Now, ubuntu is only accessible from the LAN, so to make my life a little easier, I want to allow password-less logins, this is how it’s done.

This builds off of DD-WRT: SSH Remote Management with Public Key Authentication and DD-WRT: Samba Startup Script / Reconfigure Dropbear SSHd. Just to keep things fresh, the router only allows logins via public-key authentication, the machine ubuntu hosts the script that the router launches at startup on a Samba share (smb://ubuntu/ddwrt). The local path to that share on ubuntu is ~/ddwrt. The router will map that share to /tmp/smbshare during startup and will execute the dd-wrt-startup.sh script located there.

Configure public-key authenication on the Linux machine:

Since I used this machine to create a keypair earlier, I’m just going to recycle. Up until now, I’ve only configured this machine to make connections to other hosts using public-key authentication. Now I need to accept public-key auth connections from other hosts.

To do this, I need to create an authorized_keys file in ~/.ssh/. The command below will write my ~/.ssh/id_rsa.pub file to the bottom of a pre-existing authorized_keys file or create a new one if it doesn’t exist. This file allows me to authenticate with my private key on the computer ubuntu.

cat ~/.ssh/id_rsa.pub >>~/.ssh/authorized_keys

Copy private key to router and convert it:

Next, I need to get my private key someplace accessible to the router, I’m just copying it to the Samba share that auto-mounts when the router starts up.

cp -v ~/.ssh/id_rsa ~/ddwrt/

Now, I remove the password from the copy of the private key, this is mandatory. DD-WRT’s Dropbear client has its own format for private keys and cannot convert encrypted (password protected) OpenSSH keys. Not to mention that I actually WANT password-less logins . Just follow the prompts provided after executing the next command.

ssh-keygen -p -f ~/ddwrt/id_rsa

Note: This key will NEVER leave my personal network so I’m not worried about it getting into the hands of anyone I don’t trust.

Next I SSH into the router.

ssh root@192.168.1.1 -i ~/.ssh/id_rsa

Using dropbearkonvert I convert the OpenSSH key to a Dropbear key.

dropbearkonvert openssh dropbear /tmp/smbshare/id_rsa /tmp/smbshare/id_dropbear

Install private key to home dir at router startup:

The last step is to have the key installed to the /tmp/root/.ssh/ directory on the router whenever the router starts up. I could opt to leave the key on the Samba mount, but I decided to put it on the router because I actually have more than one machine I want to get to. If for some reason the machine running the Samba server is off-line, I wouldn’t have access to the private key.

To automagically install the key, I need to add the lines below to the router’s startup script, this can be done from the router, vi /tmp/smbshare/dd-wrt-startup.sh or from my desktop using my editor of choice nano ~/ddwrt/dd-wrt-startup.sh.

## install dropbear private key for passwordless login to other machines
cp /tmp/smbshare/id_dropbear /tmp/root/.ssh/
chmod 600 /tmp/root/.ssh/id_dropbear

You can reboot the router to test the script or you can manually enter cp /tmp/smbshare/id_dropbear /tmp/root/.ssh/ on the router and test it by entering ssh [username]@[hostname] -i ~/.ssh/id_dropbear. This should bring up a prompt similar to the one below:

Host ‘ubuntu’ is not in the trusted hosts file.
(fingerprint md5 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx)
Do you want to continue connecting? (y/n)

Answering “y” will add the host to ~/.ssh/known_hosts and I won’t be prompted about it again until I reboot the router. If I want to permanently add all of my machines to known_hosts, I can connect to each one of them and answer “y” at the Do you want to continue connecting? Prompt. After all of my hosts are known, I copy the file from the router to my Samba share (cp ~/.ssh/known_hosts /tmp/smbshare). Lastly, I go back to my startup script and add the line below.

cp /tmp/smbshare/known_hosts /tmp/root/.ssh/

that’s all folks, the router will install the files I need whenever it reboots and I have access to all of my machines through ONE tightly locked door.

The script I’m creating is only useful if you have your router configured for remote SSH management (see DD-WRT: SSH Remote Management with Public Key Authentication for my how-to). The configuration process applies to setting up any startup script on a Samba share.

The script I want to execute on startup is going to change the configuration of the Dropbear SSHd. By default, when you connect to the router via SSH, you’re presented with a pre-login prompt advertising the firmware’s version. I prefer not sharing that info with anyone (not in such a blatant fashion at any rate), so I need to kill off the dropbear process and restart it without the banner flag. You might be wondering why I don’t just edit dropbear’s config file on the router… The simple answer is that there isn’t one.

I’m going to be using a Samba share I’ve created just for DD-WRT on the machine named ubuntu (also my desktop). The local path is ~/ddwrt and the network path is smb://ubuntu/ddwrt

Create the script:

Create a script on your Samba share named dd-wrt-startup.sh. One way to create the file is to enter the commands below in a terminal.

cd ~/ddwrt
touch dd-wrt-startup.sh

Open ~/ddwrt/dd-wrt-startup.sh with your editor of choice and add the text below (each command should be on its own line):

#!/bin/sh
## kill/restart dropbear; remove pre-logon message
killall dropbear
dropbear -r /tmp/root/.ssh/ssh_host_rsa_key -d /tmp/root/.ssh/ssh_host_dss_key -p 22 -s

Be sure that when you specify the port (-p 22), you use the same port that you have configured in the DD-WRT control panel.

