in tmp.
 
OK ta. I asked my AI, might test it later.
Seems relatively straightforward.
 
Looks like it does want the private key as id_dropbear though. So need this too:
Code:
cp ~/.ssh/id_rsa ~/.ssh/id_dropbear
 
Try this. Maybe my AI is better than your AI... :-).

Preliminary Notes:
  1. This can be set up on any AiMesh system that has Merlin FW on the MAIN; the nodes can be running either AsusWRT-Merlin or Stock FW.
  2. All commands issued from MAIN (SSH using e.g. Putty).
  3. For edits of file contents I personally use WinSCP (not available for use with stock FW) and open the file directly in the dir by double-clicking it.
Step 1: Generate the security keys
Can skip if id_dropbear already exists in /jffs/.ssh
Code:
dropbearkey -t rsa -f /jffs/.ssh/id_dropbear
  • On modern FW, this should generate both id_dropbear AND id_dropbear.pub files.
  • It also prints out the full key on the SSH terminal (Putty) screen, along with a "Fingerprint:" line (which is NOT part of the key).
  • The full key starts with "ssh-rsa" and ends with "YourUserName@YourRouterName".
  • You can save it to a text file at this point (you can still retrieve it later from the file though).
For completeness (only), note that older FW with much older dropbear versions only saves the private key.
  • If id_dropbear.pub was NOT created automatically, simply run this second line to extract it:
Code:
dropbearkey -y -f /jffs/.ssh/id_dropbear | grep "^ssh-rsa" > /jffs/.ssh/id_dropbear.pub

Step 2: Add the public key (that you saved above) to Main via the WebGUI
Main GUI → Administration → System → Authorized Keys field.
Paste the key and click Apply. Merlin automatically distributes this to all nodes - no manual file copying needed.


Step 3: Add this line to the /jffs/scripts/services-start file on Main
Code:
cp /jffs/.ssh/id_dropbear /tmp/home/root/.ssh/id_dropbear

Step 4: Reboot
Reboot Nodes (i.e. issue this from within node ssh session only, NOT Main)
Code:
reboot
Or just use the WebGUI AiMesh menu, select Node, Management, Reboot Node.

Step 5: Create known host file
Issue these one at a time on MAIN; answer 'y' to each, as a one-off:
Code:
ssh -i /tmp/home/root/.ssh/id_dropbear USERNAME@Node1_IP "uptime"
ssh -i /tmp/home/root/.ssh/id_dropbear USERNAME@Node2_IP "uptime"
ssh -i /tmp/home/root/.ssh/id_dropbear USERNAME@Node3_IP "uptime"
etc...
NOTE: To get your node IP, either look at the UPLINK INFORMATION under the AiMesh, Network menu for the Node or (e.g.) issue:
Code:
grep -i "node\|ax86\|ax58" /var/lib/misc/dnsmasq.leases
Where your router is an ax86, ax6000, ax58, be92 or whatever model(s) you have; just modify or continue the list "node\|ax86\|ax58\|ax6000\|be92" etc.

NOTE: If you are not using port 22 for ssh then you must alter the command in step 5 above as follows:
Code:
ssh -i /tmp/home/root/.ssh/id_dropbear USERNAME@NodeX_IP -p PORTNUMBER "uptime"

Step 6: Save the generated hosts file to jffs
Once all nodes have been accepted (y), save the generated (normally temporary) "known_hosts" to jffs for persistence over reboots:
Code:
cp /tmp/home/root/.ssh/known_hosts /jffs/.ssh/known_hosts
Note: If using WinSCP, click refresh to check the known_hosts file is actually in /jffs/.ssh before issuing the command in the SSH terminal.

Step 7: Add a line to services-start to ensure persistence over reboots (and no y/n prompts on reboots)
Add this line to /jffs/scripts/services-start on Main (below the id_dropbear line you added in step 3):
Code:
cp /jffs/.ssh/known_hosts /tmp/home/root/.ssh/known_hosts

That's it, you're done.
HTH (and huge thanks to @rung for the guidance).

k.


==================================================================
Notes only:
==================================================================
 

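The steps above, pulled together as an added example (not code from the original post): a script for MAIN that restores the key and known_hosts from /jffs, finds the nodes in the dnsmasq leases and pulls per-client RSSI over key-based SSH, skipping any node whose host key was never accepted. NODE_USER, NODE_PATTERN and OUT are placeholder assumptions, the wl commands are the ones posted in this thread, and it assumes known_hosts lines begin with the node IP.

```shell
#!/bin/sh
# Added example for MAIN; run after Steps 1-7. Placeholder values are assumptions.
KEY_SRC=/jffs/.ssh/id_dropbear     # persistent private key (Step 1)
KH_SRC=/jffs/.ssh/known_hosts      # persistent accepted host keys (Step 6)
SSH_DIR=/tmp/home/root/.ssh        # volatile home directory, empty after reboot
LEASES=/var/lib/misc/dnsmasq.leases
NODE_USER=USERNAME                 # placeholder: router admin login
NODE_PATTERN='node|ax86|ax58'      # hostnames treated as nodes (Step 5 note)
OUT=/tmp/node_wireless.txt         # placeholder output file

# Print the IP (field 3) of each lease whose hostname (field 4) matches.
node_ips() {  # $1 = leases file, $2 = extended regex
    awk -v pat="$2" 'tolower($4) ~ tolower(pat) { print $3 }' "$1"
}

# Succeed only if the node's host key was already accepted (Step 5).
# Assumption: each known_hosts line starts with the host/IP as its first field.
host_known() {  # $1 = known_hosts file, $2 = node IP
    awk -v h="$2" '$1 == h { found = 1 } END { exit !found }' "$1"
}

# Runs on the node: client MAC and RSSI per wireless interface.
REMOTE_CMD='for i in wl0 wl1; do echo "=== $i clients ===";
  wl -i $i assoclist 2>/dev/null | while read -r tag mac; do
    echo "$mac RSSI: $(wl -i $i rssi $mac 2>/dev/null)"; done; done'

# Pull one node; skip it rather than hang on the y/n host-key prompt.
pull_node() {  # $1 = node IP
    if ! host_known "$SSH_DIR/known_hosts" "$1"; then
        echo "SKIP $1: host key not in known_hosts"; return 1
    fi
    echo "## node $1"
    ssh -i "$SSH_DIR/id_dropbear" "$NODE_USER@$1" "$REMOTE_CMD" </dev/null
}

main() {
    # Restore key material (Steps 3 and 7) with owner-only permissions.
    mkdir -p "$SSH_DIR" && chmod 700 "$SSH_DIR"
    cp "$KEY_SRC" "$SSH_DIR/id_dropbear" && chmod 600 "$SSH_DIR/id_dropbear"
    cp "$KH_SRC" "$SSH_DIR/known_hosts"
    : > "$OUT"
    for ip in $(node_ips "$LEASES" "$NODE_PATTERN"); do
        pull_node "$ip" >> "$OUT" 2>&1 || true
    done
}

if [ "${1:-}" = "run" ]; then main; fi
```

Invoke it with the argument `run`; without it the script only defines its functions. The private key in /jffs is an unencrypted root credential for the main router and every node, so keep it readable by its owner only.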
Try this. Maybe my AI is better than your AI... :-). Commands below for ease of copy paste.

I am assuming you tried this and it worked for you?

Edit: sorry, grumpy today. Looks like it does!
 
Try this. Maybe my AI is better than your AI... :-). Commands below for ease of copy paste.

As regards getting the RSSI values, I have a script which does that by leveraging the individual scripts (which do that) on each node.
You can DM for a copy but you can probably get your AI to write it for your system, using vibe-coding.

Step 1
Code:
dropbearkey -t rsa -f /jffs/.ssh/id_dropbear
dropbearkey -y -f /jffs/.ssh/id_dropbear | grep "^ssh-rsa" > /jffs/.ssh/id_dropbear.pub

Step 3
Code:
cp /jffs/.ssh/id_dropbear /tmp/home/root/.ssh/id_dropbear

Step 5 (one at a time; answer y as a one-off)
Code:
ssh -i /tmp/home/root/.ssh/id_dropbear USERNAME@Node1_IP "uptime"
ssh -i /tmp/home/root/.ssh/id_dropbear USERNAME@Node2_IP "uptime"
ssh -i /tmp/home/root/.ssh/id_dropbear USERNAME@Node3_IP "uptime"

HTH

k.
It worked, thank you!!
 
In case someone wants to use a password, install EXPECT through opkg. Here is what I used:
Code:
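#!/opt/bin/expect -f
# Expect (Tcl) script, so it must run under expect rather than /bin/sh;
# /opt/bin is where Entware (opkg) installs it.

set name "name"  ; # admin name
set node_ip "192.168.50.2"  ; # node IP
set password "password"  ; # node password (stored in plain text in this file)

spawn ssh $name@$node_ip
# Answer the password prompt, then keep waiting until the default timeout expires
expect {
  "assword:" { send "$password\r"; exp_continue }
  eof
}
# Per interface: list the associated clients and query each client's RSSI
send "for i in wl0 wl1; do\r
      echo \"=== \$i clients ===\"\r
      wl -i \$i assoclist 2>/dev/null | awk '{print \$2}' | while read mac; do\r
        rssi=\$(wl -i \$i rssi \$mac 2>/dev/null || echo \"N/A\")\r
        echo \"  \$mac   RSSI: \$rssi dBm\"\r
      done || echo \"  (no clients)\"\r
    done\r"
# Log out so the session ends and the final expect sees eof
send "exit\r"
expect eof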
 
