Dropbear/ssh without remote password

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

huotg01

Senior Member
I want to Rsync through a ssh tunnel without entering the remote password.

From my reading, in order to do that I have to generate a pair of RSA keys.
In AsusWRT/Merlin, the ssh engine is called Dropbear, and the program used to generate the key pair is named Dropbearkey.

Code:
dropbearkey -t rsa -f ~/.ssh/id_rsa
will add a file (id_rsa) with the Private key in it. The file is located in the "home/.ssh/" folder. If there is already a id_rsa file in the folder, Dropbearkey will stop on error. You then have to remove the existing file before running again Dropbearkey.

At the same time Dropbearkey will also print on the terminal the Public Key.
We have to copy/paste this key to the remote router, using the AsusWRT GUI, in the field "SSH Authentication key" by going to the Administration menu, System tab. In fact the key will also be "copied" by Asuswrt to the authorized_keys file of the remote root.

That done, I should be able to ssh log on the remote Router with a command like:
Code:
If everything goes well, you will be logged on the remote router. If you are asked to enter the remote password, and then you are logged in the remote after entering it, then it means that your ssh command is ok, but not the keys pairing process.

I read somewhere (https://www.linux-tips.org/article/66/dropbear-rsa-key-problem)
Using public key authentication with dropbear ssh client is a little different from regular openssh clients. Dropbear doesn't lookup users .ssh directory for user's private key. You should expicitly say which private key will be used for session with the -i parameter.
I also found out that this "family" has also a member called dbclient. It can be used to connect to a remote (like ssh) with the command:
Code:
dbclient -i ~/.ssh/id_rsa [email protected]
Therefore you just have to specify where is the private key (option -i). After seeing that, I just replace the dbclient by ssh:
Code:
ssh -i ~/.ssh/id_rsa [email protected]
and it works (quite normal: it's probably just a symlink...).

If you try the same thing without the "-i" option, no luck. You will asked for the remote password. There is an option with dropbear that allows to specify where is the private key file, with the command:
Code:
dropbear  -r ~/.ssh/id_rsa

When trying it I got the errors:
Code:
Dec  2 10:12:35 dropbear[6370]: Failed listening on '22': Error listening: Address already in use
Dec  2 10:12:35 dropbear[6370]: Early exit: No listening ports available.

Anyway, it works when using the option "-i" to specify where is the private key. I'm happy because I will be ok to fire Rsync rocket with the command:
Code:
rsync -avz -e "dbclient -i /home/root/.ssh/id_rsa" /SourceFiles [email protected]:/

Enough for me for today.
Many informations I used today come from http://troy.jdmz.net/rsync/
I will also use that site for the Rsync backup commands.

I someone has/had any success changing the default private key location for Dropbear, or knows where is the configuration file of Dropbear, or knows how to start and stop Dropbear, please add it to this thread.

@opheliagrimm This is not the draft procedure we talked about. I started this thread with a problem, but when describing it, I finally found out an interesting information about Dropbear. That leaded to a bypass, and we no longer have a problem. From now on I will work from the wiki.
 
Last edited:

opheliagrimm

Occasional Visitor
Fantastic job.

Can't wait to try the steps once you're done with the wiki.

Then I can move up to the latest firmware again.
 

Pila

Regular Contributor
I needed ssh to and from the Asus with Merlin fw router for different uses. This post is the best info on the subject I could find.

Original post works but has 2 problems. 1) dropbear never generates id_rsa.pub file, hence, never saves it anywhere. 2) whatever ssh authorisations were done, to the or from the router, all is gone after a reboot. Incoming only are simple do fix (at the end of my post). So, I tweaked the process a bit. Jffs and SSH must be enabled in GUI.

Here is how I got dropbear ssh to work fully, even after a reboot.

Create .ssh folder where it will not get lost
Code:
mkdir /jffs/.ssh/

Create the private key in the above folder. Just hit enter to any questions or do as you need
Code:
dropbearkey -t rsa -f /jffs/.ssh/id_rsa

Create a public key also there
Code:
dropbearkey -y -f /jffs/.ssh/id_rsa | tail -n2 | head -n1 > /jffs/.ssh/id_rsa.pub

Just in case, check id_rsa.pub and verify it contains only the key
Code:
cat /jffs/.ssh/id_rsa.pub

Now let's get connected to a remote device. In my following examples, replace [email protected] with your data. I am lazy, and all of this this is copied from my own documentation :)

If there is no ssh folder at the remote device, create it. If it exists, skip this step. Confirm acceptance and enter password for the remote when asked.
Code:
ssh [email protected] mkdir -p ~/.ssh

Now copy the router's public key there
Code:
cat /jffs/.ssh/id_rsa.pub | ssh [email protected] 'cat >> ~/.ssh/authorized_keys'

Done. To not keep forgetting things, create /jffs/scripts/services-start and enter the following. Then save in Unix file format and make executable. I do such things from Windows with WinSCP and Crimson Editor.
Code:
#!/bin/sh
# /jffs/scripts/services-start
cp /jffs/.ssh/known_hosts /home/root/.ssh/known_hosts
cp /jffs/.ssh/authorized_keys /home/root/.ssh/authorized_keys

From now on, to connect to the remote, enter:
Code:
ssh -i /jffs/.ssh/id_rsa [email protected]

Now, make all authorisations you need, from the router and to the router. When done, copy files to our safe place.
Code:
cp ~/.ssh/known_hosts /jffs/.ssh/known_hosts
cp ~/.ssh/authorized_keys /jffs/.ssh/authorized_keys

Should you add some authorisations at a later time, just copy them again to the jffs with previous commands.

