Ssh/dbclient - DROPBEAR_PASSWORD doesn't work

I need my wlan-router to auto-login at startup to another host via SSH.
( https://www.studentenwerk-leipzig.de/sites/default/files/media/files/use_of_wireless_routers_and_mobile_devices_in_studnet.pdf )

Usually the Dropbear SSH client (dbclient) allows you to specify the password through an environment variable.
https://www.dd-wrt.com/wiki/index.php/SSH#Automatic_Login_.28for_shell_scripts.29

My custom router startup script works fine with dd-wrt versions until April of 2015.

while true
do
DROPBEAR_PASSWORD='passwod' ssh -y username@ip.of.remote.host
sleep 5
done

In future versions the script stops at password login.

Unfortunately there is no dd-wrt version from before April of 2015 for my new router (TL-WR710N(EU) V 1.2).

Thus I installed OpenWrt 15.05.1
and tried from the router's command line:

DROPBEAR_PASSWORD='passwod' ssh -y username@ip.of.remote.host

to check if auto-login to the remote host works. But I'm asked for the password. That means there is the same problem with variable handling as in recent versions of dd-wrt.

Then I installed LEDE 17.01.4 and there is the same problem.

Can anyone confirm that automatic password login to a remote host via the DROPBEAR_PASSWORD variable doesn't work?

Regards,
ErwinL

On 20.11.2017 at 16:44, Matt Johnston wrote:

OK, it looks like they're deliberately disabling it.
https://github.com/lede-project/source/blob/master/package/network/services/dropbear/patches/120-openwrt_options.patch#L77

I guess add that to the LEDE bug. I'd be surprised if it
made any real difference to binary size.

Cheers,
Matt

Can you login using key authentication?

No, I can't because the remote host is not under my control. The remote host is the internet access control server of my internet provider. The internet provider demands authentication by username/password.

Perhaps you could try with another SSH client: "openssh-client" seems to be available in the LEDE repos; perhaps it can do user-based authentication.

Perhaps there could be a solution for my problem, but I don't have enough knowledge to understand this:
https://www.exratione.com/2014/08/bash-script-ssh-automation-without-a-password-prompt/

Is there a special reason why the DROPBEAR_PASSWORD option is disabled in LEDE?

Try adding this to the init script before the loop (untested):

echo '#!/bin/sh' > /tmp/printpw
echo 'echo password' >> /tmp/printpw
chmod +x /tmp/printpw

and then log in like this:

SSH_ASKPASS=/tmp/printpw ssh -y username@ip.of.remote.host

Replace password with the actual password.

If I try

SSH_ASKPASS='password' ssh -y username@ip.of.remote.host

from the router's command line, then the remote host still asks for the password.

Yes, because 'password' is not a script so it fails.

root@LEDE:~# echo '#!/bin/sh'>/tmp/printpw
root@LEDE:~# echo 'echo mypwd'>>/tmp/printpw
root@LEDE:~# chmod +x /tmp/printpw
root@LEDE:~# SSH_ASKPASS=/tmp/printpw ssh -y root@192.168.1.21
ssh:
Host '192.168.1.21' key accepted unconditionally.
(ssh-rsa fingerprint md5 17:83:d5:f7:0e:b6:d2:40:5a:db:25:a5:53:2a:3e:6d)

root@192.168.1.21's password:

This ends with a password prompt too.

I'm surprised that a school would allow students to log in to one of their servers as "root"...

I'm testing at home and the remote host is my NAS.
At the student hostel my username is not root.

Perhaps this can be done by installing openssh-client (memory permitting) and using it instead of dropbear.

For security reasons, I can see why root would not allow auto logins.

You may need to set up an account that has similar permissions as your student username in order to test.

My NAS allows password login for root.
The router with the old dd-wrt version, with the DROPBEAR_PASSWORD option, does auto-login for root in my testing environment at home. And it works at the student hostel too.

But not anymore, and probably for good reason.

My TL-WR710N V1.2 has 8MB Flash and 32MB RAM. Is this sufficient to install openssh-client?
How do I install openssh-client?

The problem is not that the user is "root", but that the DROPBEAR_PASSWORD option is disabled.

Seems SSH_ASKPASS is for getting a passphrase and not a password, so it won't work that way.

I think this was the commit in which brainslayer disabled the DROPBEAR_PASSWORD option in dd-wrt on 19 Apr 2015:

https://github.com/mirror/dd-wrt/commit/067ea1a1efe5621631dde6fdaf2f8ee95b02048e#diff-851da486b641491d761c0295dbe45035