Help with securing ssh

hi @vgaetera,

trying to follow your document
https://openwrt.org/docs/guide-user/security/secure.access

i followed this step "Create a non-privileged user in OpenWrt"
and here is the result

root@OpenWrt:~# cat /etc/passwd
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
asdffdsa6131:x:1000:1000:/home/asdffdsa6131:/bin/ash

i rebooted the router
as always, i am able to login as root using ssh key
when i try to ssh using asdffdsa6131, i get

16:07:57.537 Current date: 2021-01-07
16:07:57.537 Started a new SSH session.
16:07:57.553 Connecting to SSH server 192.168.62.1:34431.
16:07:57.568 Connection established.
16:07:57.568 Server version: SSH-2.0-dropbear
16:07:57.568 First key exchange started. Cryptographic provider: Windows CNG (x86) with additions
16:07:57.901 Received host key from the server. Algorithm: RSA, size: 2048 bits, SHA-256 fingerprint: DB+b3wWI0SvsBdVWoE9in7MeHDHvE4Lgzft7RSK4sgQ.
16:07:57.916 First key exchange completed using diffie-hellman-group14-sha256 (group 14, 2048-bit). Session encryption: aes256-ctr, integrity: hmac-sha2-256, compression: none.
16:07:57.916 Attempting publickey authentication. Testing client key 'Profile 1' for acceptance.
16:07:57.938 Authentication failed. The key has been rejected. Remaining authentication methods: 'publickey'.
16:07:57.938 Authentication aborted. Reason: No authentication methods available.
16:07:57.938 The SSH session has been terminated.

so root can login but not asdffsa6131

Have you copied the public key of the user to the authorized keys file on the router?

# OpenWrt
uci set dropbear.@dropbear[0].PasswordAuth="1"
uci commit dropbear
/etc/init.d/dropbear restart

# PC
ssh -p 34431 asdffdsa6131@192.168.62.1 \
    "mkdir -p ~/.ssh; tee -a ~/.ssh/authorized_keys" < ~/.ssh/id_rsa.pub

If the issue persists, fix ownership and permissions:

# OpenWrt
chown -R $(id -u asdffdsa6131):$(id -g asdffdsa6131) ~asdffdsa6131
chmod -R go= ~asdffdsa6131
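As an added example (not code from the thread or from the OpenWrt guide), here is a small POSIX sh checker for the ownership and permission rules that make dropbear silently ignore a key: the home directory, ~/.ssh and ~/.ssh/authorized_keys must each belong to the user (or root) and must not be group- or world-writable. It takes the numeric uid and the home path as arguments (so it also runs where the account does not exist), assumes GNU or busybox stat, and is demonstrated on a constructed temporary home directory.

```sh
#!/bin/sh
# Added example, not from the thread. Mirrors the checks dropbear applies to
# $HOME, $HOME/.ssh and $HOME/.ssh/authorized_keys before accepting a public
# key: owner must be the user (or uid 0) and group/other write must be off.
# Usage: check_key_perms UID HOMEDIR   -> returns 0 if all three paths pass.
check_key_perms() {
    want_uid=$1
    home=$2
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING   $p"
            rc=1
            continue
        fi
        owner=$(stat -c '%u' "$p")   # numeric owner (GNU and busybox stat)
        mode=$(stat -c '%A' "$p")    # symbolic mode, e.g. drwxr-xr-x
        if [ "$owner" != "$want_uid" ] && [ "$owner" != 0 ]; then
            echo "BAD OWNER $p (uid $owner, want $want_uid or 0)"
            rc=1
        fi
        case "$mode" in
            ?????w*|????????w*)   # 6th char = group write, 9th char = other write
                echo "WRITABLE  $p ($mode)"
                rc=1 ;;
        esac
    done
    return $rc
}

# Demonstration on a constructed home directory (assumes GNU/busybox stat).
demo_home=$(mktemp -d)
mkdir -p "$demo_home/.ssh"
touch "$demo_home/.ssh/authorized_keys"
chmod 700 "$demo_home" "$demo_home/.ssh"
chmod 600 "$demo_home/.ssh/authorized_keys"
check_key_perms "$(id -u)" "$demo_home" && echo "OK: $demo_home passes"
chmod g+w "$demo_home/.ssh/authorized_keys"   # reproduce a common mistake
check_key_perms "$(id -u)" "$demo_home" || echo "dropbear would reject this key"
rm -rf "$demo_home"
```

On the router, run it as `check_key_perms "$(id -u asdffdsa6131)" /home/asdffdsa6131` after the chown/chmod above; any line it prints names the path that still needs fixing.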

hi again,

my pc is windows, using bitvise gui client.
not sure how to run that command via the pc?

could i do this?

  1. create a new ssh key
  2. log in using ssh as root.
  3. then using the ssh command prompt mkdir -p /home/asdffdsa6131/.ssh
  4. using sftp client, manually copy that ssh key into /home/asdffdsa6131/.ssh and name it authorized_keys

Save the public key to ~asdffdsa6131/.ssh/authorized_keys and fix permissions/ownership as mentioned above.

but ~/ is the home dir of the root user?

root@OpenWrt:~# ls ~/.ssh
ls: /root/.ssh: No such file or directory
echo ~asdffdsa6131

not what you want, to run that command

root@OpenWrt:~# echo ~asdffdsa6131
~asdffdsa6131

That's weird, check this:

ubus call system board; echo ~root; grep -e asdffdsa6131 /etc/passwd
root@OpenWrt:~# ubus call system board; echo ~root; grep -e asdffdsa6131 /etc/passwd
{
        "kernel": "4.14.195",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT3200ACM",
        "board_name": "linksys,rango",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.4",
                "revision": "r11208-ce6496d796",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 19.07.4 r11208-ce6496d796"
        }
}
/root
asdffdsa6131:x:1000:1000:/home/asdffdsa6131:/bin/ash

i think this is not correct
asdffdsa6131:x:1000:1000:/home/asdffdsa6131:/bin/ash
maybe should be
asdffdsa6131:x:1000:1000:asdffdsa6131:/home/asdffdsa6131:/bin/ash

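As an added example, not code from the thread: a POSIX sh validator for /etc/passwd entries that catches exactly what went wrong here. The broken line had six fields instead of seven (the GECOS field was dropped), so the home path shifted into the GECOS slot and the shell into the home slot, which is why `~asdffdsa6131` did not expand and the login failed. The checker also flags non-numeric uid/gid, relative home or shell paths, and any uid 0 account other than root, and runs over constructed sample lines.

```sh
#!/bin/sh
# Added example, not from the thread. Validates one passwd line of the form
#   name:password:uid:gid:gecos:home:shell
# Returns 0 when the entry is well formed, 1 otherwise.
check_passwd_line() {
    line=$1
    nf=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
    if [ "$nf" -ne 7 ]; then
        # The thread's failure: six fields, so home and shell shift one slot left
        echo "BAD  ($nf fields, need 7): $line"
        return 1
    fi
    pwfield() { printf '%s\n' "$line" | cut -d: -f"$1"; }
    name=$(pwfield 1); uid=$(pwfield 3); gid=$(pwfield 4)
    home=$(pwfield 6); shell=$(pwfield 7)
    err=""
    case "$name"  in ''|*[!A-Za-z0-9_.-]*) err="$err bad-name" ;; esac
    case "$uid"   in ''|*[!0-9]*)          err="$err bad-uid"  ;; esac
    case "$gid"   in ''|*[!0-9]*)          err="$err bad-gid"  ;; esac
    case "$home"  in /*) ;; *) err="$err home-not-absolute"  ;; esac
    case "$shell" in /*) ;; *) err="$err shell-not-absolute" ;; esac
    # A second uid-0 account is a classic sign of tampering; flag it
    if [ "$uid" = 0 ] && [ "$name" != root ]; then err="$err uid0-not-root"; fi
    if [ -n "$err" ]; then
        echo "BAD  ($err ): $line"
        return 1
    fi
    echo "OK   $name uid=$uid gid=$gid home=$home shell=$shell"
}

# Check every line on stdin (e.g. check_all < /etc/passwd); 0 only if all pass.
check_all() {
    rc=0
    while IFS= read -r l; do
        [ -n "$l" ] && { check_passwd_line "$l" || rc=1; }
    done
    return $rc
}

# Constructed sample: the thread's broken and corrected lines plus a uid-0 imposter.
check_all <<'EOF' || echo "some entries are malformed"
root:x:0:0:root:/root:/bin/ash
asdffdsa6131:x:1000:1000:/home/asdffdsa6131:/bin/ash
asdffdsa6131:x:1000:1000:asdffdsa6131:/home/asdffdsa6131:/bin/ash
backup:x:0:0:backup:/var:/bin/ash
EOF
```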

That's why I typically install the packages shadow-useradd, shadow-userdel, shadow-usermod, etc. to avoid this kind of typo. :sweat_smile:

i followed your https://openwrt.org/docs/guide-user/security/secure.access
opkg install shadow-useradd

so what should i do now, install the other packages?
shadow-userdel, shadow-usermod

That's not actually my guide, I just made some edits there.

Anyway, in general it is recommended to use shadow utils to manage the passwd/group files.

ok, i just installed the other two shadow-userdel, shadow-usermod

is this correct?
asdffdsa6131:x:1000:1000:asdffdsa6131:/home/asdffdsa6131:/bin/ash


Yep, looks fine now.

root@OpenWrt:~# chown -R $(id -u asdffsa6131):$(id -g asdffsa6131) ~asdffsa6131
id: unknown user asdffsa6131
id: unknown user asdffsa6131
chown: unknown group
userdel asdffsa6131
userdel asdffdsa6131
sed -i -e "/^asdffsa6131/d" /etc/passwd /etc/group /etc/shadow
sed -i -e "/^asdffdsa6131/d" /etc/passwd /etc/group /etc/shadow
opkg update
opkg install shadow-useradd shadow-userdel shadow-usermod \
    shadow-groupadd shadow-groupdel shadow-groupmod sudo
groupadd -r -g 10 wheel
groupadd asdffdsa6131
useradd -m -g asdffdsa6131 -G wheel -s /bin/ash asdffdsa6131
touch /etc/environment
cat << EOF > /etc/sudoers.d/00-custom
%wheel ALL=(ALL) ALL
EOF

is this the correct output for that tee?

root@OpenWrt:~# tee /etc/sudoers.d/00-custom << EOF
> %wheel ALL=(ALL) ALL
> EOF
%wheel ALL=(ALL) ALL
root@OpenWrt:~# cat /etc/sudoers.d/00-custom
%wheel ALL=(ALL) ALL

now this works without error
chown -R $(id -u asdffdsa6131):$(id -g asdffdsa6131) ~asdffdsa6131


It appears there was a letter missing in the user name.
I've updated the code, so you can copy-paste it again.

yeah, i noticed that, oh boy...

so i can just paste that entire text into the ssh command prompt?
no need to copy and paste each line, one at a time?