Should someone need only incoming (from other devices to the router) authorisations, they can just make needed connections and then copy and paste the contents of the authorized_keys file to the Router GUI: Administration -> System -> SSH Authentication key. Apparantly, if you enter too many keys here - router reset might be in order.

Why you must be aware of this "half-feature"? Whenever you save this page (regardles of what you did there), it will empty your authorized_keys file. Actually it will fill it with the content of the abovemenioned field, which would normally be empty. Just run a services-start again. Better do it this way than having to handle all ssh manually (ssh off in the WebUI).
 
Last edited:

Marko Polo

Senior Member
Cannot get key authentication to work in Dropbear. I don't wanna tunelling or connecting two routers, I simply wanna connect to router via keypair.
I generated the private key as above, added public key to authorized. As I got it, putting public key to router webgui field SSH Authentication key is equivalent to manual copying as

Code:
dropbearkey -y -f "${KEY_DIR}/id_rsa" | grep "^ssh-rsa " > "${KEY_DIR}/id_rsa.pub"

But I cannot connect. Guacamole requires private key in a text form, but in id_rsa I see only a mess in unknown encoding

Code:
   ssh-rsa     ¸ª{0ã×â¥S/áí¶Ø!Q‰¢>Z;Ø°4P”‚lû4¢rü“’¢‹=Fœ–O,?ÍŪZzXÅ2<kë7¦¿Jà)×ÙÄ•HeoL†S GèŽêŠ/-hvlÄ€ï´Ü/è§fY—HGtó³ir†CCù-\š'Î÷kÁ‚ç5Zµ}ã©›Þúø‰çÐYä[email protected]·ÓÖº@Á D(%}à{Ìã\j¾Ž%öŽDâEZ1ÔÂÍÉÜSÊ·®'^ó"œ(u•`û]_âÏûX0þ%”±A,üéŽ<:'Ý—èhrfÅ#+ xc;tžž›7ßÚEªóµÇ   '<8É Ž=iYÝÃ'*h‰g¼²r~¹ò™ÊhÓ-¬Êžïvßó¯¬É
ÉáŸ[<ú¡NÊn¶Ú>¥ç×sm©Ûúœß>(@Ê!Z†ËåV»^ÙkyéqĆͷ˜Tr½>nmú&¶³$„Ý?V¿v,ÚWú‚Žk\–!³ÜÒ˜)Z•æëÔ‚5µ¼e“ÇœÎþV¹þÿ?>×Ú‚ha#±ö‘v¢p±&#¢Šæ_ÖƧk0ç‘¿,8ߝ¶õæÆú»$sŠÉ‡èbŸjœ    ‰n!,Ätßçõä/›`nó¶`÷ßæöñ$Üí¬«¢—¼\6²çüJÐêÉ<É    ùß¼:cui™”û¥#\    ç
<Ü5TÎ5›”zý’$è@°WùÄ´ÍËY>?"±¤0"
ì©*O.–ž-Q(½p
0»7"öò_CvÃÇlŽ5Æ™½ÿ? ŽY"ˆÊ^A …«VæPÔ;H€‡I¹’Ì4Yìüúú&SEÓ    ½1|_ã¿9tùÃMEàÄÍÕ@Ñ‘;£cüŽ,˜;º
*¼_È©B ðï¢l“XÑ «"ôã…ÎÞ÷ÒØ_P;žÔÜ8¶&؉÷0Ïñ6xy*ÄŽ€pÛµ YÜ+žËð^ôËþÿhƽyN\vÇ ñ¹õ¶{“½
which Guacamole doesn't accept.

If I try to connect via ssh in console it requires passphrase which I didn't set
Code:
[email protected]:~$ ssh -i ~/id_rsa 192.168.1.1 -p 29
Enter passphrase for key '/home/polo/id_rsa':

Any suggestions? Thx.
 

RMerlin

Asuswrt-Merlin dev
Use putty-gen to generate your key.
 

RMerlin

Asuswrt-Merlin dev
Another follow-up question: does Dropbear have ssh-agent or equivalent which allows using config file?
I didn't find ssh-add command or anything similar.

Dropbear does not have any configuration file. It's a very basic ssh daemon.
 

calzor suzay

Regular Contributor
On Pila's solution do I need this on both nodes?

It worked, I bounced the node (not primary) and it went back to prompting for the password

To not keep forgetting things, create /jffs/scripts/services-start and enter the following. Then save in Unix file format and make executable. I do such things from
Code:
#!/bin/sh
# /jffs/scripts/services-start
cp /jffs/.ssh/authorized_keys /home/root/.ssh/authorized_keys
 
Last edited:

calzor suzay

Regular Contributor
Ok if I reboot the node it prompts for the password.
I can then manually run /jffs/scripts/services-start whilst logged on as my admin account, it'll then put the file back and it'll work.

What it won't do is run it by itself at reboot, any idea why, what I need to do?
 

Jeffrey Young

Very Senior Member
Wish I had seen this post before last weekend. Would have saved me a few minutes. I was setting up a script on my AC86U to SSH into my NAS and run a shutdown command when the router got a shutdown command from NUT. Took me a bit to figure out that dropbear does its own thing for keys compared to the mainstream SSH. Thanks to google though, I did get it working.

Great tutorial! Thumbs up for sure.
 

calzor suzay

Regular Contributor
Solved this in the end as per Thread here if anyone picks this up one day when using AiMesh.
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top