(edited by forum2006 2007-07-21 11:24:37)

Topic: [Howto] Dropbear with public key authentication

Dropbear with public key authentication

1. Create a public key pair on your Linux box

ssh-keygen -t dsa

2. Transmit the public key to your OpenWrt router with scp

scp ~/.ssh/id_dsa.pub root@192.168.1.1:/tmp

3. Create the authorized_keys file

cd /etc/dropbear
cat /tmp/id_*.pub >> authorized_keys
chmod 0600 authorized_keys

4. Connect to the OpenWrt router with the public key

ubuntu@ubuntu-laptop:~$ ssh root@192.168.1.1

5. Disable password logins (using UCI)

uci set dropbear.cfg1.PasswordAuth=off
uci commit dropbear && reboot

To change dropbear's default port do:

uci set dropbear.cfg1.Port=<port_num>
uci commit dropbear && reboot

1x ASUS WL-700g Encore (Kamikaze 7.09, BCM947xx//953xx [2.4])
1x ASUS WL-500g Premium with Wistron CM9 WiFi card (Kamikaze 7.09, BCM947xx//953xx [2.4])
1x Linksys WRT54GL v1.1 with 512MB MMC card mod, optimized MMC driver (Kamikaze trunk r9548, BCM947xx//953xx [2.4])
NO support via PM.
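
The whole procedure in one place, as an added example that is not part of the original post: two POSIX shell helpers, one for step 3 (appending a key without duplicating it on a second run, and keeping authorized_keys at 0600) and one for step 5 (checking that a dropbear UCI config file really has PasswordAuth off before you close the session, since Dropbear defaults to password auth on). The function names, the temp-dir demo and the key blobs are constructed for this example; the helper accepts the ssh-dss keys that step 1 produces and also the newer ssh-rsa, ssh-ed25519 and ecdsa types. On the router the real files are /etc/dropbear/authorized_keys and /etc/config/dropbear.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the key-install and
# lockout steps of the howto. Paths and key material below are constructed
# for demonstration; on the router the real files are
# /etc/dropbear/authorized_keys and /etc/config/dropbear.

# install_pubkey KEYFILE AUTHKEYS
# Append the first line of KEYFILE to AUTHKEYS unless it is malformed or
# already present. Step 3's plain `cat >>` appends a duplicate every time it
# is re-run; comparing key type + base64 blob (ignoring the comment) avoids that.
install_pubkey() {
    keyfile=$1
    authkeys=$2
    line=$(head -n 1 "$keyfile")
    case "$line" in
        ssh-dss\ *|ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "install_pubkey: not an OpenSSH public key line: $keyfile" >&2
           return 1 ;;
    esac
    blob=$(printf '%s\n' "$line" | awk '{print $1 " " $2}')
    if [ -f "$authkeys" ] && awk '{print $1 " " $2}' "$authkeys" | grep -qxF "$blob"
    then
        return 0                     # already installed, nothing to do
    fi
    # subshell so the restrictive umask does not leak into the caller;
    # a freshly created file is 0600 from the start, never world readable
    (umask 077; printf '%s\n' "$line" >> "$authkeys")
    chmod 0600 "$authkeys"
}

# password_auth_disabled CONFIGFILE
# Return 0 only if every PasswordAuth option in a UCI dropbear config is off.
# Dropbear defaults to password auth ON, so a config with no PasswordAuth line
# at all counts as NOT disabled (the check must see at least one such line).
password_auth_disabled() {
    tr -d "'\"" < "$1" | awk '
        $1 == "option" && $2 == "PasswordAuth" {
            seen = 1
            if ($3 != "off" && $3 != "0" && $3 != "no") bad = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# Demonstration on constructed files (the base64 blobs are placeholders,
# not real key material).
demo() {
    dir=$(mktemp -d)
    printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER logcheck@host\n' > "$dir/id_dsa.pub"
    printf 'this is not a key\n' > "$dir/junk.pub"
    install_pubkey "$dir/id_dsa.pub" "$dir/authorized_keys"
    install_pubkey "$dir/id_dsa.pub" "$dir/authorized_keys"   # second run is a no-op
    install_pubkey "$dir/junk.pub" "$dir/authorized_keys" || echo "rejected junk.pub (expected)"
    echo "authorized_keys has $(wc -l < "$dir/authorized_keys" | tr -d ' ') line(s)"
    printf "config dropbear cfg1\n\toption PasswordAuth 'off'\n\toption Port '22'\n" > "$dir/dropbear"
    if password_auth_disabled "$dir/dropbear"; then
        echo "password logins disabled in $dir/dropbear"
    fi
    rm -rf "$dir"
}
demo
```

Run the check against /etc/config/dropbear after `uci commit dropbear` and only then reboot; and before committing PasswordAuth=off at all, confirm the key login from a second terminal as in step 4, because once password logins are off a lost or mis-installed key means getting back in through failsafe mode or a serial console.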

Re: [Howto] Dropbear with public key authentication

I would like to expand a little on Point 1, the creation of DSA keys.

I normally have logcheck process my logs, and it does so hourly via cron as the logcheck user. 

The logcheck user is a virtual user; it exists solely to own some files and to be a user to process logs. In the /etc/passwd file, it shows that the login shell that logcheck gets is /bin/false. The postgres user is one which can get a shell, but can never login (no passwords are accepted). To do work as the postgres user, the root user needs to 'su' to the postgres user. This same process doesn't work with the logcheck user, as the login shell is /bin/false.

While there are other ways to accomplish key generation, what I did was run the 'chsh' program to give logcheck a real shell. The root user could then 'su' to the logcheck user. The home directory for logcheck is defined to be /var/lib/logcheck, which is fine for what needs to be done. As noted in the original posting, you run the ssh-keygen program for DSA keys (-t dsa). Don't use a passphrase (just hit return, twice I believe). All DSA keys are the same size, so you don't get asked anything about that. As mentioned above, copy this newly created DSA pub key to the OpenWrt device, and then append that file to the authorized_keys file for dropbear. Stop being the logcheck user by exiting the shell logcheck is running (exit should work; a single Control-D is end-of-file, which is what I normally do). Finally, run 'chsh' again (as the root user now) to change the login shell for logcheck back to /bin/false.

This should allow cron processes run by the logcheck user to log in to OpenWrt using public key authentication over SSH2.