
Tutorial [SOLUTION] Asuswrt-Merlin DropBear SSH-Key Based Auth To/From AiMesh Nodes & Workstations Tutorial


garycnew

Senior Member
The following is an Asuswrt-Merlin DropBear SSH-Key Based Auth To/From AiMesh Nodes & Workstations Tutorial gleaned from Existing Posts in this Forum (RE: References).

Requirements/Assumptions:

1. An Asuswrt-Merlin Compatible Router (i.e., Asus RT-AC66U)
2. Asuswrt-Merlin Compatible Firmware (i.e., 384.19)
3. Formatted JFFS Partition and Enabled JFFS Custom Scripts and Configs
4. Capable of Editing the following User Scripts:
/jffs/scripts/post-mount

### Primary Router: Create DropBear Private/Public SSH-Key Pair ###
Code:
$ ssh admin@192.168.0.1
admin@192.168.0.1's password:

# mkdir -p /jffs/.ssh

# dropbearkey -t rsa -f /jffs/.ssh/id_rsa

# dropbearkey -y -f /jffs/.ssh/id_rsa | tail -n2 | head -n1 > /jffs/.ssh/id_rsa.pub

# cp -p /jffs/.ssh/id_rsa /tmp/home/root/.ssh/id_dropbear

### Primary Router: Create post-mount Script to Persist DropBear Private Key ###
Code:
# touch /jffs/scripts/post-mount
# chmod 755 /jffs/scripts/post-mount

# vi /jffs/scripts/post-mount
#!/bin/sh

# Check Whether id_dropbear Private Key Exists
if [ ! -f "/tmp/home/root/.ssh/id_dropbear" ]; then
   /bin/cp -p /jffs/.ssh/id_rsa /tmp/home/root/.ssh/id_dropbear
fi

### Primary Router: Copy/Paste Public Key id_rsa.pub to Advanced Settings > Administration > System > Service > Authorized Keys of the Asuswrt-Merlin WebUI ###
Code:
!!! Caution: Ensure that there are no Non-Alphanumerics, New-Lines, Hard-Returns, or Trailing-Spaces in the DropBear Public Key with a limit of 2999 Characters !!!

# cat /jffs/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUJfB/b5p7qbVIBSLXljtYILnGlwYgl9PrJawkui03Ys3XefJI0SMj8MA10H/BVoWAdfZYkx/MFlVzzIy2oXs3cYwudUCnsXlc8m2GGt8qWgwQgHCFO29MsBWff1s2knd3/Jf9PUJl09hhYmk4yTkSQJf8h79IW9Wd7uWKf4bbn73oF/Ryr4PK/RLJanP9A6aZerVwOrC2e2qc6Q1KNr7P/2u8O8ac2qFHoG1VknQ5QWlW3fK1RPeuviZOr4PO/lx4ZOvNkTJRFq0jXlWg65ss0QRjNJ193Jsoz2VtxtI58Uw6n3Hd5wYYzyZ06hr5uBm/QaCRC0opGkRl3VSBuQC7 admin@gnutech-wap01

# cat /tmp/home/root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUJfB/b5p7qbVIBSLXljtYILnGlwYgl9PrJawkui03Ys3XefJI0SMj8MA10H/BVoWAdfZYkx/MFlVzzIy2oXs3cYwudUCnsXlc8m2GGt8qWgwQgHCFO29MsBWff1s2knd3/Jf9PUJl09hhYmk4yTkSQJf8h79IW9Wd7uWKf4bbn73oF/Ryr4PK/RLJanP9A6aZerVwOrC2e2qc6Q1KNr7P/2u8O8ac2qFHoG1VknQ5QWlW3fK1RPeuviZOr4PO/lx4ZOvNkTJRFq0jXlWg65ss0QRjNJ193Jsoz2VtxtI58Uw6n3Hd5wYYzyZ06hr5uBm/QaCRC0opGkRl3VSBuQC7 admin@gnutech-wap01

# nvram show | grep -i sshd_authkeys
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUJfB/b5p7qbVIBSLXljtYILnGlwYgl9PrJawkui03Ys3XefJI0SMj8MA10H/BVoWAdfZYkx/MFlVzzIy2oXs3cYwudUCnsXlc8m2GGt8qWgwQgHCFO29MsBWff1s2knd3/Jf9PUJl09hhYmk4yTkSQJf8h79IW9Wd7uWKf4bbn73oF/Ryr4PK/RLJanP9A6aZerVwOrC2e2qc6Q1KNr7P/2u8O8ac2qFHoG1VknQ5QWlW3fK1RPeuviZOr4PO/lx4ZOvNkTJRFq0jXlWg65ss0QRjNJ193Jsoz2VtxtI58Uw6n3Hd5wYYzyZ06hr5uBm/QaCRC0opGkRl3VSBuQC7 admin@gnutech-wap01

### AiMesh Node: Create .ssh Directories & NVRAM SET sshd_authkeys Variable ###
Code:
# ssh -i /jffs/.ssh/id_rsa admin@192.168.0.11
admin@192.168.0.11's password:

# mkdir -p /tmp/home/root/.ssh
# mkdir -p /jffs/.ssh

!!! Caution: Ensure that there are no Non-Alphanumerics, New-Lines, Hard-Returns, or Trailing-Spaces in the DropBear Public Key with a limit of 2999 Characters !!!
### Note: The Addition of Backslashes in the ssh-rsa Public Key to Escape the Spaces when Setting the NVRAM sshd_authkeys Variable. ###

# nvram set sshd_authkeys=ssh-rsa\ AAAAB3NzaC1yc2EAAAADAQABAAABAQCUJfB/b5p7qbVIBSLXljtYILnGlwYgl9PrJawkui03Ys3XefJI0SMj8MA10H/BVoWAdfZYkx/MFlVzzIy2oXs3cYwudUCnsXlc8m2GGt8qWgwQgHCFO29MsBWff1s2knd3/Jf9PUJl09hhYmk4yTkSQJf8h79IW9Wd7uWKf4bbn73oF/Ryr4PK/RLJanP9A6aZerVwOrC2e2qc6Q1KNr7P/2u8O8ac2qFHoG1VknQ5QWlW3fK1RPeuviZOr4PO/lx4ZOvNkTJRFq0jXlWg65ss0QRjNJ193Jsoz2VtxtI58Uw6n3Hd5wYYzyZ06hr5uBm/QaCRC0opGkRl3VSBuQC7\ admin@gnutech-wap01

# nvram show | grep -i sshd_authkeys
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUJfB/b5p7qbVIBSLXljtYILnGlwYgl9PrJawkui03Ys3XefJI0SMj8MA10H/BVoWAdfZYkx/MFlVzzIy2oXs3cYwudUCnsXlc8m2GGt8qWgwQgHCFO29MsBWff1s2knd3/Jf9PUJl09hhYmk4yTkSQJf8h79IW9Wd7uWKf4bbn73oF/Ryr4PK/RLJanP9A6aZerVwOrC2e2qc6Q1KNr7P/2u8O8ac2qFHoG1VknQ5QWlW3fK1RPeuviZOr4PO/lx4ZOvNkTJRFq0jXlWg65ss0QRjNJ193Jsoz2VtxtI58Uw6n3Hd5wYYzyZ06hr5uBm/QaCRC0opGkRl3VSBuQC7 admin@gnutech-wap01

# nvram commit
# reboot
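
The cautions above (no new-lines, hard-returns or trailing spaces, and the 2999-character limit) can be checked before the key goes into the WebUI field or into nvram set sshd_authkeys. The script below is an added example, not part of the original post: the function names, the accepted key types and the constructed sample key are assumptions. It also checks that a private key file carries no group or other permission bits.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# one-line public key that goes into Authorized Keys / sshd_authkeys.
MAX_LEN=2999            # character limit from the tutorial's caution
NL='
'
CR=$(printf '\r')
TAB=$(printf '\t')

# check_authkey KEY: return 0 if KEY is a clean single-line public key,
# otherwise print the reason on stderr and return 1.
check_authkey() {
    key=$1
    case $key in
        *"$NL"*|*"$CR"*) echo "embedded new-line or carriage return" >&2; return 1 ;;
        " "*|*" "|"$TAB"*|*"$TAB") echo "leading or trailing whitespace" >&2; return 1 ;;
    esac
    if [ "${#key}" -gt "$MAX_LEN" ]; then
        echo "longer than $MAX_LEN characters" >&2; return 1
    fi
    ktype=${key%% *}    # first space-separated field: key type
    rest=${key#* }
    blob=${rest%% *}    # second field: base64 key material
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp*) ;;   # assumed set of types
        *) echo "unexpected key type: $ktype" >&2; return 1 ;;
    esac
    case $blob in
        AAAA*) ;;       # an SSH key blob begins with a 4-byte length field
        *) echo "key material missing or not an SSH blob" >&2; return 1 ;;
    esac
    case $blob in
        *[!A-Za-z0-9+/=]*) echo "non-base64 character in key material" >&2; return 1 ;;
    esac
    return 0
}

# private_key_is_private FILE: return 0 only if FILE exists and its
# group/other permission bits (columns 5-10 of ls -l) are all unset.
private_key_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Constructed sample (not a real key) so the script runs on its own.
SAMPLE='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7 admin@example-router'
check_authkey "$SAMPLE" && echo "sample key: ok"
```

On the router, the same checks can be run as check_authkey "$(cat /jffs/.ssh/id_rsa.pub)" and private_key_is_private /jffs/.ssh/id_rsa.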

### Primary Router: Copy ssh-rsa Public/Private SSH-Key Pair & post-mount Script to AiMesh Node ###
Code:
###cat /jffs/.ssh/id_rsa.pub | ssh admin@192.168.0.11 'cat >> /tmp/home/root/.ssh/authorized_keys'
###admin@192.168.0.11's password:

# scp -p /jffs/.ssh/id_rsa* admin@192.168.0.11:/jffs/.ssh/

# scp -p /jffs/scripts/post-mount admin@192.168.0.11:/jffs/scripts/

# scp -p /jffs/.ssh/id_rsa admin@192.168.0.11:/tmp/home/root/.ssh/id_dropbear

# ssh admin@192.168.0.11 'ls -la /jffs/.ssh/'
drwxrwxrwx    2 admin    root             0 Aug 10 20:32 .
drwxr-xr-x   11 admin    root             0 Aug 10 20:32 ..
-rw-------    1 admin    root           805 Aug 10 19:10 id_rsa
-rw-rw-rw-    1 admin    root           401 Aug 10 19:12 id_rsa.pub

# ssh admin@192.168.0.11 'ls -la /jffs/scripts/'
drwxr-xr-x    2 admin    root             0 Aug 10 18:59 .
drwxr-xr-x   11 admin    root             0 Aug 10 21:34 ..
-rwxr-xr-x    1 admin    root           808 Aug 10 20:20 init-start
-rwxr-xr-x    1 admin    root          9116 Aug  3 21:39 post-mount
-rwxr-xr-x    1 admin    root            57 Oct 11  2020 pre-mount
-rwxr-xr-x    1 admin    root            58 Jan 12  2021 services-stop
-rwxr-xr-x    1 admin    root          2027 Aug  9 22:18 torrc.postconf
-rwxr-xr-x    1 admin    root           213 Aug 10 18:59 wan-event

# ssh admin@192.168.0.11 'ls -la /tmp/home/root/.ssh/'
drwx------    2 admin    root            80 Aug 10 21:37 .
drwx------    4 admin    root           120 Aug  7 21:28 ..
-rwx------    1 admin    root           401 Aug 10 19:31 authorized_keys
-rw-------    1 admin    root           805 Aug 10 19:10 id_dropbear

### SSH-Key Based Auth To/From Primary Router & AiMesh Nodes ###
Code:
# ssh -i /jffs/.ssh/id_rsa admin@192.168.0.11
ASUSWRT-Merlin RT-AC68U 384.19_0 Fri Aug 14 19:17:44 UTC 2020
admin@RT-AC66U_B1-C293:/tmp/home/root#

OR

# ssh admin@192.168.0.1
ASUSWRT-Merlin RT-AC68U 384.19_0 Fri Aug 14 19:17:44 UTC 2020
admin@gnutech-wap01:/tmp/home/root#

### Primary Router: Install dropbearconvert and Convert Dropbear Private Key to OpenSSH Private Key for use on Workstation ###
Code:
# opkg update
# opkg install dropbearconvert
Installing dropbearconvert (2020.81-2) to root...
Downloading http://bin.entware.net/armv7sf-k2.6/dropbearconvert_2020.81-2_armv7-2.6.ipk
Configuring dropbearconvert.

# /opt/bin/dropbearconvert dropbear openssh /jffs/.ssh/id_rsa /jffs/.ssh/id_openssh

# ls -l /jffs/.ssh/
-rw-------    1 admin    root          1679 Aug 10 22:51 id_openssh
-rw-------    1 admin    root           805 Aug 10 19:10 id_rsa
-rw-rw-rw-    1 admin    root           401 Aug 10 19:12 id_rsa.pub

### Workstation: Copy/Rename OpenSSH Private Key ###
Code:
$ ls -la ~/.ssh/
total 8
drwx------   3 gnutech  staff   102 May 25 06:07 .
drwxr-xr-x+ 20 gnutech  staff   680 Jul 17 06:06 ..
-rw-r--r--   1 gnutech  staff  1454 Jul 23 18:52 known_hosts

$ scp admin@192.168.0.1:/jffs/.ssh/id_openssh ~/.ssh/

$ ls -la ~/.ssh/
total 8
drwx------   3 gnutech  staff   102 May 25 06:07 .
drwxr-xr-x+ 20 gnutech  staff   680 Jul 17 06:06 ..
-rw-------   1 gnutech  staff  1679 Aug 10 23:00 id_openssh
-rw-r--r--   1 gnutech  staff  1454 Jul 23 18:52 known_hosts

$ mv ~/.ssh/id_openssh ~/.ssh/id_rsa

$ ls -la ~/.ssh/
total 8
drwx------   3 gnutech  staff   102 May 25 06:07 .
drwxr-xr-x+ 20 gnutech  staff   680 Jul 17 06:06 ..
-rw-------   1 gnutech  staff  1679 Aug 10 23:00 id_rsa
-rw-r--r--   1 gnutech  staff  1454 Jul 23 18:52 known_hosts

### SSH-Key Based Auth To Primary Router & AiMesh Nodes From Workstation ###
Code:
$ ssh admin@192.168.0.1
ASUSWRT-Merlin RT-AC68U 384.19_0 Fri Aug 14 19:17:44 UTC 2020
admin@gnutech-wap01:/tmp/home/root#

OR

$ ssh admin@192.168.0.11
ASUSWRT-Merlin RT-AC68U 384.19_0 Fri Aug 14 19:17:44 UTC 2020
admin@RT-AC66U_B1-C293:/tmp/home/root#

Note: Optionally, you can create additional DropBear SSH-Key Pairs and follow this tutorial to add them to the Primary Router and AiMesh Nodes.

Congratulations! You have a successfully working Asuswrt-Merlin DropBear SSH-Key Based Auth To/From AiMesh Nodes & Workstations Solution.

A BIG "Thank You" to those who Pioneered this Solution (RE: References).

References:
Code:
https://www.snbforums.com/threads/dropbear-ssh-without-remote-password.21070/
https://www.snbforums.com/threads/publickey-authentication-from-asus-merlin-router.36000/
https://www.snbforums.com/threads/how-to-save-private-key-and-ssh-config-file-in-asuswrt-merlin.58372/
https://www.snbforums.com/threads/entering-data-for-ssh-authentication-key-kills-router.14729/
 