Anyone get OpenSSH (entware) working?

[cmkelley]

Not because I really need to, but just because I want to, I want to replace dropbear with OpenSSH on my RT-AC3200. I've installed openssh-keygen, openssh-moduli, openssh-server, and openssh-sftp-server from entware. I moved dropbear to port 2222 so I could still get into the router, generated the ssh_host_*_key private and public keys in opt/etc/ssh, and added the appropriate files to /jffs/configs;

group.add

sshd:x:22:

gshadow.add

sshd:*:22:

passwd.add

sshd:x:22:22:sshd privsep:/var/empty:/dev/null

shadow.add

sshd:*:0:0:99999:7:0:0:

Made the S40ssh script explicitly point to the configuration file (you'll have to trust me on this, for some bizarre reason pasting the line that starts sshd from S40ssd makes snbforums throw a you've been blocked message.)

I create /var/empty and chmod that to 700 in init-start

#!/bin/sh
# This script is the first that can possibly be run

mkdir /var/empty
chmod 700 /var/empty

I changed PermitRootLogin to yes in the sshd_confing file and restarted the router. Changing PermitRootLogin is the only change I made to the sshd_config file, everything else is as-installed from entware.

I can log into my "root" account (the name (routerroot) and password I use to log into the webgui) just fine through dropbear (it uses key exchange, not a password) on port 2222. I cannot for the life of me log in through ssh (port 22). It asks for a password, which it seems it ought not to do since I have the keys set up, and it won't let me in (permission denied). The system log shows;

Sep 17 10:45:27 sshd[12387]: Account routerroot has expired
Sep 17 10:45:31 sshd[12387]: error: Could not get shadow information for NOUSER
Sep 17 10:45:31 sshd[12387]: Failed password for invalid user routerroot from 10.29.3.69 port 56659 ssh2
Sep 17 10:45:34 sshd[12387]: Failed password for invalid user routerroot from 10.29.3.69 port 56659 ssh2
Sep 17 10:45:34 sshd[12387]: error: maximum authentication attempts exceeded for invalid user routerroot from 10.29.3.69 port 56659 ssh2 [preauth]
Sep 17 10:45:34 sshd[12387]: Disconnecting invalid user routerroot 10.29.3.69 port 56659: Too many authentication failures [preauth]

The account expired message is the one that has me stumped. From googling, It seems to be related to PAM? The default in sshd_config is UsePAM no.

What am I missing???

 

[oneleft.ak]

I am also experiencing the same issue on my R6300v2. I have attempted using passwd -u on the root account but it was already unlocked. Not sure where to go from here and would also appreciate some guidance. I created an account at this forum just for this particular issue.

 

[lahma]

@cmkelley or @oneleft.ak : Did either of you ever figure out or resolve this problem? I'm trying to get openssh-server running on my AX-88U and I'm running into similar issues. Since this thread is so old, I know it is probably unlikely I will receive a response but I thought it was at least worth a try.

 

[cmkelley]

@cmkelley or @oneleft.ak : Did either of you ever figure out or resolve this problem? I'm trying to get openssh-server running on my AX-88U and I'm running into similar issues. Since this thread is so old, I know it is probably unlikely I will receive a response but I thought it was at least worth a try.

It's been almost 4 years, so I don't remember the details, but I do remember figuring out it was a bad idea. There was IIRC a real reason not to do it. I do not remember at all what that was.

 

[smasher]

I got it running.

I tried posting a tutorial, but this web-site is choking on certain full-paths being part of a post, making it essentially impossible to share it here.

I used the contact-form to try and reach the site admins, and even that was choking when I tried to share examples of the problem. I had to send the examples base64 encoded. As soon as they get it fixed, I'll post what I've got. It is working so much better than dropbear.

Anyway, this bit of base64 (directly below) contains two file-names with full paths. I can't even post a comment that contains either one of them.

L2V0Yy9zaGFkb3cKL29wdC9ldGMvc3NoL3NzaGRfY29uZmlnCg==

 

[smasher]

Installing and running openSSH on Merlin -

Installing and running openSSH on Merlin

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

 

[dave14305]

Installing and running openSSH on Merlin -

Installing and running openSSH on Merlin

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

You can use /jffs/configs/passwd.add and /jffs scripts/shadow.postconf instead of a custom script.

 

[ColinTaylor]

Interesting exercise, but I'm more intrigued by why you were having problems with dropbear in the first place ("I got tired of dropbear taking too long to establish a connection, and then dropping the connection every minute or two"). I can't say I've heard of anyone having these problems.

 

[smasher]

You can use /jffs/configs/passwd.add and /jffs scripts/shadow.postconf instead of a custom script.

I was hoping to find the utilities to do it the "right way", but opkg utilities (eg shadow-chage, shadow-useradd) are looking for files in the wrong directory and can't follow symlinks.

The files you're referring to don't exist anywhere on my system.

 

[smasher]

Interesting exercise, but I'm more intrigued by why you were having problems with dropbear in the first place ("I got tired of dropbear taking too long to establish a connection, and then dropping the connection every minute or two"). I can't say I've heard of anyone having these problems.

Seems to be a longstanding problem for some of us, and no one has figured out why.

I have observed that streaming audio through the router makes it worse, and streaming video through the router makes it much worse.

Some people have suggested that lack of entropy is the root cause, which pushed me to explore entware/optware/diversion, to get havegd running, and that really opened up the router to my own hacking… But none of it ever got dropbear working well. YYMV.

 

[dave14305]

The files you're referring to don't exist anywhere on my system.

Refer to the Custom Configs wiki page, if you want to understand the proper way to alter firmware-generated config files.

 

[smasher]

Refer to the Custom Configs wiki page, if you want to understand the proper way to alter firmware-generated config files.

Cool!

I guess that's a little bit less kludgey, even though it still relies on a line of sed to do something that chage should be able to do "the right way", but I've tested it and updated the wiki. Thanks.

 

[itpp20]

Interesting exercise, but I'm more intrigued by why you were having problems with dropbear in the first place ("I got tired of dropbear taking too long to establish a connection, and then dropping the connection every minute or two"). I can't say I've heard of anyone having these problems.

Maybe different versions of dropbear? never had an issue and I use 50+ dropbear's in a reverse ssh session (cgnat) to a ssh server over which 445(smb/tcp) and other life Cam traffic flows, when the connection breaks its the provider doing it (usually once a day). It may also be a ssh server issue.