The difference between the command to launch dropbear that I wrote, and the command the router defaults to, is that I’ve removed the banner file flag (-b [path to loginprompt]). If you want to see what the exact command line is on your router before you make the change, SSH in and enter a ps, someplace in the process list you’ll see the dropbear command line.

Configure Samba FS Automount:

Before going on, be sure that the Samba server has a static IP or (better yet) a static DHCP address. If you don’t use static DHCP, you may want to use the machine’s IP address instead of its name when configuring the share below. Check out the DD-WRT DNSMasq wiki page for more info.

Log into the DD-WRT Control Panel, Click Administration then select the Management tab. Scroll down to the Samba FS Automount section and configure as follows:

• SMB Filesystem: Enable
• Share: //ubuntu/ddwrt
• User Name: [valid smb user]
• Password: [smb user's password]
• Startscript: dd-wrt-startup.sh

Now all you need to do is click Save Settings and Reboot Router. The next time you SSH in, you’ll notice that no information about the router is given until you’ve provided your credentials and successfully authenticated. You will also notice that entering the mount command will show you that your Samba share is mounted to /tmp/smbshare.

When I set up a personal Internet facing SSH daemon, I only allow logins via public/private key files. This greatly improves security by eliminating the potential for brute force password cracking. If you aren’t familiar with public key authentication, the quick of it goes something like this; you have a key pair that consists of a public and a private key. The public key lives on the server you want to log into, and the private key lives on your computer (the client). You can share the public key with anyone, and you should physically protect the private key with your life. You can choose to encrypt the private key with a password (you will need to enter the password each time you attempt to authenticate with the key) or leave the password blank (which allows you to log in without a password). Note: It’s strongly suggested that you password protect your private key.

So what’s the point of it? Your public key can only be used with its partner private key. As long as your private key is safe (only you have access to it), nobody can crack your account and log in (even if they have the public key, you can’t generate a private key based on the data in the public key). This is why I suggest encrypting the private key with a password, if you have it on a thumb drive and lose the drive, the dweeb who picks it up and wants to see what you have access too will still need to get past the password on the private key. This gives you time to create a new keypair and update the machines you connect to.

I hope I made that clear, it makes more sense once you start using it. If you’re confused at all after going through all of this, please let me know in the comments of this post, I’ll clear up what I can.

Creating a keypair on your Linux box

If you haven’t previously used SSH to connect to a host, you won’t have a ~/.ssh/ directory on your machine. If you aren’t sure whether or not you’ve used SSH before, open a terminal and enter ls -lad ~/.ssh. If the folder doesn’t exist, you’ll want to create it and set the proper permissions now. The command below will create the directory with a mode of 700, only you as the owner will be able to list the contents of ~/.ssh

mkdir ~/.ssh -m=u+rwx,g-rwx,o-rwx

This next command will create a keypair in ~/.ssh/ as long as you have the OpenSSH Client package installed (chances are, you do). Basically we’re creating a (standard) 2048-bit RSA keypair with a custom comment (-C [comment]. If you decide not to customize the comment, ssh-keygen will insert your [username]@[host] as the comment). If you don’t enter a password for your key when prompted, you won’t need to enter one when attempting logins with this keypair. As convenient as this sounds, I would (again) suggest using a strong password to keep this keypair safe.

ssh-keygen -C [comment] -f ~/.ssh/id_rsa

Now that we have a keypair (~/.ssh/id_rsa and ~/.ssh/id_rsa.pub), we need to log into the DD-WRT control panel, enable SSH and paste in our authorized key.

Configure SSHd

Open ~/.ssh/id_rsa.pub with your editor of choice, select all of the text and copy it.

Next, open your browser and enter the address of the router, Click on the Administration tab, and then on Services. Scroll down to the Secure Shell section and set it up as follows:

• SSHd: Enable
• Password Login: Disable
• Port: 22
• Authorized Keys: Paste in the contents of your id_rsa.pub file. The actual key (the ugly part of the file) must NOT wrap, it needs to be on one line.

Note: I ALWAYS change the port from 22 to some high number that’s easy for me to remember. It cuts down on attempted break-ins, do whatever works for you.

Now that SSHd is configured, click Save Settings and then Reboot Router. At this point, you can only use SSH to log into the router from your LAN (in other words, we haven’t opened SSH up to the world yet).

Once the DD-WRT control panel is visible again, open a terminal and enter the command below:

ssh root@192.168.1.1 -i ~/.ssh/id_rsa

If all goes well, should see a login prompt like the one below. You’ll need to enter the password for your private key. After that you should be at a shell prompt. If yes, Congrats! You’re communicating with your router via SSH.

