I downloaded the configuration from the router (backup configuration on the original firmware).
Then I unpacked it. The backup_config.bin is basically a zlib compressed, aes encrypted tar file with the router name as key.
So, I go by memory, but you can get the gist:
openssl zlib -d -in config.bin | openssl aes-256-cbc -d -k 'Archer C1200' -out config.tar
tar xf config.tar
You should have two files in the archive, the "certificate" partition and the config partition. The latter is just an XML file, I edited the file to contain "< RemoteSSH >on< /RemoteSSH >" in Dropbear (as I had previously analysed the modified version they ship, thanks to the GPL code they released).
You're done. Now you can enter as admin/your_router_password.
<SysAccountLogin>off</SysAccountLogin>
Is another one. If it's off (default) it uses a custom authentication process where you can only login as admin (it doesn't matter what user you select, you end up logging in as user with UID 1000, and the password is the one stored in LUCI.
If it's on it uses PAM (but the passwords are not the same and if you have a blank system password it doesn't let you login!).
Hope it helps.
EDIT: obviously when "you're done", you have to repack the tar file, recompress it with zlib, encrypt it again, and upload it to the router using "config restore".