Dropbear/ssh without remote password

[huotg01]

I want to Rsync through a ssh tunnel without entering the remote password.

From my reading, in order to do that I have to generate a pair of RSA keys.
In AsusWRT/Merlin, the ssh engine is called Dropbear, and the program used to generate the key pair is named Dropbearkey.

dropbearkey -t rsa -f ~/.ssh/id_rsa

will add a file (id_rsa) with the Private key in it. The file is located in the "home/.ssh/" folder. If there is already a id_rsa file in the folder, Dropbearkey will stop on error. You then have to remove the existing file before running again Dropbearkey.

At the same time Dropbearkey will also print on the terminal the Public Key.
We have to copy/paste this key to the remote router, using the AsusWRT GUI, in the field "SSH Authentication key" by going to the Administration menu, System tab. In fact the key will also be "copied" by Asuswrt to the authorized_keys file of the remote root.

That done, I should be able to ssh log on the remote Router with a command like:

ssh admin@xxxx.asuscomm.com

If everything goes well, you will be logged on the remote router. If you are asked to enter the remote password, and then you are logged in the remote after entering it, then it means that your ssh command is ok, but not the keys pairing process.

I read somewhere (https://www.linux-tips.org/article/66/dropbear-rsa-key-problem)

Using public key authentication with dropbear ssh client is a little different from regular openssh clients. Dropbear doesn't lookup users .ssh directory for user's private key. You should expicitly say which private key will be used for session with the -i parameter.

I also found out that this "family" has also a member called dbclient. It can be used to connect to a remote (like ssh) with the command:

dbclient -i ~/.ssh/id_rsa admin@xxxx.asuscomm.com

Therefore you just have to specify where is the private key (option -i). After seeing that, I just replace the dbclient by ssh:

ssh -i ~/.ssh/id_rsa admin@xxxx.asuscomm.com

and it works (quite normal: it's probably just a symlink...).

If you try the same thing without the "-i" option, no luck. You will asked for the remote password. There is an option with dropbear that allows to specify where is the private key file, with the command:

dropbear  -r ~/.ssh/id_rsa

When trying it I got the errors:

Dec  2 10:12:35 dropbear[6370]: Failed listening on '22': Error listening: Address already in use
Dec  2 10:12:35 dropbear[6370]: Early exit: No listening ports available.

Anyway, it works when using the option "-i" to specify where is the private key. I'm happy because I will be ok to fire Rsync rocket with the command:

rsync -avz -e "dbclient -i /home/root/.ssh/id_rsa" /SourceFiles admin@xxxxx.asuscomm.com:/

Enough for me for today.
Many informations I used today come from http://troy.jdmz.net/rsync/
I will also use that site for the Rsync backup commands.

I someone has/had any success changing the default private key location for Dropbear, or knows where is the configuration file of Dropbear, or knows how to start and stop Dropbear, please add it to this thread.

@opheliagrimm This is not the draft procedure we talked about. I started this thread with a problem, but when describing it, I finally found out an interesting information about Dropbear. That leaded to a bypass, and we no longer have a problem. From now on I will work from the wiki.

 

[huotg01]

As a reminder:

• http://wiki.openwrt.org/doc/howto/dropbear.public-key.auth
• https://www.linux-tips.org/article/66/dropbear-rsa-key-problem
• http://linux.die.net/man/8/dropbear
• http://wiki.openwrt.org/doc/uci/dropbear
• http://www.dd-wrt.com/wiki/index.php/Rsync_Backup_Server
• http://manpages.ubuntu.com/manpages/trusty/man8/dropbearkey.8.html
• and http://forums.smallnetbuilder.com/showpost.php?p=61104&postcount=17 by @TeHashX

jffs http://forums.smallnetbuilder.com/showthread.php?t=11044

 

[opheliagrimm]

Fantastic job.

Can't wait to try the steps once you're done with the wiki.

Then I can move up to the latest firmware again.

