The Dropbear SSH client included on the DD-WRT firmware can make it trivial for you to access computers on your network without exposing them to the Internet. For example, let’s say I have remote SSH management enabled on my router, and I have a computer named ubuntu running an SSHd on my LAN. I want to log into ubuntu from anywhere but don’t want to forward ports from the WAN side of the router to that machine. All I need to do is SSH into my router, and from the DD-WRT shell prompt enter
ssh [username]@ubuntu and provide my password. All very easy to do and keeps my machines away from the world on the ugly side of the router/firewall.
Now, ubuntu is only accessible from the LAN, so to make my life a little easier, I want to allow password-less logins, this is how it’s done.
This builds off of DD-WRT: SSH Remote Management with Public Key Authentication and DD-WRT: Samba Startup Script / Reconfigure Dropbear SSHd. Just to keep things fresh, the router only allows logins via public-key authentication, the machine ubuntu hosts the script that the router launches at startup on a Samba share (
smb://ubuntu/ddwrt). The local path to that share on ubuntu is
~/ddwrt. The router will map that share to
/tmp/smbshare during startup and will execute the
dd-wrt-startup.sh script located there.
Configure public-key authenication on the Linux machine:
Since I used this machine to create a keypair earlier, I’m just going to recycle. Up until now, I’ve only configured this machine to make connections to other hosts using public-key authentication. Now I need to accept public-key auth connections from other hosts.
To do this, I need to create an
authorized_keys file in
~/.ssh/. The command below will write my
~/.ssh/id_rsa.pub file to the bottom of a pre-existing
authorized_keys file or create a new one if it doesn’t exist. This file allows me to authenticate with my private key on the computer ubuntu.
cat ~/.ssh/id_rsa.pub >>~/.ssh/authorized_keys
Copy private key to router and convert it:
Next, I need to get my private key someplace accessible to the router, I’m just copying it to the Samba share that auto-mounts when the router starts up.
cp -v ~/.ssh/id_rsa ~/ddwrt/
Now, I remove the password from the copy of the private key, this is mandatory. DD-WRT’s Dropbear client has its own format for private keys and cannot convert encrypted (password protected) OpenSSH keys. Not to mention that I actually WANT password-less logins :). Just follow the prompts provided after executing the next command.
ssh-keygen -p -f ~/ddwrt/id_rsa
Note: This key will NEVER leave my personal network so I’m not worried about it getting into the hands of anyone I don’t trust.
Next I SSH into the router.
ssh firstname.lastname@example.org -i ~/.ssh/id_rsa
dropbearkonvert I convert the OpenSSH key to a Dropbear key.
dropbearkonvert openssh dropbear /tmp/smbshare/id_rsa /tmp/smbshare/id_dropbear
Install private key to home dir at router startup:
The last step is to have the key installed to the
/tmp/root/.ssh/ directory on the router whenever the router starts up. I could opt to leave the key on the Samba mount, but I decided to put it on the router because I actually have more than one machine I want to get to. If for some reason the machine running the Samba server is off-line, I wouldn’t have access to the private key.
To automagically install the key, I need to add the lines below to the router’s startup script, this can be done from the router,
vi /tmp/smbshare/dd-wrt-startup.sh or from my desktop using my editor of choice
## install dropbear private key for passwordless login to other machines
cp /tmp/smbshare/id_dropbear /tmp/root/.ssh/
chmod 600 /tmp/root/.ssh/id_dropbear
You can reboot the router to test the script or you can manually enter
cp /tmp/smbshare/id_dropbear /tmp/root/.ssh/ on the router and test it by entering
ssh [username]@[hostname] -i ~/.ssh/id_dropbear. This should bring up a prompt similar to the one below:
Host ‘ubuntu’ is not in the trusted hosts file.
(fingerprint md5 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx)
Do you want to continue connecting? (y/n)
Answering “y” will add the host to
~/.ssh/known_hosts and I won’t be prompted about it again until I reboot the router. If I want to permanently add all of my machines to
known_hosts, I can connect to each one of them and answer “
y” at the
Do you want to continue connecting? Prompt. After all of my hosts are known, I copy the file from the router to my Samba share (
cp ~/.ssh/known_hosts /tmp/smbshare). Lastly, I go back to my startup script and add the line below.
cp /tmp/smbshare/known_hosts /tmp/root/.ssh/
that’s all folks, the router will install the files I need whenever it reboots and I have access to all of my machines through ONE tightly locked door.