So, I’ve been spending a fair amount of time mucking about on my DD-WRT based router and I have a few topics to cover. They’ll all sort of build on each other and I’ll ping-back when appropriate. I initially attempted to do them all in one colossal post and then realized that it just wouldn’t work. So first things first, SSH.
When I set up a personal Internet facing SSH daemon, I only allow logins via public/private key files. This greatly improves security by eliminating the potential for brute force password cracking. If you aren’t familiar with public key authentication, the quick of it goes something like this; you have a key pair that consists of a public and a private key. The public key lives on the server you want to log into, and the private key lives on your computer (the client). You can share the public key with anyone, and you should physically protect the private key with your life. You can choose to encrypt the private key with a password (you will need to enter the password each time you attempt to authenticate with the key) or leave the password blank (which allows you to log in without a password). Note: It’s strongly suggested that you password protect your private key.
So what’s the point of it? Your public key can only be used with its partner private key. As long as your private key is safe (only you have access to it), nobody can crack your account and log in (even if they have the public key, you can’t generate a private key based on the data in the public key). This is why I suggest encrypting the private key with a password, if you have it on a thumb drive and lose the drive, the dweeb who picks it up and wants to see what you have access too will still need to get past the password on the private key. This gives you time to create a new keypair and update the machines you connect to.
I hope I made that clear, it makes more sense once you start using it. If you’re confused at all after going through all of this, please let me know in the comments of this post, I’ll clear up what I can.
Creating a keypair on your Linux box
If you haven’t previously used SSH to connect to a host, you won’t have a
~/.ssh/ directory on your machine. If you aren’t sure whether or not you’ve used SSH before, open a terminal and enter
ls -lad ~/.ssh. If the folder doesn’t exist, you’ll want to create it and set the proper permissions now. The command below will create the directory with a mode of 700, only you as the owner will be able to list the contents of
mkdir ~/.ssh -m=u+rwx,g-rwx,o-rwx
This next command will create a keypair in
~/.ssh/ as long as you have the OpenSSH Client package installed (chances are, you do). Basically we’re creating a (standard) 2048-bit RSA keypair with a custom comment (
-C [comment]. If you decide not to customize the comment, ssh-keygen will insert your
[username]@[host] as the comment). If you don’t enter a password for your key when prompted, you won’t need to enter one when attempting logins with this keypair. As convenient as this sounds, I would (again) suggest using a strong password to keep this keypair safe.
ssh-keygen -C [comment] -f ~/.ssh/id_rsa
Now that we have a keypair (
~/.ssh/id_rsa.pub), we need to log into the DD-WRT control panel, enable SSH and paste in our authorized key.
~/.ssh/id_rsa.pub with your editor of choice, select all of the text and copy it.
Next, open your browser and enter the address of the router, Click on the Administration tab, and then on Services. Scroll down to the Secure Shell section and set it up as follows:
- SSHd: Enable
- Password Login: Disable
- Port: 22
- Authorized Keys: Paste in the contents of your
id_rsa.pubfile. The actual key (the ugly part of the file) must NOT wrap, it needs to be on one line.
Note: I ALWAYS change the port from 22 to some high number that’s easy for me to remember. It cuts down on attempted break-ins, do whatever works for you.
Now that SSHd is configured, click Save Settings and then Reboot Router. At this point, you can only use SSH to log into the router from your LAN (in other words, we haven’t opened SSH up to the world yet).
Once the DD-WRT control panel is visible again, open a terminal and enter the command below:
ssh email@example.com -i ~/.ssh/id_rsa
If all goes well, should see a login prompt like the one below. You’ll need to enter the password for your private key. After that you should be at a shell prompt. If yes, Congrats! You’re communicating with your router via SSH.
DD-WRT v23 SP2 std (c) 2006 NewMedia-NET GmbH
Release: 09/15/06 (SVN revision: 3932)
Enter passphrase for key ‘/home/[username]/.ssh/id_rsa’
Now that it’s all tested, we can open SSH up to the Internet. This is optional of course, if you don’t want SSH access to your router from remote locations, then skip it.
Log into the DD-WRT control panel and select the Administration tab and then the Management tab. In the Remote Access section configure as follows.
- Web GUI Management: Disable
- SSH Management: Enable
- SSH Remote Port: [same port you selected in the Secure Shell configuration]
Again, click Save Settings and Reboot Router. After the reboot, you’re SSHd is available to you from anywhere
Extra bit to make life easier
Finally, if you think that’s an annoying amount of text to enter whenever you want to SSH into your router, create an SSH Config file. Use whatever editor you like, enter the text below and save the file to
Now all you need to do is enter
ssh ddwrt to connect to your router.
Finally, I should mention that allowing remote “root” logins is a really bad idea. I’ve made an exception in this case as DD-WRT is unique in that it only has one user account. There are ways of renaming the account, if I explore them, I’ll (of course) tell you about it.