I would like to use SSH key restrictions, such as no-port-forwarding or command=, which are supported by dropbear [1]. The use case is per-SSH-key restrictions, as opposed to dropbear-wide restrictions using the corresponding UCI options, in this example LocalPortForward and ForceCommand (which do not seem to be documented in the OpenWrt wiki [2] yet, but do in fact work).
When adding the restrictions to the file /etc/dropbear/authorized_keys, however, either dropbear or some other component in OpenWrt seems to filter these keys out. Example format of a restricted key: ssh-ed25519 no-port-forwarding <pubkey>. The logs do not show any obvious complaints from any component, and I cannot find any reference to a filter in the dropbear service file [3] nor in the OpenWrt-specific dropbear patches [4].
I am aware that there is a dedicated OpenSSH server package, but I would like to keep it to a minimal dropbear installation if at all possible.
Is there a way to add restrictions to SSH public keys using OpenWrt’s bundled dropbear, as documented in the dropbear man-page [1]?
Hardware & Software
- Netgear Nighthawk X4S R7800
- OpenWrt 24.10.2 r28739-d9340319c6 / LuCI openwrt-24.10 branch 26.003.60801~8770139
- dropbear 2024.86-r1
Dropbear configuration:
$ uci show dropbear
dropbear.main=dropbear
dropbear.main.PasswordAuth='on'
dropbear.main.Port='56421'
References
- [1] https://linux.die.net/man/8/dropbear, Files section
- [2] https://openwrt.org/docs/guide-user/base-system/dropbear
- [3] https://github.com/openwrt/openwrt/blob/main/package/network/services/dropbear/files/dropbear.init
- [4] https://github.com/openwrt/openwrt/blob/openwrt-24.10/package/network/services/dropbear/files/dropbear.init
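An added example, not part of the post above and not dropbear or OpenWrt code: a small POSIX shell checker for authorized_keys lines, written against the line layout given in the Files section of dropbear(8) [1], where the optional restrictions (no-port-forwarding, no-pty, command="...") precede the key type, which is followed by the base64 key blob and an optional comment. The list of accepted key types and the sample key file with fake key blobs are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the forum post, not dropbear/OpenWrt code): check
# dropbear authorized_keys lines against the layout documented in dropbear(8):
#     [restrictions] ssh-rsa AAAAB3Nz... [comment]
# i.e. restrictions such as no-port-forwarding, no-pty or command="..." come
# first, then the key type, then the base64 blob (always "AAAA..." because the
# first 4 bytes encode the length of the key-type string), then a comment.
# Assumptions: the key-type list below and the fake key blobs are constructed.

# is_key_type WORD -> 0 if WORD is a key type dropbear can load (assumed list).
is_key_type() {
    case "$1" in
        ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# classify_line LINE -> prints one word and returns 0 (usable) or 1 (not):
#   ok                 key type first, no restrictions
#   ok-restricted      restriction words precede the key type
#   misplaced-options  key type first, but a restriction word sits where the
#                      key blob belongs, so the line cannot be parsed as a key
#   invalid            no key type followed by key material found
classify_line() {
    set -f                      # no globbing while splitting the line
    set -- $1
    set +f
    [ $# -ge 2 ] || { echo invalid; return 1; }
    if is_key_type "$1"; then
        case "$2" in
            AAAA*)                          echo ok;                return 0 ;;
            no-*|command=*|permitopen=*)    echo misplaced-options; return 1 ;;
            *)                              echo invalid;           return 1 ;;
        esac
    fi
    # Walk past the restriction words (command="a b" splits into several
    # tokens, which is fine here) until the key type appears.
    while [ $# -gt 1 ]; do
        shift
        if is_key_type "$1"; then
            case "${2:-}" in
                AAAA*) echo ok-restricted; return 0 ;;
            esac
            echo invalid; return 1
        fi
    done
    echo invalid; return 1
}

# check_file FILE -> prints "FILE:N: status" for every key line and returns 1
# if any line is not usable. Blank lines and '#' comment lines are skipped.
check_file() {
    file=$1; n=0; bad=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        case "$l" in ''|'#'*) continue ;; esac
        status=$(classify_line "$l") || bad=$((bad + 1))
        printf '%s:%d: %s\n' "$file" "$n" "$status"
    done < "$file"
    [ "$bad" -eq 0 ]
}

# demo: constructed authorized_keys content (fake key blobs), one line per
# layout; the third line has the restriction after the key type.
demo() {
    tmp=$(mktemp) || return 0
    cat > "$tmp" <<'EOF'
# constructed sample, not a real key file
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEfakeFAKEfakeFAKEfakeFAKEfakeFAKEfakeFAKE admin@laptop
no-port-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEfakeFAKEfakeFAKEfakeFAKEfakeFAKEfakeFAKE backup
ssh-ed25519 no-port-forwarding AAAAC3NzaC1lZDI1NTE5AAAAIFAKEfakeFAKEfakeFAKEfakeFAKEfakeFAKEfakeFAKE wrong-order
command="/usr/bin/uptime",no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEfakeFAKEfakeFAKEfakeFAKEfakeFAKEfakeFAKE monitor
EOF
    check_file "$tmp" || echo "one or more lines will not be accepted as keys"
    rm -f "$tmp"
}

demo
```

The script runs under BusyBox ash on the router as well as bash; replace the demo with `check_file /etc/dropbear/authorized_keys` to check the real file. The classification is purely syntactic, following the man page's layout; whether dropbear actually enforces a restriction is still confirmed by logging in with that key and attempting the forbidden operation (for example a -L port forward against a no-port-forwarding key).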