Since version 8.2, OpenSSH supports U2F/FIDO hardware authenticators for MFA. Here is a short guide on how to enable two- (or three-) factor SSH authentication using a physical key (like a YubiKey) for accessing the OpenWrt console.
You will need:
- a U2F key (a second key is strongly advised so you do not get locked out if the first one is lost)
- a sufficient amount of memory in the OpenWrt appliance for openssh-server
On the Linux client, generate a key pair backed by the FIDO2 authenticator (the key must be plugged in and touched when prompted) and copy its public half to the router over the existing dropbear service:
ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
ssh-copy-id -i ~/.ssh/id_ecdsa_sk root@router_IP
On the router, move dropbear to another port so that OpenSSH can later take port 22:
uci set dropbear.@dropbear[0].Port=2222
uci commit dropbear
/etc/init.d/dropbear restart
After that you should be able to reach the router with:
ssh -p 2222 root@router_IP
Install the OpenSSH server on the router:
opkg update
opkg install openssh-server
Edit /etc/ssh/sshd_config on the router so it contains the following lines (ListenAddress is optional and restricts sshd to the LAN side; PasswordAuthentication no makes the hardware-backed key the only way in):
ListenAddress LAN_IP_of_the_router
PasswordAuthentication no
and run the following commands:
/etc/init.d/sshd enable
/etc/init.d/sshd start
Keep the dropbear session on port 2222 open until the new login is confirmed. If a fresh connection with
ssh root@router_IP
works fine with the FIDO2 key (you will be asked to touch it), you are ready to disable dropbear:
/etc/init.d/dropbear disable
/etc/init.d/dropbear stop
The Linux part of the setup should be repeated for the second key using different file names. Alternatively, backup authentication could be set up with Google Authenticator.
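A quick audit of the resulting setup, as an added example that is not part of the original post: it checks that an authorized_keys file holds only FIDO2-backed (sk-*) key types and at least two of them (so a backup key is enrolled), and that sshd_config explicitly disables password login. The file paths and key blobs are constructed placeholders; on the router you would point audit at root's authorized_keys and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original post): audit an authorized_keys and an
# sshd_config file to confirm that only FIDO2-backed (sk-*) keys are accepted,
# that a backup key is enrolled, and that password login is off.
# Paths and key blobs below are constructed placeholders.
SK_TYPES='(sk-ecdsa-sha2-nistp256|sk-ssh-ed25519)@openssh[.]com'

# 0 if every key line (comments/blank lines ignored) is a FIDO2 key type.
# The type is field 1, or field 2 when the line starts with key options.
only_sk_keys() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk -v re="^${SK_TYPES}\$" '
        $1 ~ re || $2 ~ re { next }
        { bad++ }
        END { if (bad > 0) exit 1 }'
}

# Number of FIDO2-backed keys; at least 2 means a backup key is enrolled.
count_sk_keys() {
    awk -v re="^${SK_TYPES}\$" '$1 ~ re || $2 ~ re { n++ } END { print n+0 }' "$1"
}

# 0 if PasswordAuthentication is explicitly "no" (keyword is case-insensitive).
password_auth_disabled() {
    grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no([[:space:]]|$)' "$1"
}

# Combined check: only sk-* keys, at least two of them, no password login.
audit() {
    only_sk_keys "$1" && password_auth_disabled "$2" && [ "$(count_sk_keys "$1")" -ge 2 ]
}

TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
cat > "$TMPD/authorized_keys" <<'EOF'
# constructed sample: primary key plus backup key, the second with key options
sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER1 primary-yubikey
no-port-forwarding sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER2 backup-key
EOF
cat > "$TMPD/weak_keys" <<'EOF'
sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER1 primary-yubikey
ssh-rsa AAAAPLACEHOLDER3 leftover-software-key
EOF
printf 'ListenAddress 192.0.2.1\nPasswordAuthentication no\n' > "$TMPD/sshd_config"

if audit "$TMPD/authorized_keys" "$TMPD/sshd_config"; then
    echo "OK: $(count_sk_keys "$TMPD/authorized_keys") FIDO2 keys, password login disabled"
fi
if ! audit "$TMPD/weak_keys" "$TMPD/sshd_config"; then
    echo "FAIL: weak_keys still accepts a software key"
fi
```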