DD-WRT v23 SP2 std (c) 2006 NewMedia-NET GmbH
Release: 09/15/06 (SVN revision: 3932)
Enter passphrase for key ‘/home/[username]/.ssh/id_rsa’

Now that it’s all tested, we can open SSH up to the Internet. This is optional of course, if you don’t want SSH access to your router from remote locations, then skip it.

Log into the DD-WRT control panel and select the Administration tab and then the Management tab. In the Remote Access section configure as follows.

• Web GUI Management: Disable
• SSH Management: Enable
• SSH Remote Port: [same port you selected in the Secure Shell configuration]

Again, click Save Settings and Reboot Router. After the reboot, you’re SSHd is available to you from anywhere

Extra bit to make life easier

Finally, if you think that’s an annoying amount of text to enter whenever you want to SSH into your router, create an SSH Config file. Use whatever editor you like, enter the text below and save the file to ~/.ssh/config

host ddwrt
hostname 192.168.1.1
port 22
user root
identityfile ~/.ssh/id_rsa

Now all you need to do is enter ssh ddwrt to connect to your router.

Finally, I should mention that allowing remote “root” logins is a really bad idea. I’ve made an exception in this case as DD-WRT is unique in that it only has one user account. There are ways of renaming the account, if I explore them, I’ll (of course) tell you about it.

Firstly, I powered up the router and performed a hard reset (hold the reset button down for 30 seconds). This just ensures that the router is using its factory default configuration. I then unplugged my Ubuntu Edgy machine from the old router and connected it to the WRT54GL. I reconfigured my network interface from a static address to DHCP and renewed my IP. I did this from the command line so it looked like sudo ifdown eth0 ; sudo ifup eth0.

The firmware installation is done from the router’s web based administration panel, so using Firefox 2.0.0.1 I logged in and navigated to the firmware upload administration tab. I used the browse button to locate dd-wrt.v23_generic.bin (which I had downloaded and extracted when I ordered the router) and clicked upgrade. After a few moments, I received a page telling me that the upload was successful and I walked away from the whole project for 5 minutes (as the wiki instructed me to. I wanted a beer anyway).

Time passes…

Back at the keyboard now, I click the Continue button and I’m presented with a white page and some fields asking for my username and password. I close Firefox, perform another hard reset of the router, open Firefox again and enter the address of router. Just like magic, I’m presented with the DD-WRT configuration pages of the router. Success!

Since it’s late and I just want to get things working, I’m only doing the basics, setting up static DHCP and a new wireless SSID.

Step one, change the default password from “admin” to something much, much better. Next, I collect all of the MAC addresses from the machines on my network and make my way to the Administration/Services tab. There, I assigned the MAC addresses to host names/IP addresses and configured my LAN domain name (just something I like to play with). I started testing DCHP by connecting to each of the Linux machines, changing them from a static to a DHCP configuration and renewing the IP address (same commands as above). Flawless! With the Linux machines done I configure the rest of the machines on the network the same way.

Next, I create a new wireless SSID and configure my two wireless machines to associate with it. This is where I had a little trouble. Everything but the Ubuntu install on the laptop connected without issue. For whatever reason I just can’t get the bcm4306 based wireless card to associate with the router using manually configured NDISwrapper. I’ll revisit this when I’m not so tired

Update: I think I have this fixed, I’ll tell you how in another post

I know I said I was only doing the basics, but I had to try SSH. So back to the Services tab, I enable SSH management (and disable Telnet as I’ll never use it) and click the Reboot Router button. Next, I open a terminal session and enter ssh dd-wrt. I log in with my user/pass and I’m at an ASH shell prompt. The output from a uname -r reads like Linux DDWRT 2.4.34-pre2 #170 Fri Sep 15 20:10:21 CEST 2006 mips unknown. Pretty sexy

All in all it was a satisfying experience. I’m running Linux on my router and there’s a LOT of cool things I can do. I haven’t scratched the surface yet, I’ll be exploring options for a while and when I come across something sweet I’ll post about it here. If you’re at all interested in exploring DD-WRT, start by checking out the compatibility list and reading up on the features. The wiki is a great place to start. I had no trouble ordering a 100% compatible router for around $55.00 US (there was a rebate).

If you’re new to Linux and don’t want to have to manage your router from a command shell, no worries. The web configuration pages are extremely useful and cover the full configuration of the router in a point and click fashion. You just can’t go wrong

If you haven’t read between the lines, I have a really bad Netgear taste in my mouth. Don’t get me wrong, they’re great unless you want a quality product or some type of service when you eventually give up and call for support. I digress.

I chose this model because you can replace the stock firmware with third-party stuff. I’ve been reading for months about the DD-WRT project and wishing I had a compatible router. If you haven’t checked this project out, and you want to be able to do some really neat and powerful things with your router, what are you waiting for?

I mention this here because DD-WRT firmware is Linux based and open source. I’ll be posting about installing and configuring the router here as soon as I get it configured/tested and my notes are cleaned up. If all goes well, I can use the machine I’ve had acting as an SSH server (among other things) as a test bed for some play I want to do.

I can’t wait to get started