Since version 8.2, OpenSSH supports U2F MFA. Here is a short guide on how to enable two- (or three-) factor SSH authentication with a physical key (such as a YubiKey) for accessing the OpenWrt console.
Prerequisites:
- a U2F key (a second key is strongly advised so you do not get locked out if a key is lost)
- a sufficient amount of free memory on the OpenWrt device
On Linux:
ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
ssh-copy-id -i ~/.ssh/id_ecdsa_sk root@router_IP
On router:
uci set dropbear.@dropbear[0].Port=2222
uci commit dropbear
/etc/init.d/dropbear restart
After that you should be able to reach the router with ssh -p 2222 root@router_IP, which leaves port 22 free for OpenSSH.
opkg update
opkg install openssh-server
Change the following lines in the router's /etc/ssh/sshd_config file to:
ListenAddress LAN_IP_of_the_router # optional
PasswordAuthentication no
and run the following commands:
/etc/init.d/sshd enable
/etc/init.d/sshd start
If a connection with ssh root@router_IP
works fine with the FIDO2 key, you are ready to disable dropbear:
/etc/init.d/dropbear disable
/etc/init.d/dropbear stop
The Linux part of the setup should be repeated for the second key using different file names. Alternatively, a backup authentication method could be set up with Google Authenticator.
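Before running the two dropbear commands above, a pre-flight check is worth having so that OpenSSH is really the only way in and a lost key cannot lock you out. The script below is an added example, not part of the original post: it confirms that sshd_config disables password logins and that root's authorized_keys holds at least two security-key public keys. It assumes the router paths /etc/ssh/sshd_config and /root/.ssh/authorized_keys.

```shell
#!/bin/sh
# Pre-flight check before disabling dropbear (added example, not part of the post).
# Confirms that sshd_config disables password logins and that root's
# authorized_keys holds at least two FIDO2 security-key public keys, so a lost
# key cannot lock you out. Assumed router paths: /etc/ssh/sshd_config and
# /root/.ssh/authorized_keys (the file OpenSSH reads for root on OpenWrt).

# count_sk_keys FILE: print how many OpenSSH security-key public keys FILE holds.
# ssh-keygen -t ecdsa-sk and -t ed25519-sk produce these two key types.
count_sk_keys() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -E '^(sk-ecdsa-sha2-nistp256|sk-ssh-ed25519)@openssh\.com ' "$1" || true
}

# password_auth_disabled FILE: succeed only if the effective value is "no".
# Like sshd, match the keyword case-insensitively, skip comment lines and take
# the first occurrence (sshd ignores later ones). Match blocks are not handled.
password_auth_disabled() {
    value=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1" 2>/dev/null)
    [ "$value" = "no" ]
}

# preflight CONFIG AUTHKEYS: report each check and succeed only if all pass.
preflight() {
    rc=0
    if password_auth_disabled "$1"; then
        echo "ok:   PasswordAuthentication no in $1"
    else
        echo "FAIL: PasswordAuthentication is not 'no' in $1"
        rc=1
    fi
    n=$(count_sk_keys "$2")
    if [ "$n" -ge 2 ]; then
        echo "ok:   $n security-key public keys in $2"
    else
        echo "FAIL: only $n security-key key(s) in $2; enrol a backup key first"
        rc=1
    fi
    return $rc
}

# Run on the router as: sh preflight.sh /etc/ssh/sshd_config /root/.ssh/authorized_keys
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

A non-zero exit means at least one check failed; keep the existing dropbear session open until the script passes.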