 

[Pila]

I needed ssh to and from the Asus with Merlin fw router for different uses. This post is the best info on the subject I could find.

Original post works but has 2 problems. 1) dropbear never generates id_rsa.pub file, hence, never saves it anywhere. 2) whatever ssh authorisations were done, to the or from the router, all is gone after a reboot. Incoming only are simple do fix (at the end of my post). So, I tweaked the process a bit. Jffs and SSH must be enabled in GUI.

Here is how I got dropbear ssh to work fully, even after a reboot.

Create .ssh folder where it will not get lost

mkdir /jffs/.ssh/

Create the private key in the above folder. Just hit enter to any questions or do as you need

dropbearkey -t rsa -f /jffs/.ssh/id_rsa

Create a public key also there

dropbearkey -y -f /jffs/.ssh/id_rsa | tail -n2 | head -n1 > /jffs/.ssh/id_rsa.pub

Just in case, check id_rsa.pub and verify it contains only the key

cat /jffs/.ssh/id_rsa.pub

Now let's get connected to a remote device. In my following examples, replace root@192.168.2.9 with your data. I am lazy, and all of this this is copied from my own documentation

If there is no ssh folder at the remote device, create it. If it exists, skip this step. Confirm acceptance and enter password for the remote when asked.

ssh root@192.168.2.9 mkdir -p ~/.ssh

Now copy the router's public key there

cat /jffs/.ssh/id_rsa.pub | ssh root@192.168.2.9 'cat >> ~/.ssh/authorized_keys'

Done. To not keep forgetting things, create /jffs/scripts/services-start and enter the following. Then save in Unix file format and make executable. I do such things from Windows with WinSCP and Crimson Editor.

#!/bin/sh
# /jffs/scripts/services-start
cp /jffs/.ssh/known_hosts /home/root/.ssh/known_hosts
cp /jffs/.ssh/authorized_keys /home/root/.ssh/authorized_keys

From now on, to connect to the remote, enter:

ssh -i /jffs/.ssh/id_rsa root@192.168.2.9

Now, make all authorisations you need, from the router and to the router. When done, copy files to our safe place.

cp ~/.ssh/known_hosts /jffs/.ssh/known_hosts
cp ~/.ssh/authorized_keys /jffs/.ssh/authorized_keys

Should you add some authorisations at a later time, just copy them again to the jffs with previous commands.

Should someone need only incoming (from other devices to the router) authorisations, they can just make needed connections and then copy and paste the contents of the authorized_keys file to the Router GUI: Administration -> System -> SSH Authentication key. Apparantly, if you enter too many keys here - router reset might be in order.

Why you must be aware of this "half-feature"? Whenever you save this page (regardles of what you did there), it will empty your authorized_keys file. Actually it will fill it with the content of the abovemenioned field, which would normally be empty. Just run a services-start again. Better do it this way than having to handle all ssh manually (ssh off in the WebUI).

 

[Marko Polo]

Cannot get key authentication to work in Dropbear. I don't wanna tunelling or connecting two routers, I simply wanna connect to router via keypair.
I generated the private key as above, added public key to authorized. As I got it, putting public key to router webgui field SSH Authentication key is equivalent to manual copying as

dropbearkey -y -f "${KEY_DIR}/id_rsa" | grep "^ssh-rsa " > "${KEY_DIR}/id_rsa.pub"

But I cannot connect. Guacamole requires private key in a text form, but in id_rsa I see only a mess in unknown encoding

