garycnew
Senior Member
The following is an Asuswrt-Merlin DropBear SSH-Key Based Auth To/From AiMesh Nodes & Workstations Tutorial gleaned from Existing Posts in this Forum (RE: References).
Requirements/Assumptions:
1. An Asuswrt-Merlin Compatible Router (i.e., Asus RT-AC66U)
2. Asuswrt-Merlin Compatible Firmware (i.e., 384.19)
3. Formatted JFFS Partition and Enabled JFFS Custom Scripts and Configs
4. Capable of Editing the following User Script:
/jffs/scripts/post-mount
### Primary Router: Create DropBear Private/Public SSH-Key Pair ###
Code:
$ ssh admin@192.168.0.1
admin@192.168.0.1's password:
# mkdir -p /jffs/.ssh
# dropbearkey -t rsa -f /jffs/.ssh/id_rsa
# dropbearkey -y -f /jffs/.ssh/id_rsa | tail -n2 | head -n1 > /jffs/.ssh/id_rsa.pub
# cp -p /jffs/.ssh/id_rsa /tmp/home/root/.ssh/id_dropbear
### Primary Router: Create post-mount Script to Persist DropBear Private Key ###
Code:
# touch /jffs/scripts/post-mount
# chmod 755 /jffs/scripts/post-mount
# vi /jffs/scripts/post-mount
#!/bin/sh
# Persist the DropBear private key: /tmp is volatile, so copy it from JFFS
# at each mount if the id_dropbear private key does not already exist.
if [ ! -f "/tmp/home/root/.ssh/id_dropbear" ]; then
    /bin/mkdir -p /tmp/home/root/.ssh
    /bin/cp -p /jffs/.ssh/id_rsa /tmp/home/root/.ssh/id_dropbear
fi
### Primary Router: Copy/Paste Public Key id_rsa.pub to Advanced Settings > Administration > System > Service > Authorized Keys of the Asuswrt-Merlin WebUI ###
Code:
!!! Caution: Ensure that the DropBear Public Key is a single line of at most 2999 Characters, with no stray Non-Alphanumeric Characters, embedded New-Lines, Hard-Returns, or Trailing-Spaces !!!
# cat /jffs/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUJfB/b5p7qbVIBSLXljtYILnGlwYgl9PrJawkui03Ys3XefJI0SMj8MA10H/BVoWAdfZYkx/MFlVzzIy2oXs3cYwudUCnsXlc8m2GGt8qWgwQgHCFO29MsBWff1s2knd3/Jf9PUJl09hhYmk4yTkSQJf8h79IW9Wd7uWKf4bbn73oF/Ryr4PK/RLJanP9A6aZerVwOrC2e2qc6Q1KNr7P/2u8O8ac2qFHoG1VknQ5QWlW3fK1RPeuviZOr4PO/lx4ZOvNkTJRFq0jXlWg65ss0QRjNJ193Jsoz2VtxtI58Uw6n3Hd5wYYzyZ06hr5uBm/QaCRC0opGkRl3VSBuQC7 admin@gnutech-wap01
# cat /tmp/home/root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUJfB/b5p7qbVIBSLXljtYILnGlwYgl9PrJawkui03Ys3XefJI0SMj8MA10H/BVoWAdfZYkx/MFlVzzIy2oXs3cYwudUCnsXlc8m2GGt8qWgwQgHCFO29MsBWff1s2knd3/Jf9PUJl09hhYmk4yTkSQJf8h79IW9Wd7uWKf4bbn73oF/Ryr4PK/RLJanP9A6aZerVwOrC2e2qc6Q1KNr7P/2u8O8ac2qFHoG1VknQ5QWlW3fK1RPeuviZOr4PO/lx4ZOvNkTJRFq0jXlWg65ss0QRjNJ193Jsoz2VtxtI58Uw6n3Hd5wYYzyZ06hr5uBm/QaCRC0opGkRl3VSBuQC7 admin@gnutech-wap01
# nvram show | grep -i sshd_authkeys
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUJfB/b5p7qbVIBSLXljtYILnGlwYgl9PrJawkui03Ys3XefJI0SMj8MA10H/BVoWAdfZYkx/MFlVzzIy2oXs3cYwudUCnsXlc8m2GGt8qWgwQgHCFO29MsBWff1s2knd3/Jf9PUJl09hhYmk4yTkSQJf8h79IW9Wd7uWKf4bbn73oF/Ryr4PK/RLJanP9A6aZerVwOrC2e2qc6Q1KNr7P/2u8O8ac2qFHoG1VknQ5QWlW3fK1RPeuviZOr4PO/lx4ZOvNkTJRFq0jXlWg65ss0QRjNJ193Jsoz2VtxtI58Uw6n3Hd5wYYzyZ06hr5uBm/QaCRC0opGkRl3VSBuQC7 admin@gnutech-wap01
### AiMesh Node: Create .ssh Directories & NVRAM SET sshd_authkeys Variable ###
Code:
# ssh -i /jffs/.ssh/id_rsa admin@192.168.0.11
admin@192.168.0.11's password:
# mkdir -p /tmp/home/root/.ssh
# mkdir -p /jffs/.ssh && chmod 700 /jffs/.ssh
!!! Caution: Ensure that the DropBear Public Key is a single line of at most 2999 Characters, with no stray Non-Alphanumeric Characters, embedded New-Lines, Hard-Returns, or Trailing-Spaces !!!
### Note: The Backslashes added to the ssh-rsa Public Key escape the Spaces when Setting the NVRAM sshd_authkeys Variable. ###
# nvram set sshd_authkeys=ssh-rsa\ AAAAB3NzaC1yc2EAAAADAQABAAABAQCUJfB/b5p7qbVIBSLXljtYILnGlwYgl9PrJawkui03Ys3XefJI0SMj8MA10H/BVoWAdfZYkx/MFlVzzIy2oXs3cYwudUCnsXlc8m2GGt8qWgwQgHCFO29MsBWff1s2knd3/Jf9PUJl09hhYmk4yTkSQJf8h79IW9Wd7uWKf4bbn73oF/Ryr4PK/RLJanP9A6aZerVwOrC2e2qc6Q1KNr7P/2u8O8ac2qFHoG1VknQ5QWlW3fK1RPeuviZOr4PO/lx4ZOvNkTJRFq0jXlWg65ss0QRjNJ193Jsoz2VtxtI58Uw6n3Hd5wYYzyZ06hr5uBm/QaCRC0opGkRl3VSBuQC7\ admin@gnutech-wap01
# nvram show | grep -i sshd_authkeys
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUJfB/b5p7qbVIBSLXljtYILnGlwYgl9PrJawkui03Ys3XefJI0SMj8MA10H/BVoWAdfZYkx/MFlVzzIy2oXs3cYwudUCnsXlc8m2GGt8qWgwQgHCFO29MsBWff1s2knd3/Jf9PUJl09hhYmk4yTkSQJf8h79IW9Wd7uWKf4bbn73oF/Ryr4PK/RLJanP9A6aZerVwOrC2e2qc6Q1KNr7P/2u8O8ac2qFHoG1VknQ5QWlW3fK1RPeuviZOr4PO/lx4ZOvNkTJRFq0jXlWg65ss0QRjNJ193Jsoz2VtxtI58Uw6n3Hd5wYYzyZ06hr5uBm/QaCRC0opGkRl3VSBuQC7 admin@gnutech-wap01
# nvram commit
# reboot
### Primary Router: Copy ssh-rsa Public/Private SSH-Key Pair & post-mount Script to AiMesh Node ###
Code:
###cat /jffs/.ssh/id_rsa.pub | ssh admin@192.168.0.11 'cat >> /tmp/home/root/.ssh/authorized_keys'
###admin@192.168.0.11's password:
# scp -p /jffs/.ssh/id_rsa* admin@192.168.0.11:/jffs/.ssh/
### Note: If the AiMesh Node already has its own /jffs/scripts/post-mount, append the id_dropbear block to it instead of overwriting it with scp. ###
# scp -p /jffs/scripts/post-mount admin@192.168.0.11:/jffs/scripts/
# scp -p /jffs/.ssh/id_rsa admin@192.168.0.11:/tmp/home/root/.ssh/id_dropbear
# ssh admin@192.168.0.11 'ls -la /jffs/.ssh/'
drwxrwxrwx 2 admin root 0 Aug 10 20:32 .
drwxr-xr-x 11 admin root 0 Aug 10 20:32 ..
-rw------- 1 admin root 805 Aug 10 19:10 id_rsa
-rw-rw-rw- 1 admin root 401 Aug 10 19:12 id_rsa.pub
# ssh admin@192.168.0.11 'ls -la /jffs/scripts/'
drwxr-xr-x 2 admin root 0 Aug 10 18:59 .
drwxr-xr-x 11 admin root 0 Aug 10 21:34 ..
-rwxr-xr-x 1 admin root 808 Aug 10 20:20 init-start
-rwxr-xr-x 1 admin root 9116 Aug 3 21:39 post-mount
-rwxr-xr-x 1 admin root 57 Oct 11 2020 pre-mount
-rwxr-xr-x 1 admin root 58 Jan 12 2021 services-stop
-rwxr-xr-x 1 admin root 2027 Aug 9 22:18 torrc.postconf
-rwxr-xr-x 1 admin root 213 Aug 10 18:59 wan-event
# ssh admin@192.168.0.11 'ls -la /tmp/home/root/.ssh/'
drwx------ 2 admin root 80 Aug 10 21:37 .
drwx------ 4 admin root 120 Aug 7 21:28 ..
-rwx------ 1 admin root 401 Aug 10 19:31 authorized_keys
-rw------- 1 admin root 805 Aug 10 19:10 id_dropbear
### SSH-Key Based Auth To/From Primary Router & AiMesh Nodes ###
Code:
# ssh -i /jffs/.ssh/id_rsa admin@192.168.0.11
ASUSWRT-Merlin RT-AC68U 384.19_0 Fri Aug 14 19:17:44 UTC 2020
admin@RT-AC66U_B1-C293:/tmp/home/root#
OR
# ssh admin@192.168.0.1
ASUSWRT-Merlin RT-AC68U 384.19_0 Fri Aug 14 19:17:44 UTC 2020
admin@gnutech-wap01:/tmp/home/root#
### Primary Router: Install dropbearconvert and Convert Dropbear Private Key to OpenSSH Private Key for use on Workstation ###
Code:
# opkg update
# opkg install dropbearconvert
Installing dropbearconvert (2020.81-2) to root...
Downloading http://bin.entware.net/armv7sf-k2.6/dropbearconvert_2020.81-2_armv7-2.6.ipk
Configuring dropbearconvert.
# /opt/bin/dropbearconvert dropbear openssh /jffs/.ssh/id_rsa /jffs/.ssh/id_openssh
# ls -l /jffs/.ssh/
-rw------- 1 admin root 1679 Aug 10 22:51 id_openssh
-rw------- 1 admin root 805 Aug 10 19:10 id_rsa
-rw-rw-rw- 1 admin root 401 Aug 10 19:12 id_rsa.pub
### Workstation: Copy/Rename OpenSSH Private Key ###
Code:
$ ls -la ~/.ssh/
total 8
drwx------ 3 gnutech staff 102 May 25 06:07 .
drwxr-xr-x+ 20 gnutech staff 680 Jul 17 06:06 ..
-rw-r--r-- 1 gnutech staff 1454 Jul 23 18:52 known_hosts
$ scp admin@192.168.0.1:/jffs/.ssh/id_openssh ~/.ssh/
$ ls -la ~/.ssh/
total 8
drwx------ 3 gnutech staff 102 May 25 06:07 .
drwxr-xr-x+ 20 gnutech staff 680 Jul 17 06:06 ..
-rw------- 1 gnutech staff 1679 Aug 10 23:00 id_openssh
-rw-r--r-- 1 gnutech staff 1454 Jul 23 18:52 known_hosts
$ mv ~/.ssh/id_openssh ~/.ssh/id_rsa
$ ls -la ~/.ssh/
total 8
drwx------ 3 gnutech staff 102 May 25 06:07 .
drwxr-xr-x+ 20 gnutech staff 680 Jul 17 06:06 ..
-rw------- 1 gnutech staff 1679 Aug 10 23:00 id_rsa
-rw-r--r-- 1 gnutech staff 1454 Jul 23 18:52 known_hosts
### SSH-Key Based Auth To Primary Router & AiMesh Nodes From Workstation ###
Code:
$ ssh admin@192.168.0.1
ASUSWRT-Merlin RT-AC68U 384.19_0 Fri Aug 14 19:17:44 UTC 2020
admin@gnutech-wap01:/tmp/home/root#
OR
$ ssh admin@192.168.0.11
ASUSWRT-Merlin RT-AC68U 384.19_0 Fri Aug 14 19:17:44 UTC 2020
admin@RT-AC66U_B1-C293:/tmp/home/root#
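The two cautions above are easy to violate when pasting a key by hand. The following check script is an added example, not from the original post or from Asuswrt-Merlin: it validates a DropBear public key line against the single-line and 2999-character rules the tutorial states and prints the nvram command single-quoted so the spaces need no backslash escaping. It assumes a POSIX sh (BusyBox ash on the router is fine); the key in its test is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity-check a DropBear
# public key before it goes into the WebUI Authorized Keys field or into
# "nvram set sshd_authkeys=...". Assumes POSIX sh; the 2999-character limit
# and single-line rule are the ones the tutorial states.

MAX_AUTHKEY_LEN=2999
nl=$(printf '\nx'); nl=${nl%x}   # literal newline for case patterns
tab=$(printf '\t')

# check_authkey KEYTEXT -> 0 when the key is safe to store, 1 (reason on
# stderr) otherwise.
check_authkey() {
    key=$1
    case "$key" in
        *"$nl"*)            echo "reject: embedded newline/hard return" >&2; return 1 ;;
        *"$tab"*|" "*|*" ") echo "reject: leading/trailing space or tab" >&2; return 1 ;;
        "ssh-rsa "*)        ;;
        *)                  echo "reject: must start with 'ssh-rsa '" >&2; return 1 ;;
    esac
    # Second field is the key blob and must be pure base64; the comment is free-form.
    set -f; set -- $key; set +f
    case "$2" in
        ""|*[!A-Za-z0-9+/=]*) echo "reject: key blob is not base64" >&2; return 1 ;;
    esac
    if [ "${#key}" -gt "$MAX_AUTHKEY_LEN" ]; then
        echo "reject: ${#key} chars exceeds $MAX_AUTHKEY_LEN" >&2; return 1
    fi
    return 0
}

# nvram_set_cmd KEYTEXT -> prints the nvram command single-quoted, with any
# single quote inside the key comment escaped as '\''.
nvram_set_cmd() {
    esc=$(printf '%s' "$1" | sed "s/'/'\\\\''/g")
    printf "nvram set sshd_authkeys='%s'\n" "$esc"
}

# Typical use on the router: sh check_authkey.sh "$(cat /jffs/.ssh/id_rsa.pub)"
if [ $# -gt 0 ]; then
    check_authkey "$1" && nvram_set_cmd "$1"
fi
```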
Note: Optionally, you can create additional DropBear SSH-Key Pairs and follow this tutorial to add them to the Primary Router and AiMesh Nodes.
Congratulations! You have a successfully working Asuswrt-Merlin DropBear SSH-Key Based Auth To/From AiMesh Nodes & Workstations Solution.
A BIG "Thank You" to those who Pioneered this Solution (RE: References).
References:
Code:
https://www.snbforums.com/threads/dropbear-ssh-without-remote-password.21070/
https://www.snbforums.com/threads/publickey-authentication-from-asus-merlin-router.36000/
https://www.snbforums.com/threads/how-to-save-private-key-and-ssh-config-file-in-asuswrt-merlin.58372/
https://www.snbforums.com/threads/entering-data-for-ssh-authentication-key-kills-router.14729/