UPDATE: The easiest way to do this is through the web interface (LuCI). System -> Administration -> SSH-Keys. Paste your public key (~/.ssh/id_rsa.pub) and click “Add key”.
I’ve been using so many OpenWrt devices lately I wanted to set up my public SSH key on each device so I can auto login. Also, I can set up a really unfriendly password for the root account that is very secure and use my public key to authenticate. Convenient and secure? What a concept!!
Since this is Dropbear and not OpenSSH, the typical ~/.ssh/authorized_keys file doesn’t work. Instead, the authorized_keys file needs to be in /etc/dropbear/.
This is how I do it quickly and efficiently.
Use the ssh-copy-id command to copy your public key to the remote device's authorized_keys file. This is the same thing you would do to copy your public key to a server. Thanks to Sam for turning me on to this most valuable tool.
From your local user account (you must have a public/private key pair; see ssh-keygen if you need to generate keys):
$ ssh-copy-id email@example.com
Enter the current password. The following will be displayed if you entered the password correctly:
Now try logging into the machine, with "ssh 'firstname.lastname@example.org'", and check in: ~/.ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting.
Now ssh to the device and move the authorized_keys file to the Dropbear directory:
$ ssh email@example.com
firstname.lastname@example.org's password:
root@MyOpenWrt:~# mv /root/.ssh/authorized_keys /etc/dropbear/
Verify that the permissions are 600:
root@MyOpenWrt:~# ls -l /etc/dropbear/
-rw------- 1 root root 394 Apr 24 20:09 authorized_keys
Log out and ssh back to 192.168.1.1. This time it will ask for your SSH key passphrase instead of the root password.
$ ssh email@example.com
Enter passphrase for key ‘/home/jason/.ssh/id_rsa’:
If you would like to log in without ssh asking for your passphrase, you can use ssh-agent to store your identity. Use ssh-add to add your key to ssh-agent.
$ ssh-add
Enter passphrase for /home/jason/.ssh/id_rsa:
Now ssh to 192.168.1.1 again. This time it doesn’t ask for a password!
$ ssh firstname.lastname@example.org

BusyBox v1.15.3 (2011-11-24 00:44:20 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 Backfire (10.03.1, r29592) ------------------------
  * 1/3 shot Kahlua    In a shot glass, layer Kahlua
  * 1/3 shot Bailey's  on the bottom, then Bailey's,
  * 1/3 shot Vodka     then Vodka.
 ---------------------------------------------------
root@MyOpenWrt:~#
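The mv step above replaces any authorized_keys file that already exists in /etc/dropbear/, so keys installed earlier are lost. The following is an added example, not part of the original post: a shell function to run on the device that merges keys instead and then sets the permissions the post checks for. The function name install_dropbear_key and its arguments are hypothetical, and the 700 mode on the directory is this example's choice.

```shell
#!/bin/sh
# Added example: merge public keys into Dropbear's authorized_keys without
# overwriting keys that are already installed.
# usage: install_dropbear_key <pubkey-file> [dropbear-dir]
install_dropbear_key() {
    src=$1
    dir=${2:-/etc/dropbear}          # default location used in the post
    dest=$dir/authorized_keys

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    # Refuse private key material pasted or copied by mistake.
    if grep -q 'PRIVATE KEY' "$src"; then
        echo "refusing to install: $src contains a private key" >&2
        return 1
    fi

    mkdir -p "$dir" || return 1
    touch "$dest" || return 1

    # Append each key line only if that exact line is not already present,
    # so running the function twice does not create duplicates.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;     # skip blank lines and comments
        esac
        grep -qxF -- "$line" "$dest" || printf '%s\n' "$line" >> "$dest"
    done < "$src"

    # Keep the directory and the key file private to root.
    chmod 700 "$dir" && chmod 600 "$dest"
}
```

For example, after ssh-copy-id has written /root/.ssh/authorized_keys, run `install_dropbear_key /root/.ssh/authorized_keys` on the device in place of the mv command.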
You can also do this via the LuCI web interface. It's actually very easy. Copy your ~/.ssh/id_rsa.pub and paste it into “System” -> “Administration” -> “SSH-Keys” and then “Save & Apply”. Done.