Passwordless public key-based SSH login on router with Asus Merlin firmware


Put your public key in /etc/dropbear/authorized_keys

edit:

I originally thought dropbear was not reading ~/.ssh even though it should, so I pointed to the default directory /etc/dropbear/. authorized_keys is not there by default, so it isn't so obvious.

Rereading the question, I realized you were confusing host keypairs with login keypairs.

You need to accept the router's host keypair (/etc/dropbear/dropbear_rsa_host_key) and place your public key on the router in either location's authorized_keys file, and you should be good to go.
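The two steps above, as an added shell example that is not part of the original answer: the first function checks that a login public key is in the one-line `ssh-rsa AAAA... comment` form the question describes (not PuTTYgen's multi-line "Save public key" file) and appends it to an authorized_keys file with the directory at 700 and the file at 600, skipping the key if it is already present; the second prints the router's host key fingerprint with `dropbearkey -y -f`, which is the value to compare against the prompt PuTTY shows on first connection. The path and key material in the usage section are constructed for illustration; on the router the path would be /etc/dropbear/authorized_keys or ~/.ssh/authorized_keys.

```shell
#!/bin/sh
# Added example, not code from the original answer or the Asuswrt-Merlin project.

# Return 0 if "$1" looks like a single-line OpenSSH/Dropbear public key:
# "<type> <base64 blob> [comment]" with no embedded line breaks.
is_valid_pubkey() {
    key="$1"
    # A line break means the RFC 4716 multi-line format PuTTYgen writes when
    # you click "Save public key"; authorized_keys needs the one-line form
    # shown in PuTTYgen's text box instead.
    [ "$(printf '%s' "$key" | wc -l | tr -d ' ')" -eq 0 ] || return 1
    set -- $key
    case "$1" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    # The key blob must be non-empty base64.
    printf '%s' "${2:-}" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# Install login public key "$2" into authorized_keys file "$1" (created if
# missing), enforcing the 700/600 permissions sshd and dropbear expect.
# Idempotent: an already-present key (same type and blob) is not appended again.
install_authorized_key() {
    keyfile="$1"
    key="$2"
    is_valid_pubkey "$key" || { echo "refusing malformed public key" >&2; return 1; }
    dir=$(dirname "$keyfile")
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$keyfile"
    chmod 600 "$keyfile"
    set -- $key
    # Match on type + blob only, so a different comment does not create a duplicate.
    if grep -Fq -- "$1 $2" "$keyfile"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$keyfile"
}

# Print the router's host public key and fingerprint. This is the key PuTTY
# asks you to accept; it is unrelated to the login key in authorized_keys.
# Default path is dropbear's RSA host key as named in the question.
show_host_key_fingerprint() {
    hostkey="${1:-/etc/dropbear/dropbear_rsa_host_key}"
    dropbearkey -y -f "$hostkey"
}

# Usage (constructed key and temporary path, for illustration only):
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    demo_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample== rsa-key-20180401'
    install_authorized_key "$demo_dir/.ssh/authorized_keys" "$demo_key"
    cat "$demo_dir/.ssh/authorized_keys"
    rm -rf "$demo_dir"
fi
```

Run it once per login key; running it again with the same key leaves authorized_keys unchanged. Compare the fingerprint printed by `show_host_key_fingerprint` (over the router's serial console or an existing trusted session) with the one PuTTY shows before clicking Accept, so that a man-in-the-middle on the LAN cannot substitute its own host key.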


Author: noseratio

Updated on September 18, 2022

Comments

  • noseratio
    noseratio over 1 year

    I'm trying to enable passwordless SSH login on my ASUS RT-AC68U home router which runs version 384.4_2 of Asuswrt-Merlin firmware (the most recent one at the time of posting this). Having read many posts and howtos (including this one), I still can't get it working.

    I use PuTTYgen to generate a pair of RSA-2048 keys, save the public key at ~/.ssh/authorized_keys on the router, then try to connect with PuTTY, which I've limited to RSA only. As PuTTY negotiates the session encryption, it prompts to accept the public key provided by the server. I expect it to be my key from ~/.ssh/authorized_keys, but instead I'm always seeing dropbear's own public key (from /etc/dropbear/dropbear_rsa_host_key). I know it's that one by running dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key.

    The permissions for the ~/.ssh folder are set to 700, for ~/.ssh/authorized_keys to 600. The key is saved via the router's Web UI in the correct format (i.e., ssh-rsa AAAA...5iYw== rsa-key-20180401, no line breaks). I tried both root and admin as the SSH user. I also tried everything from scratch, after resetting the router to the factory settings, with the same result.

    Is there anything I'm missing? At this point, I think my only option would be to extract dropbear's private key from /etc/dropbear/dropbear_rsa_host_key and use it instead of generating my own.

    • davidgo
      davidgo about 6 years
      Extracting dropbear's private key won't help. Have you considered flashing Kong's DD-WRT? Adding your public keys via the web interface is trivial with that.
    • noseratio
      noseratio about 6 years
      @davidgo, I haven't tried DD-WRT, but I did try extracting dropbear's private key and using it with PuTTY, and it actually works. Just not happy that the private key lives in the router itself.
  • Timmy Browne
    Timmy Browne about 6 years
    Rereading your question, it looks like you are not accepting the dropbear server's host key. Is that correct? Your login keypair is different from the host keypair. Unless I'm still misunderstanding, you should accept the host public key, and log in without a password via your public key on the host as an authorized_key.
  • noseratio
    noseratio about 6 years
    That was it, thank you! Previously the host public key was cached by PuTTY; I guess I once accepted and saved it. Then I forgot it's a legit part of the authentication sequence and was instead expecting my key in the first place there. Now I feel pretty stupid :) If you edit your answer and include your comment, I'd be happy to accept it.
  • Timmy Browne
    Timmy Browne about 6 years
    Awesome. Glad I could help. Don't feel dumb, I do stuff like this to myself every day; it's always obvious when someone else is doing it :D