Tutorial [SOLUTION] Asuswrt-Merlin DropBear SSH-Key Based Auth To/From AiMesh Nodes & Workstations Tutorial

garycnew

The following is an Asuswrt-Merlin DropBear SSH-Key Based Auth To/From AiMesh Nodes & Workstations Tutorial gleaned from Existing Posts in this Forum (RE: References).

Requirements/Assumptions:

1. An Asuswrt-Merlin Compatible Router (i.e., Asus RT-AC66U)
2. Asuswrt-Merlin Compatible Firmware (i.e., 384.19)
3. Formatted JFFS Partition and Enabled JFFS Custom Scripts and Configs
4. Capable of Editing the following User Scripts:
/jffs/scripts/post-mount

### Primary Router: Create DropBear Private/Public SSH-Key Pair ###
Code:
$ ssh [email protected]
[email protected]'s password:

# mkdir -p /jffs/.ssh

# dropbearkey -t rsa -f /jffs/.ssh/id_rsa

# dropbearkey -y -f /jffs/.ssh/id_rsa | tail -n2 | head -n1 > /jffs/.ssh/id_rsa.pub

# cp -p /jffs/.ssh/id_rsa /tmp/home/root/.ssh/id_dropbear

### Primary Router: Create post-mount Script to Persist DropBear Private Key ###
Code:
# touch /jffs/scripts/post-mount
# chmod 755 /jffs/scripts/post-mount

# vi /jffs/scripts/post-mount
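#!/bin/sh

# Check Whether id_dropbear Private Key Exists; Restore It From JFFS If Missing
if [ ! -f "/tmp/home/root/.ssh/id_dropbear" ]; then
   # Ensure the Target Directory Exists Before Copying
   mkdir -p /tmp/home/root/.ssh
   /bin/cp -p /jffs/.ssh/id_rsa /tmp/home/root/.ssh/id_dropbear
fi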

### Primary Router: Copy/Paste Public Key id_rsa.pub to Advanced Settings > Administration > System > Service > Authorized Keys of the Asuswrt-Merlin WebUI ###
Code:
!!! Caution: Ensure that there are no Non-Alphanumerics, New-Lines, Hard-Returns, or Trailing-Spaces in the DropBear Public Key with a limit of 2999 Characters !!!

# cat /jffs/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUJfB/b5p7qbVIBSLXljtYILnGlwYgl9PrJawkui03Ys3XefJI0SMj8MA10H/BVoWAdfZYkx/MFlVzzIy2oXs3cYwudUCnsXlc8m2GGt8qWgwQgHCFO29MsBWff1s2knd3/Jf9PUJl09hhYmk4yTkSQJf8h79IW9Wd7uWKf4bbn73oF/Ryr4PK/RLJanP9A6aZerVwOrC2e2qc6Q1KNr7P/2u8O8ac2qFHoG1VknQ5QWlW3fK1RPeuviZOr4PO/lx4ZOvNkTJRFq0jXlWg65ss0QRjNJ193Jsoz2VtxtI58Uw6n3Hd5wYYzyZ06hr5uBm/QaCRC0opGkRl3VSBuQC7 [email protected]

# cat /tmp/home/root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUJfB/b5p7qbVIBSLXljtYILnGlwYgl9PrJawkui03Ys3XefJI0SMj8MA10H/BVoWAdfZYkx/MFlVzzIy2oXs3cYwudUCnsXlc8m2GGt8qWgwQgHCFO29MsBWff1s2knd3/Jf9PUJl09hhYmk4yTkSQJf8h79IW9Wd7uWKf4bbn73oF/Ryr4PK/RLJanP9A6aZerVwOrC2e2qc6Q1KNr7P/2u8O8ac2qFHoG1VknQ5QWlW3fK1RPeuviZOr4PO/lx4ZOvNkTJRFq0jXlWg65ss0QRjNJ193Jsoz2VtxtI58Uw6n3Hd5wYYzyZ06hr5uBm/QaCRC0opGkRl3VSBuQC7 [email protected]

# nvram show | grep -i sshd_authkeys
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUJfB/b5p7qbVIBSLXljtYILnGlwYgl9PrJawkui03Ys3XefJI0SMj8MA10H/BVoWAdfZYkx/MFlVzzIy2oXs3cYwudUCnsXlc8m2GGt8qWgwQgHCFO29MsBWff1s2knd3/Jf9PUJl09hhYmk4yTkSQJf8h79IW9Wd7uWKf4bbn73oF/Ryr4PK/RLJanP9A6aZerVwOrC2e2qc6Q1KNr7P/2u8O8ac2qFHoG1VknQ5QWlW3fK1RPeuviZOr4PO/lx4ZOvNkTJRFq0jXlWg65ss0QRjNJ193Jsoz2VtxtI58Uw6n3Hd5wYYzyZ06hr5uBm/QaCRC0opGkRl3VSBuQC7 [email protected]

### AiMesh Node: Create .ssh Directories & NVRAM SET sshd_authkeys Variable ###
Code:
# ssh -i /jffs/.ssh/id_rsa [email protected]
[email protected]'s password:

# mkdir -p /tmp/home/root/.ssh
# mkdir -p /jffs/.ssh

!!! Caution: Ensure that there are no Non-Alphanumerics, New-Lines, Hard-Returns, or Trailing-Spaces in the DropBear Public Key with a limit of 2999 Characters !!!
### Note: The Addition of Backslashes in the ssh-rsa Public Key to Escape the Spaces when Setting the NVRAM sshd_authkeys Variable. ###

# nvram set sshd_authkeys=ssh-rsa\ AAAAB3NzaC1yc2EAAAADAQABAAABAQCUJfB/b5p7qbVIBSLXljtYILnGlwYgl9PrJawkui03Ys3XefJI0SMj8MA10H/BVoWAdfZYkx/MFlVzzIy2oXs3cYwudUCnsXlc8m2GGt8qWgwQgHCFO29MsBWff1s2knd3/Jf9PUJl09hhYmk4yTkSQJf8h79IW9Wd7uWKf4bbn73oF/Ryr4PK/RLJanP9A6aZerVwOrC2e2qc6Q1KNr7P/2u8O8ac2qFHoG1VknQ5QWlW3fK1RPeuviZOr4PO/lx4ZOvNkTJRFq0jXlWg65ss0QRjNJ193Jsoz2VtxtI58Uw6n3Hd5wYYzyZ06hr5uBm/QaCRC0opGkRl3VSBuQC7\ [email protected]

# nvram show | grep -i sshd_authkeys
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUJfB/b5p7qbVIBSLXljtYILnGlwYgl9PrJawkui03Ys3XefJI0SMj8MA10H/BVoWAdfZYkx/MFlVzzIy2oXs3cYwudUCnsXlc8m2GGt8qWgwQgHCFO29MsBWff1s2knd3/Jf9PUJl09hhYmk4yTkSQJf8h79IW9Wd7uWKf4bbn73oF/Ryr4PK/RLJanP9A6aZerVwOrC2e2qc6Q1KNr7P/2u8O8ac2qFHoG1VknQ5QWlW3fK1RPeuviZOr4PO/lx4ZOvNkTJRFq0jXlWg65ss0QRjNJ193Jsoz2VtxtI58Uw6n3Hd5wYYzyZ06hr5uBm/QaCRC0opGkRl3VSBuQC7 [email protected]

# nvram commit
# reboot

### Primary Router: Copy ssh-rsa Public/Private SSH-Key Pair & post-mount Script to AiMesh Node ###
Code:
###cat /jffs/.ssh/id_rsa.pub | ssh [email protected] 'cat >> /tmp/home/root/.ssh/authorized_keys'
###[email protected]'s password:

# scp -p /jffs/.ssh/id_rsa* [email protected]:/jffs/.ssh/

# scp -p /jffs/scripts/post-mount [email protected]:/jffs/scripts/

# scp -p /jffs/.ssh/id_rsa [email protected]:/tmp/home/root/.ssh/id_dropbear

# ssh [email protected] 'ls -la /jffs/.ssh/'
drwxrwxrwx    2 admin    root             0 Aug 10 20:32 .
drwxr-xr-x   11 admin    root             0 Aug 10 20:32 ..
-rw-------    1 admin    root           805 Aug 10 19:10 id_rsa
-rw-rw-rw-    1 admin    root           401 Aug 10 19:12 id_rsa.pub

# ssh [email protected] 'ls -la /jffs/scripts/'
drwxr-xr-x    2 admin    root             0 Aug 10 18:59 .
drwxr-xr-x   11 admin    root             0 Aug 10 21:34 ..
-rwxr-xr-x    1 admin    root           808 Aug 10 20:20 init-start
-rwxr-xr-x    1 admin    root          9116 Aug  3 21:39 post-mount
-rwxr-xr-x    1 admin    root            57 Oct 11  2020 pre-mount
-rwxr-xr-x    1 admin    root            58 Jan 12  2021 services-stop
-rwxr-xr-x    1 admin    root          2027 Aug  9 22:18 torrc.postconf
-rwxr-xr-x    1 admin    root           213 Aug 10 18:59 wan-event

# ssh [email protected] 'ls -la /tmp/home/root/.ssh/'
drwx------    2 admin    root            80 Aug 10 21:37 .
drwx------    4 admin    root           120 Aug  7 21:28 ..
-rwx------    1 admin    root           401 Aug 10 19:31 authorized_keys
-rw-------    1 admin    root           805 Aug 10 19:10 id_dropbear

### SSH-Key Based Auth To/From Primary Router & AiMesh Nodes ###
Code:
# ssh -i /jffs/.ssh/id_rsa [email protected]
ASUSWRT-Merlin RT-AC68U 384.19_0 Fri Aug 14 19:17:44 UTC 2020
[email protected]_B1-C293:/tmp/home/root#

OR

# ssh [email protected]
ASUSWRT-Merlin RT-AC68U 384.19_0 Fri Aug 14 19:17:44 UTC 2020
[email protected]:/tmp/home/root#

### Primary Router: Install dropbearconvert and Convert Dropbear Private Key to OpenSSH Private Key for use on Workstation ###
Code:
# opkg update
# opkg install dropbearconvert
Installing dropbearconvert (2020.81-2) to root...
Downloading http://bin.entware.net/armv7sf-k2.6/dropbearconvert_2020.81-2_armv7-2.6.ipk
Configuring dropbearconvert.

# /opt/bin/dropbearconvert dropbear openssh /jffs/.ssh/id_rsa /jffs/.ssh/id_openssh

# ls -l /jffs/.ssh/
-rw-------    1 admin    root          1679 Aug 10 22:51 id_openssh
-rw-------    1 admin    root           805 Aug 10 19:10 id_rsa
-rw-rw-rw-    1 admin    root           401 Aug 10 19:12 id_rsa.pub

### Workstation: Copy/Rename OpenSSH Private Key ###
Code:
$ ls -la ~/.ssh/
total 8
drwx------   3 gnutech  staff   102 May 25 06:07 .
drwxr-xr-x+ 20 gnutech  staff   680 Jul 17 06:06 ..
-rw-r--r--   1 gnutech  staff  1454 Jul 23 18:52 known_hosts

$ scp [email protected]:/jffs/.ssh/id_openssh ~/.ssh/

$ ls -la ~/.ssh/
total 8
drwx------   3 gnutech  staff   102 May 25 06:07 .
drwxr-xr-x+ 20 gnutech  staff   680 Jul 17 06:06 ..
-rw-------   1 gnutech  staff  1679 Aug 10 23:00 id_openssh
-rw-r--r--   1 gnutech  staff  1454 Jul 23 18:52 known_hosts

$ mv ~/.ssh/id_openssh ~/.ssh/id_rsa

$ ls -la ~/.ssh/
total 8
drwx------   3 gnutech  staff   102 May 25 06:07 .
drwxr-xr-x+ 20 gnutech  staff   680 Jul 17 06:06 ..
-rw-------   1 gnutech  staff  1679 Aug 10 23:00 id_rsa
-rw-r--r--   1 gnutech  staff  1454 Jul 23 18:52 known_hosts

### SSH-Key Based Auth To Primary Router & AiMesh Nodes From Workstation ###
Code:
$ ssh [email protected]
ASUSWRT-Merlin RT-AC68U 384.19_0 Fri Aug 14 19:17:44 UTC 2020
[email protected]:/tmp/home/root#

OR

$ ssh [email protected]
ASUSWRT-Merlin RT-AC68U 384.19_0 Fri Aug 14 19:17:44 UTC 2020
[email protected]_B1-C293:/tmp/home/root#

Note: Optionally, you can create additional DropBear SSH-Key Pairs and follow this tutorial to add them to the Primary Router and AiMesh Nodes.

Congratulations! You have a successfully working Asuswrt-Merlin DropBear SSH-Key Based Auth To/From AiMesh Nodes & Workstations Solution.

A BIG "Thank You" to those who Pioneered this Solution (RE: References).

References:
Code:
https://www.snbforums.com/threads/dropbear-ssh-without-remote-password.21070/
https://www.snbforums.com/threads/publickey-authentication-from-asus-merlin-router.36000/
https://www.snbforums.com/threads/how-to-save-private-key-and-ssh-config-file-in-asuswrt-merlin.58372/
https://www.snbforums.com/threads/entering-data-for-ssh-authentication-key-kills-router.14729/
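
The caution in the tutorial about the DropBear public key (no new-lines, hard-returns or trailing spaces, 2999-character limit) can be checked mechanically before the WebUI paste or `nvram set sshd_authkeys`. The following is an added example, not part of the original post: `check_pubkey`, `MAX_LEN` and the sample lines are constructed for illustration, and beyond the tutorial's ssh-rsa case it also accepts ssh-ed25519 lines.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight check for a public-key
# line before it goes into the WebUI field or `nvram set sshd_authkeys=...`.
MAX_LEN=2999   # character limit quoted in the tutorial's caution

# check_pubkey LINE: prints "ok" or the first problem found; returns 0 or 1.
check_pubkey() {
    key=$1
    cr=$(printf '\r'); tab=$(printf '\t')
    nl='
'
    case $key in
        '')                echo "empty key"; return 1 ;;
        *"$nl"*|*"$cr"*)   echo "embedded new-line or carriage return"; return 1 ;;
        *"$tab"*)          echo "embedded tab"; return 1 ;;
        ' '*|*' ')         echo "leading or trailing space"; return 1 ;;
        *' '*)             ;;   # at least one separator: type + blob
        *)                 echo "missing base64 blob"; return 1 ;;
    esac
    [ "${#key}" -le "$MAX_LEN" ] || { echo "longer than $MAX_LEN characters"; return 1; }

    ktype=${key%% *}; rest=${key#* }; blob=${rest%% *}
    # The blob starts with the base64 of the length-prefixed type name.
    case $ktype in
        ssh-rsa)     prefix=AAAAB3NzaC1yc2E ;;
        ssh-ed25519) prefix=AAAAC3NzaC1lZDI1NTE5 ;;
        *)           echo "unexpected key type: $ktype"; return 1 ;;
    esac
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "blob is empty or not base64"; return 1 ;;
        "$prefix"*)           ;;
        *)                    echo "blob does not match $ktype"; return 1 ;;
    esac
    # A clipped copy/paste usually breaks base64's 4-character grouping.
    [ $(( ${#blob} % 4 )) -eq 0 ] || { echo "blob length not a multiple of 4"; return 1; }
    echo "ok"
}

# Constructed sample lines (shortened blobs, not real keys).
for sample in \
    'ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB admin@router' \
    'ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB admin@router ' \
    'ssh-rsa AAAAB3NzaC1yc2EAAAADAQ admin@router'
do
    printf '%s\n' "$(check_pubkey "$sample")"
done
```

Once a line passes, quoting the whole argument, as in `nvram set "sshd_authkeys=$key"`, hands the shell the same string as the backslash-escaped form used in the tutorial.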
 