
Dropbear/ssh without remote password

Discussion in 'Asuswrt-Merlin' started by huotg01, Dec 2, 2014.

  1. huotg01

    huotg01 Senior Member

    Joined:
    Feb 3, 2013
    Messages:
    424
    Location:
    Montreal
    I want to Rsync through a ssh tunnel without entering the remote password.

    From my reading, in order to do that I have to generate a pair of RSA keys.
    In AsusWRT/Merlin, the ssh engine is called Dropbear, and the program used to generate the key pair is named Dropbearkey.

    Code:
    dropbearkey -t rsa -f ~/.ssh/id_rsa
    will create a file (id_rsa) with the private key in it. The file is located in the "home/.ssh/" folder. If there is already an id_rsa file in the folder, Dropbearkey will stop with an error. You then have to remove the existing file before running Dropbearkey again.

    At the same time Dropbearkey will also print on the terminal the Public Key.
    We have to copy/paste this key to the remote router, using the AsusWRT GUI, in the field "SSH Authentication key" by going to the Administration menu, System tab. In fact the key will also be "copied" by Asuswrt to the authorized_keys file of the remote root.

    That done, I should be able to log on to the remote router via ssh with a command like:
    Code:
    ssh [email protected]
    If everything goes well, you will be logged on to the remote router. If you are asked to enter the remote password, and you are logged in to the remote after entering it, then it means that your ssh command is ok, but not the key pairing process.

    I read somewhere (https://www.linux-tips.org/article/66/dropbear-rsa-key-problem)
    I also found out that this "family" also has a member called dbclient. It can be used to connect to a remote (like ssh) with the command:
    Code:
    dbclient -i ~/.ssh/id_rsa [email protected]
    Therefore you just have to specify where the private key is (option -i). After seeing that, I just replaced dbclient with ssh:
    Code:
    ssh -i ~/.ssh/id_rsa [email protected]
    and it works (quite normal: it's probably just a symlink...).

    If you try the same thing without the "-i" option, no luck. You will be asked for the remote password. There is an option with dropbear that allows you to specify where the private key file is, with the command:
    Code:
    dropbear -r ~/.ssh/id_rsa
    When trying it I got the errors:
    Code:
    Dec  2 10:12:35 dropbear[6370]: Failed listening on '22': Error listening: Address already in use
    Dec  2 10:12:35 dropbear[6370]: Early exit: No listening ports available.
    Anyway, it works when using the option "-i" to specify where the private key is. I'm happy because I will be able to fire the Rsync rocket with the command:
    Code:
    rsync -avz -e "dbclient -i /home/root/.ssh/id_rsa" /SourceFiles [email protected]:/ 
    Enough for me for today.
    Much of the information I used today comes from http://troy.jdmz.net/rsync/
    I will also use that site for the Rsync backup commands.

    If someone has/had any success changing the default private key location for Dropbear, or knows where the configuration file of Dropbear is, or knows how to start and stop Dropbear, please add it to this thread.

    @opheliagrimm This is not the draft procedure we talked about. I started this thread with a problem, but while describing it, I finally found out an interesting piece of information about Dropbear. That led to a bypass, and we no longer have a problem. From now on I will work from the wiki.
     
    Last edited: Dec 2, 2014
    Pila likes this.
  2. huotg01

    huotg01 Senior Member

    Joined:
    Feb 3, 2013
    Messages:
    424
    Location:
    Montreal
  3. opheliagrimm

    opheliagrimm Occasional Visitor

    Joined:
    Jan 26, 2014
    Messages:
    20
    Fantastic job.

    Can't wait to try the steps once you're done with the wiki.

    Then I can move up to the latest firmware again.
     
  4. Pila

    Pila Regular Contributor

    Joined:
    Jan 21, 2016
    Messages:
    155
    Location:
    Croatia
    I needed ssh to and from the Asus with Merlin fw router for different uses. This post is the best info on the subject I could find.

    The original post works but has 2 problems. 1) dropbear never generates an id_rsa.pub file, hence never saves it anywhere. 2) whatever ssh authorisations were done, to or from the router, all is gone after a reboot. Incoming only is simple to fix (at the end of my post). So, I tweaked the process a bit. JFFS and SSH must be enabled in the GUI.

    Here is how I got dropbear ssh to work fully, even after a reboot.

    Create .ssh folder where it will not get lost
    Code:
    mkdir /jffs/.ssh/
    Create the private key in the above folder. Just hit enter to any questions or do as you need
    Code:
    dropbearkey -t rsa -f /jffs/.ssh/id_rsa 
    Create a public key also there
    Code:
    dropbearkey -y -f /jffs/.ssh/id_rsa | tail -n2 | head -n1 > /jffs/.ssh/id_rsa.pub 
    Just in case, check id_rsa.pub and verify it contains only the key
    Code:
    cat /jffs/.ssh/id_rsa.pub 
    Now let's get connected to a remote device. In my following examples, replace [email protected] with your data. I am lazy, and all of this is copied from my own documentation :)

    If there is no ssh folder at the remote device, create it. If it exists, skip this step. Confirm acceptance and enter password for the remote when asked.
    Code:
    ssh [email protected] mkdir -p ~/.ssh 
    Now copy the router's public key there
    Code:
    cat /jffs/.ssh/id_rsa.pub | ssh [email protected] 'cat >> ~/.ssh/authorized_keys' 
    Done. To not keep forgetting things, create /jffs/scripts/services-start and enter the following. Then save in Unix file format and make executable. I do such things from Windows with WinSCP and Crimson Editor.
    Code:
    #!/bin/sh
    # /jffs/scripts/services-start
    # Restore the ssh files saved on /jffs (which survives a reboot)
    # into root's home, whose contents do not survive a reboot.
    mkdir -p /home/root/.ssh
    cp /jffs/.ssh/known_hosts /home/root/.ssh/known_hosts
    cp /jffs/.ssh/authorized_keys /home/root/.ssh/authorized_keys
    
    From now on, to connect to the remote, enter:
    Code:
    ssh -i /jffs/.ssh/id_rsa [email protected] 
    Now, make all authorisations you need, from the router and to the router. When done, copy files to our safe place.
    Code:
    cp ~/.ssh/known_hosts /jffs/.ssh/known_hosts
    cp ~/.ssh/authorized_keys /jffs/.ssh/authorized_keys
    Should you add some authorisations at a later time, just copy them again to the jffs with previous commands.

    Should someone need only incoming (from other devices to the router) authorisations, they can just make the needed connections and then copy and paste the contents of the authorized_keys file to the Router GUI: Administration -> System -> SSH Authentication key. Apparently, if you enter too many keys here a router reset might be in order.

    Why must you be aware of this "half-feature"? Whenever you save this page (regardless of what you did there), it will empty your authorized_keys file. Actually it will fill it with the content of the above-mentioned field, which would normally be empty. Just run services-start again. Better to do it this way than having to handle all ssh manually (ssh off in the WebUI).
     
    Last edited: Oct 15, 2016
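Added example, not code from the thread: the public-key extraction and authorized_keys append from huotg01's and Pila's steps above, with a check on the key line and without duplicating entries when the step is re-run. It assumes a POSIX shell with grep, awk, od-free coreutils and mktemp; the `dropbearkey -y` output it parses is a constructed sample (the key blob is not a real key), so it runs without a router. Matching on the key-type prefix instead of `tail -n2 | head -n1` keeps the extraction working if the layout of dropbearkey's output differs between versions.

```shell
#!/bin/sh
# Added example (not code from the thread). Extract the public key line from
# `dropbearkey -y` output, validate it, and add it to an authorized_keys
# file without creating duplicates when the step is repeated.

# Constructed sample of what `dropbearkey -y -f /jffs/.ssh/id_rsa` prints.
# The base64 blob is made up; it is not a real key.
SAMPLE_DROPBEARKEY_Y='Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7constructedSAMPLEkeyNOTreal root@router
Fingerprint: md5 ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67:89'

# Print the first line on stdin that starts with a known key type.
# Unlike `tail -n2 | head -n1`, this does not depend on the line layout.
extract_pubkey() {
    grep -E '^(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp[0-9]+) ' | head -n1
}

# Succeed only if $1 is one well-formed public key line:
# key type, a base64 blob, and an optional comment.
valid_pubkey_line() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/]+=*( [^[:space:]].*)?$'
}

# Append key line $1 to authorized_keys file $2 unless the same key
# material (type + blob, comment ignored) is already listed.
add_authorized_key() {
    key=$1
    file=$2
    valid_pubkey_line "$key" || { echo "refusing to add malformed key line" >&2; return 1; }
    keymat=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    mkdir -p "$(dirname "$file")"
    touch "$file"
    chmod 600 "$file"
    if awk '{print $1 " " $2}' "$file" | grep -Fxq "$keymat"; then
        return 0    # already present, nothing to do
    fi
    printf '%s\n' "$key" >> "$file"
}

# Run the whole flow against a scratch directory and print the number of
# lines in the resulting authorized_keys (1: the second add was a no-op).
demo() {
    dir=$(mktemp -d)
    key=$(printf '%s\n' "$SAMPLE_DROPBEARKEY_Y" | extract_pubkey)
    add_authorized_key "$key" "$dir/authorized_keys"
    add_authorized_key "$key" "$dir/authorized_keys"
    wc -l < "$dir/authorized_keys" | tr -d ' '
    rm -rf "$dir"
}
```

On the router the sample would be replaced by `dropbearkey -y -f /jffs/.ssh/id_rsa | extract_pubkey`; `add_authorized_key` does what the `cat >> ~/.ssh/authorized_keys` step above does, plus the format check and the duplicate check, which matter once the setup is scripted and run more than once.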
  5. Marko Polo

    Marko Polo Senior Member

    Joined:
    May 23, 2017
    Messages:
    261
    Cannot get key authentication to work in Dropbear. I don't want tunnelling or connecting two routers, I simply want to connect to the router via a key pair.
    I generated the private key as above, added the public key to authorized_keys. As I understand it, putting the public key in the router web GUI field SSH Authentication key is equivalent to copying it manually as

    Code:
    dropbearkey -y -f "${KEY_DIR}/id_rsa" | grep "^ssh-rsa " > "${KEY_DIR}/id_rsa.pub"
    But I cannot connect. Guacamole requires the private key in text form, but in id_rsa I see only a mess in an unknown encoding

    Code:
       ssh-rsa     [binary key data, rendered as unreadable characters]
    
    which Guacamole doesn't accept.

    If I try to connect via ssh in the console it requires a passphrase which I didn't set
    Code:
    [email protected]:~$ ssh -i ~/id_rsa 192.168.1.1 -p 29
    Enter passphrase for key '/home/polo/id_rsa':
    
    Any suggestions? Thx.
     
  6. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    29,068
    Location:
    Canada
    Use PuTTYgen to generate your key.
     
    Csection likes this.
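Added example, not from the thread or from Dropbear: the id_rsa file shown in Marko Polo's post above is not corrupt. dropbearkey writes its own binary format (a 4-byte big-endian length, the key type string such as "ssh-rsa", then the key numbers), which OpenSSH, PuTTY and Guacamole do not read; OpenSSH typically reacts to a private key file it cannot parse by asking for a passphrase, which matches the prompt in that post. Besides generating the key on the client as RMerlin suggests, Dropbear ships a converter, dropbearconvert, for moving between the two formats. The functions below tell the formats apart from the first bytes of the file and wrap the conversion; they assume a POSIX shell with dd, od and mktemp, and the files inspected in the usage are constructed headers, not real keys.

```shell
#!/bin/sh
# Added example (not from the thread or from Dropbear). Tell a Dropbear-native
# private key from an OpenSSH/PEM one by its first bytes, so you know whether
# to run dropbearconvert before giving the key to OpenSSH, PuTTY or Guacamole.
#
# dropbearkey writes a binary file: a 4-byte big-endian length, the key type
# string ("ssh-rsa", "ssh-ed25519", ...), then the key numbers.
# OpenSSH/PEM private keys are text starting with "-----BEGIN".

# Hex of the first 16 bytes of file $1, e.g. "000000077373682d727361..."
head_hex() {
    dd if="$1" bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Print "dropbear", "openssh-pem" or "unknown" for the key file $1.
# Returns 1 when the format is not recognised (or the file is missing).
key_format() {
    [ -f "$1" ] || { echo unknown; return 1; }
    case "$(head_hex "$1")" in
        2d2d2d2d2d424547494e*)            echo openssh-pem ;;  # "-----BEGIN"
        000000077373682d727361*)          echo dropbear ;;     # len 7,  "ssh-rsa"
        0000000b7373682d65643235353139*)  echo dropbear ;;     # len 11, "ssh-ed25519"
        0000001365636473612d73686132*)    echo dropbear ;;     # len 19, "ecdsa-sha2-..."
        *)                                echo unknown; return 1 ;;
    esac
}

# Convert a Dropbear key $1 to OpenSSH format in $2 with the converter that
# ships with Dropbear (dropbearconvert input_type output_type in_file out_file).
to_openssh() {
    [ "$(key_format "$1")" = dropbear ] || { echo "$1 is not a Dropbear key" >&2; return 1; }
    command -v dropbearconvert >/dev/null 2>&1 || { echo "dropbearconvert not installed" >&2; return 1; }
    dropbearconvert dropbear openssh "$1" "$2" && chmod 600 "$2"
}

# Usage on the router (assumes the key path from the posts above):
#   key_format /jffs/.ssh/id_rsa            # prints: dropbear
#   to_openssh /jffs/.ssh/id_rsa /jffs/.ssh/id_rsa.openssh
# The .openssh file is what an OpenSSH client, Guacamole or PuTTYgen
# (for import) can read; keep it 0600 and off the router if you can.
```

The check is deliberately on the file header rather than on `ssh-keygen -l` or similar, because the whole point is that the OpenSSH tools cannot read the Dropbear file; once `key_format` says "dropbear", the only sensible next steps are converting it or, as advised above, generating the pair on the client side and pasting only the public half into the router.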
  7. Marko Polo

    Marko Polo Senior Member

    Joined:
    May 23, 2017
    Messages:
    261
    Thanks, that worked.
     
  8. Marko Polo

    Marko Polo Senior Member

    Joined:
    May 23, 2017
    Messages:
    261
    Another follow-up question: does Dropbear have an ssh-agent or equivalent which allows using a config file?
    I didn't find ssh-add command or anything similar.
     
  9. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    29,068
    Location:
    Canada
    Dropbear does not have any configuration file. It's a very basic ssh daemon.