Dropbear/ssh without remote password

huotg01

Senior Member
I want to Rsync through a ssh tunnel without entering the remote password.

From my reading, in order to do that I have to generate a pair of RSA keys.
In AsusWRT/Merlin, the ssh engine is called Dropbear, and the program used to generate the key pair is named Dropbearkey.

Code:
dropbearkey -t rsa -f ~/.ssh/id_rsa
will add a file (id_rsa) with the private key in it. The file is located in the "home/.ssh/" folder. If there is already an id_rsa file in the folder, Dropbearkey will stop with an error. You then have to remove the existing file before running Dropbearkey again.

At the same time Dropbearkey will also print on the terminal the Public Key.
We have to copy/paste this key to the remote router, using the AsusWRT GUI, in the field "SSH Authentication key" by going to the Administration menu, System tab. In fact the key will also be "copied" by Asuswrt to the authorized_keys file of the remote root.

That done, I should be able to log on to the remote router via ssh with a command like:
Code:
If everything goes well, you will be logged on to the remote router. If you are asked to enter the remote password, and you are then logged in to the remote after entering it, it means that your ssh command is ok, but the key pairing process is not.

I read somewhere (https://www.linux-tips.org/article/66/dropbear-rsa-key-problem)
Using public key authentication with the dropbear ssh client is a little different from regular openssh clients. Dropbear doesn't look up the user's .ssh directory for the user's private key. You should explicitly say which private key will be used for the session with the -i parameter.
I also found out that this "family" also has a member called dbclient. It can be used to connect to a remote (like ssh) with the command:
Code:
dbclient -i ~/.ssh/id_rsa [email protected]
Therefore you just have to specify where the private key is (option -i). After seeing that, I just replaced dbclient with ssh:
Code:
ssh -i ~/.ssh/id_rsa [email protected]
and it works (quite normal: it's probably just a symlink...).

If you try the same thing without the "-i" option, no luck. You will be asked for the remote password. There is an option with dropbear that allows you to specify where the private key file is, with the command:
Code:
dropbear -r ~/.ssh/id_rsa
When trying it I got the errors:
Code:
Dec  2 10:12:35 dropbear[6370]: Failed listening on '22': Error listening: Address already in use
Dec  2 10:12:35 dropbear[6370]: Early exit: No listening ports available.
Anyway, it works when using the option "-i" to specify where the private key is. I'm happy because I will be OK to fire the Rsync rocket with the command:
Code:
rsync -avz -e "dbclient -i /home/root/.ssh/id_rsa" /SourceFiles [email protected]:/
Enough for me for today.
Much of the information I used today comes from http://troy.jdmz.net/rsync/
I will also use that site for the Rsync backup commands.

If someone has had any success changing the default private key location for Dropbear, or knows where Dropbear's configuration file is, or knows how to start and stop Dropbear, please add it to this thread.

@opheliagrimm This is not the draft procedure we talked about. I started this thread with a problem, but when describing it, I finally found out some interesting information about Dropbear. That led to a bypass, and we no longer have a problem. From now on I will work from the wiki.

opheliagrimm

Occasional Visitor
Fantastic job.

Can't wait to try the steps once you're done with the wiki.

Then I can move up to the latest firmware again.
 

Pila

Regular Contributor
I needed ssh to and from the Asus router with Merlin fw for different uses. This post is the best info on the subject I could find.

The original post works but has 2 problems. 1) dropbear never generates an id_rsa.pub file, hence never saves it anywhere. 2) Whatever ssh authorisations were done, to or from the router, are all gone after a reboot. Incoming only is simple to fix (at the end of my post). So I tweaked the process a bit. JFFS and SSH must be enabled in the GUI.

Here is how I got dropbear ssh to work fully, even after a reboot.

Create .ssh folder where it will not get lost
Code:
mkdir /jffs/.ssh/
Create the private key in the above folder. Just hit enter to any questions or do as you need
Code:
dropbearkey -t rsa -f /jffs/.ssh/id_rsa
Create a public key also there
Code:
dropbearkey -y -f /jffs/.ssh/id_rsa | tail -n2 | head -n1 > /jffs/.ssh/id_rsa.pub
Just in case, check id_rsa.pub and verify it contains only the key
Code:
cat /jffs/.ssh/id_rsa.pub
Now let's get connected to a remote device. In my following examples, replace [email protected] with your data. I am lazy, and all of this is copied from my own documentation :)

If there is no ssh folder at the remote device, create it. If it exists, skip this step. Confirm acceptance and enter password for the remote when asked.
Code:
ssh [email protected] mkdir -p ~/.ssh
Now copy the router's public key there
Code:
cat /jffs/.ssh/id_rsa.pub | ssh [email protected] 'cat >> ~/.ssh/authorized_keys'
Done. To not keep forgetting things, create /jffs/scripts/services-start and enter the following. Then save in Unix file format and make executable. I do such things from Windows with WinSCP and Crimson Editor.
Code:
#!/bin/sh
# /jffs/scripts/services-start
cp /jffs/.ssh/known_hosts /home/root/.ssh/known_hosts
cp /jffs/.ssh/authorized_keys /home/root/.ssh/authorized_keys
From now on, to connect to the remote, enter:
Code:
ssh -i /jffs/.ssh/id_rsa [email protected]
Now, make all authorisations you need, from the router and to the router. When done, copy files to our safe place.
Code:
cp ~/.ssh/known_hosts /jffs/.ssh/known_hosts
cp ~/.ssh/authorized_keys /jffs/.ssh/authorized_keys
Should you add some authorisations at a later time, just copy them again to the jffs with previous commands.

Should someone need only incoming (from other devices to the router) authorisations, they can just make the needed connections and then copy and paste the contents of the authorized_keys file to the Router GUI: Administration -> System -> SSH Authentication key. Apparently, if you enter too many keys here, a router reset might be in order.

Why must you be aware of this "half-feature"? Whenever you save this page (regardless of what you did there), it will empty your authorized_keys file. Actually it will fill it with the content of the abovementioned field, which would normally be empty. Just run services-start again. Better do it this way than having to handle all ssh manually (ssh off in the WebUI).
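The key-generation steps from the first post and the /jffs persistence steps from Pila's post, pulled together into one script. This is an added example, not code from either poster or from Asuswrt-Merlin. It assumes the paths used in the thread (/jffs/.ssh as the persistent copy, /home/root/.ssh as the volatile one) and that dropbearkey prints its public key on a line starting with the key type, as shown above; the sample output in the comments is constructed. It also generalises Pila's one-liner slightly: instead of `tail -n2 | head -n1`, which breaks if dropbearkey ever prints an extra line, it selects the public-key line by its type prefix and sanity-checks it before it lands in id_rsa.pub.

```shell
#!/bin/sh
# Added example (not from the thread): keep Dropbear client keys on /jffs so
# they survive a reboot, and restore the volatile files at boot.
# Paths are assumptions matching the thread; override via environment.
KEY_DIR="${KEY_DIR:-/jffs/.ssh}"
HOME_SSH="${HOME_SSH:-/home/root/.ssh}"

# Pick the public-key line out of 'dropbearkey -y' output read from stdin.
# Constructed sample of that output:
#   Public key portion is:
#   ssh-rsa AAAAB3NzaC1yc2E... root@router
#   Fingerprint: sha1!! 00:11:22:...
extract_pubkey() {
    grep -E '^ssh-(rsa|ed25519) ' | head -n1
}

# Reject a public-key line that is empty, has too few fields, has an
# unexpected key type, or whose blob is not base64. Returns 0 when sane.
check_pubkey_line() {
    line="$1"
    set -- $line
    [ "$#" -ge 2 ] || return 1
    case "$1" in ssh-rsa|ssh-ed25519) ;; *) return 1 ;; esac
    printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$' || return 1
    return 0
}

# Generate a key pair only if none exists (dropbearkey refuses to overwrite),
# then derive id_rsa.pub from it and lock down permissions.
generate_keys() {
    mkdir -p "$KEY_DIR" && chmod 700 "$KEY_DIR"
    if [ ! -f "$KEY_DIR/id_rsa" ]; then
        dropbearkey -t rsa -f "$KEY_DIR/id_rsa" >/dev/null
    fi
    pub=$(dropbearkey -y -f "$KEY_DIR/id_rsa" | extract_pubkey)
    check_pubkey_line "$pub" || { echo "could not extract public key" >&2; return 1; }
    printf '%s\n' "$pub" > "$KEY_DIR/id_rsa.pub"
    chmod 600 "$KEY_DIR/id_rsa" "$KEY_DIR/id_rsa.pub"
}

# What /jffs/scripts/services-start does in Pila's post: copy known_hosts and
# authorized_keys from the persistent dir ($1) to the volatile one ($2),
# creating the target with safe permissions. Missing files are skipped.
restore_ssh_state() {
    src="$1"; dst="$2"
    mkdir -p "$dst" && chmod 700 "$dst"
    for f in known_hosts authorized_keys; do
        [ -f "$src/$f" ] && cp "$src/$f" "$dst/$f" && chmod 600 "$dst/$f"
    done
    return 0
}

# The reverse direction (Pila's "copy files to our safe place" step).
save_ssh_state() {
    restore_ssh_state "$HOME_SSH" "$KEY_DIR"
}
```

Call `generate_keys` once, `save_ssh_state` after adding authorisations, and `restore_ssh_state "$KEY_DIR" "$HOME_SSH"` from services-start. The extra permission tightening matters because an id_rsa readable by other users is as good as no password at all on the remote side.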

Marko Polo

Senior Member
Cannot get key authentication to work in Dropbear. I don't want tunnelling or connecting two routers, I simply want to connect to the router via keypair.
I generated the private key as above and added the public key to authorized_keys. As I understand it, putting the public key into the router webgui field SSH Authentication key is equivalent to manually copying it as

Code:
dropbearkey -y -f "${KEY_DIR}/id_rsa" | grep "^ssh-rsa " > "${KEY_DIR}/id_rsa.pub"
But I cannot connect. Guacamole requires the private key in text form, but in id_rsa I see only a mess in an unknown encoding

Code:
   ssh-rsa     ¸ª{0ã×â¥S/áí¶Ø!Q‰¢>Z;Ø°4P”‚lû4¢rü“’¢‹=Fœ–O,?ÍŪZzXÅ2<kë7¦¿Jà)×ÙÄ•HeoL†S GèŽêŠ/-hvlÄ€ï´Ü/è§fY—HGtó³ir†CCù-\š'Î÷kÁ‚ç5Zµ}ã©›Þúø‰çÐYä[email protected]·ÓÖº@Á D(%}à{Ìã\j¾Ž%öŽDâEZ1ÔÂÍÉÜSÊ·®'^ó"œ(u•`û]_âÏûX0þ%”±A,üéŽ<:'Ý—èhrfÅ#+ xc;tžž›7ßÚEªóµÇ   '<8É Ž=iYÝÃ'*h‰g¼²r~¹ò™ÊhÓ-¬Êžïvßó¯¬É
ÉáŸ[<ú¡NÊn¶Ú>¥ç×sm©Ûúœß>(@Ê!Z†ËåV»^ÙkyéqĆͷ˜Tr½>nmú&¶³$„Ý?V¿v,ÚWú‚Žk\–!³ÜÒ˜)Z•æëÔ‚5µ¼e“ÇœÎþV¹þÿ?>×Ú‚ha#±ö‘v¢p±&#¢Šæ_ÖƧk0ç‘¿,8ߝ¶õæÆú»$sŠÉ‡èbŸjœ    ‰n!,Ätßçõä/›`nó¶`÷ßæöñ$Üí¬«¢—¼\6²çüJÐêÉ<É    ùß¼:cui™”û¥#\    ç
<Ü5TÎ5›”zý’$è@°WùÄ´ÍËY>?"±¤0"
ì©*O.–ž-Q(½p
0»7"öò_CvÃÇlŽ5Æ™½ÿ? ŽY"ˆÊ^A …«VæPÔ;H€‡I¹’Ì4Yìüúú&SEÓ    ½1|_ã¿9tùÃMEàÄÍÕ@Ñ‘;£cüŽ,˜;º
*¼_È©B ðï¢l“XÑ «"ôã…ÎÞ÷ÒØ_P;žÔÜ8¶&؉÷0Ïñ6xy*ÄŽ€pÛµ YÜ+žËð^ôËþÿhƽyN\vÇ ñ¹õ¶{“½
which Guacamole doesn't accept.

If I try to connect via ssh in the console, it asks for a passphrase which I didn't set
Code:
[email protected]:~$ ssh -i ~/id_rsa 192.168.1.1 -p 29
Enter passphrase for key '/home/polo/id_rsa':
Any suggestions? Thx.
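The "mess in unknown encoding" above is expected: dropbearkey writes private keys in Dropbear's own binary format (a 4-byte length followed by the key type string, then the key material), not the PEM text that Guacamole or an OpenSSH client expect, which is why the OpenSSH client cannot parse the file. The helper below is an added example, not from the thread or from the Dropbear project: it tells the two formats apart from the file header and, where the `dropbearconvert` tool is available (it ships with Dropbear but its presence on the router firmware is an assumption; check with `which dropbearconvert`), produces an OpenSSH-format copy. Paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): detect whether a private key file is
# OpenSSH/PEM text or Dropbear's binary format before handing it to a tool
# that expects one or the other. dropbearconvert availability is assumed.

# Print "openssh", "dropbear" or "unknown" for the key file in $1.
# Returns 0 for a recognised format, 1 otherwise.
key_format() {
    f="$1"
    [ -f "$f" ] || { echo unknown; return 1; }
    # PEM keys start with a "-----BEGIN ... PRIVATE KEY-----" text header.
    if head -n1 "$f" | grep -q '^-----BEGIN .* PRIVATE KEY-----$'; then
        echo openssh; return 0
    fi
    # Dropbear's format starts with a big-endian length and the key type
    # string, e.g. "\0\0\0\7ssh-rsa"; look for it in the first 32 bytes.
    if head -c 32 "$f" | grep -aqE 'ssh-rsa|ssh-ed25519|ecdsa-sha2'; then
        echo dropbear; return 0
    fi
    echo unknown
    return 1
}

# Write an OpenSSH-format copy of a Dropbear key to $2. Refuses to touch a
# file that is already OpenSSH format or that it cannot identify.
to_openssh() {
    in="$1"; out="$2"
    fmt=$(key_format "$in") || { echo "unrecognised key file: $in" >&2; return 1; }
    case "$fmt" in
        openssh) echo "already OpenSSH format: $in" >&2; return 1 ;;
        dropbear)
            # dropbearconvert <in_format> <out_format> <in_file> <out_file>
            dropbearconvert dropbear openssh "$in" "$out" || return 1
            chmod 600 "$out" ;;
    esac
}
```

With the converted file an OpenSSH client no longer prompts for a passphrase that was never set, and Guacamole gets the PEM text it wants. Keep the converted copy on the client only; the router keeps its own Dropbear-format file.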
 

RMerlin

Asuswrt-Merlin dev
Use putty-gen to generate your key.
 

RMerlin

Asuswrt-Merlin dev
Another follow-up question: does Dropbear have ssh-agent or equivalent which allows using config file?
I didn't find ssh-add command or anything similar.
Dropbear does not have any configuration file. It's a very basic ssh daemon.
 
