@gimbleguy No problem at all. I'm assuming you want it accessible only over the LAN for security reasons; however, provided it's configured with a 2048-bit key that's also protected with a secure passphrase, there's zero chance of an unauthorized person gaining access over SSH.
I would recommend switching from Dropbear to OpenSSH, as OpenSSH provides more functionality and far greater security controls. If you do choose to switch, here is the config I recommend using:
/etc/ssh/sshd_config
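#
##::[[--- LEDE OpenSSH Config ---]]::##
# /etc/ssh/sshd_config -- read by sshd at start-up; restart sshd after edits.
# sshd_config(5) documents options as "Keyword value".  "Keyword = value" is
# also accepted, but the canonical form is used here so that multi-argument
# lines such as Subsystem parse identically on every OpenSSH release.
# Algorithm names below are OpenSSH 7.x names; confirm with `ssh -Q cipher`,
# `ssh -Q mac`, `ssh -Q kex` and `ssh -Q key` on the box before deploying.
####################################################
##----- Global Options -----##
####################################################
# Connection #
#---------------------------------------------------
# IPv4 only, bound exclusively to the LAN address: the daemon is not
# reachable from the WAN side regardless of firewall state.
AddressFamily inet
Port 64947
ListenAddress 192.168.2.1
# Encryption #
#---------------------------------------------------
# SSH protocol 1 was removed in OpenSSH 7.4; there this keyword is
# deprecated and ignored, it only matters on older builds.
Protocol 2
# Relative to the login user's home directory, so /root and /home/user1
# both resolve without a /home/root symlink.
AuthorizedKeysFile .ssh/authorized_keys
HostKey /etc/ssh/ids/ssh_host_rsa_key
HostKey /etc/ssh/ids/ssh_host_ed25519_key
# Renegotiate session keys after 100 MB or 30 minutes, whichever comes first.
RekeyLimit 100M 30m
# Authentication #
#---------------------------------------------------
# Only the named account may authenticate, and only with a key; every
# password-style method is disabled explicitly rather than left at default.
AllowUsers user1
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
# Refuse ~/.ssh and authorized_keys that are group- or world-writable.
StrictModes yes
# Seconds an unauthenticated connection may stay open.
LoginGraceTime 30
# A client offering more than three keys (e.g. everything in its agent) is
# disconnected; pair this with IdentitiesOnly on the client side.
MaxAuthTries 3
MaxSessions 10
# start:rate:full -- refuse 30% of new unauthenticated connections once 3
# are pending, rising to 100% at 10.
MaxStartups 3:30:10
PermitRootLogin no
# Reliability #
#---------------------------------------------------
# Drop a session after 3 unanswered keepalives (30 minutes of silence).
ClientAliveCountMax 3
ClientAliveInterval 600
TCPKeepAlive yes
# Reverse-DNS lookups add login latency and add no assurance here: no
# hostname patterns are used in AllowUsers or authorized_keys.
UseDNS no
# Security #
#---------------------------------------------------
# Forwarding is deliberately enabled for the LAN use case.  Note that
# GatewayPorts clientspecified lets a client bind remote-forwarded ports on
# the router's non-loopback interfaces, i.e. expose them to the whole LAN;
# set it to no if that is not wanted.
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts clientspecified
PermitTunnel yes
Subsystem sftp /usr/lib/sftp-server
# Logging #
#---------------------------------------------------
# VERBOSE records the fingerprint of the key used for each login.
SyslogFacility AUTH
LogLevel VERBOSE
PidFile /tmp/run/sshd.pid
# Environment #
#---------------------------------------------------
#PermitUserRC yes
# Ciphers and ReKeying #
#---------------------------------------------------
FingerprintHash sha256
# AEAD and CTR modes only.  CBC modes (aes*-cbc, rijndael-cbc) carry the
# known plaintext-recovery weakness and have been off by default since
# OpenSSH 6.7; listing them would let any client negotiate them.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# ssh-rsa (SHA-1 signatures) is replaced by rsa-sha2-*: the same RSA host
# and user keys are used, only the signature hash changes (OpenSSH 7.2+).
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
HostbasedAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
# The NIST curves are kept for client compatibility; drop them once every
# client supports curve25519.
KexAlgorithms curve25519-sha256@libssh.org,curve25519-sha256,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
# Encrypt-then-MAC variants only; the plain hmac-sha2-* entries are the
# weaker encrypt-and-MAC construction.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256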
This requires adding a user (user1 as an example), since root should not be allowed to log in via SSH; then creating a group named sudo, adding the new user to the sudo group, and installing the sudo package.
%UserProfile%\.ssh\config (OpenSSH for Windows)
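#
##::[[--- Windows OpenSSH Config ---]]::##
# %UserProfile%\.ssh\config -- read by ssh.exe (OpenSSH for Windows).
# Two ssh_config(5) rules shape the layout of this file:
#  * For each option the FIRST value found wins, so per-host settings must
#    appear before the defaults.
#  * Options after a "Host" line apply only to that host until the next
#    "Host" line.  The defaults therefore sit under a closing "Host *";
#    without it they would silently apply to the last host entry only.
####################################################
##----- Custom -----##
####################################################
UserKnownHostsFile ~\.ssh\known_hosts
####################################################
##----- Hosts -----##
####################################################
# You'll need to create the directory:
# ~\.ssh\ids\<remote hostname/IP>\<remote user>\SSH_User_Key_2r
# "_2r" identifies the key as 2048bit RSA, with "_2e" being ED25519
# PowerShell recognizes ~ as %UserProfile%
# PowerShell should be set to replace Command Prompt in Settings
# Certain cli programs will not launch when issued in PowerShell;
# simply preface the command with: cmd /c <cli program>
# Using hosts, one can simply issue the host variable to connect: ssh ACS
# Agent and X11 forwarding give the remote host the use of the local agent
# and display, so they are granted to the router entries only, not under
# "Host *".  IdentitiesOnly stops ssh from offering every agent key first,
# which would exhaust the server's MaxAuthTries 3 before the file below is
# tried.  %d = local home, %h = Hostname value, %r = remote user.
# WRT1900ACS #
#---------------------------------------------------
# Local:
Host ACS
    Hostname LEDE.WRT
    Port 64947
    User user1
    IdentityFile %d\.ssh\ids\local\%h\%r\WRT1900ACS_2r
    IdentitiesOnly yes
    ForwardAgent yes
    ForwardX11 yes
# Remote:
Host ACSR
    Hostname your.ddns.com
    Port 64947
    User user1
    IdentityFile %d\.ssh\ids\remote\%h\%r\WRT1900ACS_2r
    IdentitiesOnly yes
    ForwardAgent yes
    ForwardX11 yes
####################################################
##----- Options -----##
####################################################
# Defaults for every host, including the two above (earlier values win).
Host *
# Connection #
#---------------------------------------------------
AddressFamily inet
# Encryption #
#---------------------------------------------------
RekeyLimit 500M 30m
# Authentication #
#---------------------------------------------------
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PasswordAuthentication no
PreferredAuthentications publickey
PubkeyAuthentication yes
AddKeysToAgent ask
# Reliability #
#---------------------------------------------------
TCPKeepAlive yes
# Security #
#---------------------------------------------------
# Forwarding is off for unknown hosts; the router entries enable it above.
ForwardAgent no
ForwardX11 no
GatewayPorts no
HashKnownHosts yes
StrictHostKeyChecking ask
# Logging #
#---------------------------------------------------
SyslogFacility AUTH
LogLevel VERBOSE
# Environment #
#---------------------------------------------------
# Disabled (PermitUserRC is an sshd_config option; ssh.exe does not read it):
## PermitUserRC yes
# Ciphers and ReKeying #
#---------------------------------------------------
FingerprintHash sha256
# The client's list decides the negotiation order.  Offering only CBC modes
# (as before) forced every session onto CBC even though the server prefers
# AEAD; this list mirrors the server so AEAD or CTR is always chosen.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# ssh-rsa (SHA-1 signatures) replaced by rsa-sha2-*; RSA keys still work,
# provided the server is OpenSSH 7.2 or newer.
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
HostbasedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
KexAlgorithms curve25519-sha256@libssh.org,curve25519-sha256,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
# Encrypt-then-MAC variants only.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256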
/etc/sudo
#
##::[[--- LEDE Sudoers Config ---]]::##
####################################################
##----- Active Options -----##
####################################################
# This file MUST be edited by root via `visudo`: it checks the syntax before
# saving and keeps the root-owned, mode 0440 file sudo insists on.
# Failure to use `visudo` results in syntax / file
# permission errors preventing sudo from running
# NOTE(review): sudo reads /etc/sudoers by default; confirm the path this
# build installs before pointing chmod at it.
# Man pages #
# sudoers: www.sudo.ws/man/1.8.15/sudoers.man.html
# sudo.conf: www.sudo.ws/man/1.8.15/sudo.conf.man.html
# Defaults Specification #
#---------------------------------------------------
# Run commands with a clean environment.
Defaults env_reset
# Mail the admin on a bad password; a no-op unless a mailer is installed.
Defaults mail_badpass
# Fixed PATH for commands run via sudo, independent of the caller's PATH.
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
# Prompt for the TARGET user's password (root's), not the invoking user's;
# members of %sudo therefore still need to know the root password.
Defaults targetpw
# User Privilege Specification #
#---------------------------------------------------
# Users:
root ALL=(ALL:ALL) ALL
# Groups:
%sudo ALL=(ALL:ALL) ALL
Once added, run the following script:
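#!/bin/sh
# Post-install setup for the LEDE sudo + OpenSSH configuration above.
# Run once as root after the sudoers file (edited via visudo) and
# /etc/ssh/sshd_config are in place.  Every path is absolute, so the script
# works from any working directory.
# Abort on the first failing command and on any unset variable.
set -eu

# 2048 is the smallest RSA size worth generating; raise to 3072 or 4096 if
# every client supports it (the "_2r" key-naming convention assumes 2048).
RSA_BITS=2048
MODULI_BITS=2048
SSH_ID_DIR=/etc/ssh/ids
# NOTE(review): sudo reads /etc/sudoers by default; confirm /etc/sudo is the
# path this build actually installs before running.
SUDOERS_FILE=/etc/sudo

# Sudo #
#---------------------------------------------------
# Sudoers
# Permissions #
# sudo refuses to run unless its config is root-owned and not writable.
chown root:root "$SUDOERS_FILE"
chmod 440 "$SUDOERS_FILE"

# OpenSSH #
#---------------------------------------------------
# Keys #
# ssh-keygen does not create the target directory, so make it first.
mkdir -p "$SSH_ID_DIR"
chmod 700 "$SSH_ID_DIR"
# Host keys must be passphrase-less (-N '') or sshd cannot load them at boot
# without a prompt.  -E only selects the fingerprint hash shown afterwards.
# Generate RSA #
ssh-keygen -b "$RSA_BITS" -t rsa -N '' -E sha256 -C "WRT1900ACS OpenSSH Server RSA" -f "$SSH_ID_DIR/ssh_host_rsa_key"
# Generate ED25519 (fixed-size curve; -b does not apply) #
ssh-keygen -t ed25519 -N '' -E sha256 -C "WRT1900ACS OpenSSH Server ED25519" -f "$SSH_ID_DIR/ssh_host_ed25519_key"
# Permissions #
# Private halves readable by root only; the .pub files may stay world-readable.
chmod 600 "$SSH_ID_DIR"/*_key

# .ssh #
# root:
if [ -d ~/.ssh ]; then
    chmod 700 ~/.ssh
    [ -f ~/.ssh/authorized_keys ] && chmod 600 ~/.ssh/authorized_keys
fi
# Only needed while sshd_config uses "AuthorizedKeysFile /home/%u/...";
# with the home-relative default, root's keys are found under /root directly.
[ -e /home/root ] || ln -s /root /home/root
# user1:
chown -R user1:user1 /home/user1
if [ -d /home/user1/.ssh ]; then
    chmod 700 /home/user1/.ssh
    [ -f /home/user1/.ssh/authorized_keys ] && chmod 600 /home/user1/.ssh/authorized_keys
fi

# Restart OpenSSH #
# Restart now so the new host keys are served before the slow moduli step.
/etc/init.d/sshd restart

# Moduli #
# Generating and screening DH group-exchange moduli is CPU-bound and can take
# many hours on a router; consider running this part on a PC and copying the
# result.  Work in a temp dir with absolute paths, and keep the original
# until the screened replacement exists, so an interrupted run never leaves
# sshd without a moduli file (the original version relied on the current
# directory being /etc/ssh and deleted the old file before the new one was
# in place).
MODULI_TMP=$(mktemp -d)
# Generate:
ssh-keygen -G "$MODULI_TMP/moduli-$MODULI_BITS.candidates" -b "$MODULI_BITS"
# Select Candidates:
ssh-keygen -T "$MODULI_TMP/moduli-$MODULI_BITS" -f "$MODULI_TMP/moduli-$MODULI_BITS.candidates"
# Backup:
if [ -f /etc/ssh/moduli ]; then
    cp /etc/ssh/moduli /etc/ssh/moduli.orig
fi
# Replace (copy beside the target, then rename, so the swap is a single step):
cp "$MODULI_TMP/moduli-$MODULI_BITS" /etc/ssh/moduli.new
mv /etc/ssh/moduli.new /etc/ssh/moduli
chmod 644 /etc/ssh/moduli
rm -rf "$MODULI_TMP"
# Restart OpenSSH #
/etc/init.d/sshd restart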
(Last edited by JW0914 on 24 Aug 2017, 01:12)