   ssh-rsa     ¸ª{0ã×â¥S/áí¶Ø!Q‰¢>Z;Ø°4P”‚lû4¢rü“’¢‹=Fœ–O,?ÍŪZzXÅ2<kë7¦¿Jà)×ÙÄ•HeoL†S GèŽêŠ/-hvlÄ€ï´Ü/è§fY—HGtó³ir†CCù-\š'Î÷kÁ‚ç5Zµ}ã©›Þúø‰çÐYä1@·ÓÖº@Á D(%}à{Ìã\j¾Ž%öŽDâEZ1ÔÂÍÉÜSÊ·®'^ó"œ(u•`û]_âÏûX0þ%”±A,üéŽ<:'Ý—èhrfÅ#+ xc;tžž›7ßÚEªóµÇ   '<8É Ž=iYÝÃ'*h‰g¼²r~¹ò™ÊhÓ-¬Êžïvßó¯¬É
ÉáŸ[<ú¡NÊn¶Ú>¥ç×sm©Ûúœß>(@Ê!Z†ËåV»^ÙkyéqĆͷ˜Tr½>nmú&¶³$„Ý?V¿v,ÚWú‚Žk\–!³ÜÒ˜)Z•æëÔ‚5µ¼e“ÇœÎþV¹þÿ?>×Ú‚ha#±ö‘v¢p±&#¢Šæ_ÖƧk0ç‘¿,8ߝ¶õæÆú»$sŠÉ‡èbŸjœ    ‰n!,Ätßçõä/›`nó¶`÷ßæöñ$Üí¬«¢—¼\6²çüJÐêÉ<É    ùß¼:cui™”û¥#\    ç
<Ü5TÎ5›”zý’$è@°WùÄ´ÍËY>?"±¤0"
ì©*O.–ž-Q(½p
0»7"öò_CvÃÇlŽ5Æ™½ÿ? ŽY"ˆÊ^A …«VæPÔ;H€‡I¹’Ì4Yìüúú&SEÓ    ½1|_ã¿9tùÃMEàÄÍÕ@Ñ‘;£cüŽ,˜;º
*¼_È©B ðï¢l“XÑ «"ôã…ÎÞ÷ÒØ_P;žÔÜ8¶&؉÷0Ïñ6xy*ÄŽ€pÛµ YÜ+žËð^ôËþÿhƽyN\vÇ ñ¹õ¶{“½

which Guacamole doesn't accept.

If I try to connect via ssh in console it requires passphrase which I didn't set

polo@mara:~$ ssh -i ~/id_rsa 192.168.1.1 -p 29
Enter passphrase for key '/home/polo/id_rsa':

Any suggestions? Thx.

 

[RMerlin]

Use putty-gen to generate your key.

 

[Marko Polo]

Thanks, that worked.

 

[Marko Polo]

Another follow-up question: does Dropbear have ssh-agent or equivalent which allows using config file?
I didn't find ssh-add command or anything similar.

 

[RMerlin]

Another follow-up question: does Dropbear have ssh-agent or equivalent which allows using config file?
I didn't find ssh-add command or anything similar.

Dropbear does not have any configuration file. It's a very basic ssh daemon.

 

[calzor suzay]

On Pila's solution do I need this on both nodes?

It worked, I bounced the node (not primary) and it went back to prompting for the password

To not keep forgetting things, create /jffs/scripts/services-start and enter the following. Then save in Unix file format and make executable. I do such things from

#!/bin/sh
# /jffs/scripts/services-start
cp /jffs/.ssh/authorized_keys /home/root/.ssh/authorized_keys

 

[calzor suzay]

Ok if I reboot the node it prompts for the password.
I can then manually run /jffs/scripts/services-start whilst logged on as my admin account, it'll then put the file back and it'll work.

What it won't do is run it by itself at reboot, any idea why, what I need to do?

 

[Jeffrey Young]

Wish I had seen this post before last weekend. Would have saved me a few minutes. I was setting up a script on my AC86U to SSH into my NAS and run a shutdown command when the router got a shutdown command from NUT. Took me a bit to figure out that dropbear does its own thing for keys compared to the mainstream SSH. Thanks to google though, I did get it working.

Great tutorial! Thumbs up for sure.

 

[calzor suzay]

Solved this in the end as per Thread here if anyone picks this up one day when using AiMesh.

 

[Mikii]

Thank you so much! I was finally able to connect from my Asus to my Sinology to run a script there!

Mikii