DD-WRT: Password Free Login to LAN Hosts from DD-WRT Shell

The Dropbear SSH client included on the DD-WRT firmware can make it trivial for you to access computers on your network without exposing them to the Internet. For example, let’s say I have remote SSH management enabled on my router, and I have a computer named ubuntu running an SSHd on my LAN. I want to log into ubuntu from anywhere but don’t want to forward ports from the WAN side of the router to that machine. All I need to do is SSH into my router, and from the DD-WRT shell prompt enter ssh [username]@ubuntu and provide my password. All very easy to do and keeps my machines away from the world on the ugly side of the router/firewall.

Now, ubuntu is only accessible from the LAN, so to make my life a little easier, I want to allow password-less logins, this is how it’s done.

This builds off of DD-WRT: SSH Remote Management with Public Key Authentication and DD-WRT: Samba Startup Script / Reconfigure Dropbear SSHd. Just to keep things fresh, the router only allows logins via public-key authentication, the machine ubuntu hosts the script that the router launches at startup on a Samba share (smb://ubuntu/ddwrt). The local path to that share on ubuntu is ~/ddwrt. The router will map that share to /tmp/smbshare during startup and will execute the dd-wrt-startup.sh script located there.

Configure public-key authenication on the Linux machine:

Since I used this machine to create a keypair earlier, I’m just going to recycle. Up until now, I’ve only configured this machine to make connections to other hosts using public-key authentication. Now I need to accept public-key auth connections from other hosts.

To do this, I need to create an authorized_keys file in ~/.ssh/. The command below will write my ~/.ssh/id_rsa.pub file to the bottom of a pre-existing authorized_keys file or create a new one if it doesn’t exist. This file allows me to authenticate with my private key on the computer ubuntu.

cat ~/.ssh/id_rsa.pub >>~/.ssh/authorized_keys

Copy private key to router and convert it:

Next, I need to get my private key someplace accessible to the router, I’m just copying it to the Samba share that auto-mounts when the router starts up.

cp -v ~/.ssh/id_rsa ~/ddwrt/

Now, I remove the password from the copy of the private key, this is mandatory. DD-WRT’s Dropbear client has its own format for private keys and cannot convert encrypted (password protected) OpenSSH keys. Not to mention that I actually WANT password-less logins :). Just follow the prompts provided after executing the next command.

ssh-keygen -p -f ~/ddwrt/id_rsa

Note: This key will NEVER leave my personal network so I’m not worried about it getting into the hands of anyone I don’t trust.

Next I SSH into the router.

ssh root@ -i ~/.ssh/id_rsa

Using dropbearkonvert I convert the OpenSSH key to a Dropbear key.

dropbearkonvert openssh dropbear /tmp/smbshare/id_rsa /tmp/smbshare/id_dropbear

Install private key to home dir at router startup:

The last step is to have the key installed to the /tmp/root/.ssh/ directory on the router whenever the router starts up. I could opt to leave the key on the Samba mount, but I decided to put it on the router because I actually have more than one machine I want to get to. If for some reason the machine running the Samba server is off-line, I wouldn’t have access to the private key.

To automagically install the key, I need to add the lines below to the router’s startup script, this can be done from the router, vi /tmp/smbshare/dd-wrt-startup.sh or from my desktop using my editor of choice nano ~/ddwrt/dd-wrt-startup.sh.

## install dropbear private key for passwordless login to other machines
cp /tmp/smbshare/id_dropbear /tmp/root/.ssh/
chmod 600 /tmp/root/.ssh/id_dropbear

You can reboot the router to test the script or you can manually enter cp /tmp/smbshare/id_dropbear /tmp/root/.ssh/ on the router and test it by entering ssh [username]@[hostname] -i ~/.ssh/id_dropbear. This should bring up a prompt similar to the one below:

Host ‘ubuntu’ is not in the trusted hosts file.
(fingerprint md5 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx)
Do you want to continue connecting? (y/n)

Answering “y” will add the host to ~/.ssh/known_hosts and I won’t be prompted about it again until I reboot the router. If I want to permanently add all of my machines to known_hosts, I can connect to each one of them and answer “y” at the Do you want to continue connecting? Prompt. After all of my hosts are known, I copy the file from the router to my Samba share (cp ~/.ssh/known_hosts /tmp/smbshare). Lastly, I go back to my startup script and add the line below.

cp /tmp/smbshare/known_hosts /tmp/root/.ssh/

that’s all folks, the router will install the files I need whenever it reboots and I have access to all of my machines through ONE tightly locked door.

Tags: , , , ,

One Response to “DD-WRT: Password Free Login to LAN Hosts from DD-WRT Shell”

  1. randy says:

    Pretty neat. I’ve been running dd-wrt on my buffalo router for a couple of years but did not realize that I could connect to my PCs from outside via the router’s sshd instead of port-forwarding (like I done before). I don’t care for the portforwarding setup because the pc is exposed to the outside. Your way is solves that concern.
    Have you ever set up an ssh tunnel through your router to allow you to get around any firewall restrictions from your work computer? If yes, please write about it sometime 🙂 Thanks for your nice articles on dd-wrt.

Leave a Reply