Save SSH credentials

[Vishnu Rao]

I have a USB connected hard drive which serves as the dumping ground for pictures & videos captured on all phones in the home. The phones back up to the SMB location via an app.

The pics & vids are reviewed once a week and then rsynced over ssh to a larger NAS. My goal is to automate this via a script cronned to run once week.

I have the script ready, but the challenge is that the router does not save the ssh credentials. It asks me if I trust the host and then enter password everytime I run the script.

As shown below it first asks me if i trust the host.
dmin@RT-AC1900P-4900:/jffs/scripts# sh my_rsync.sh

Host '192.168.1.4' is not in the trusted hosts file.
(ssh-ed25519 fingerprint sha1!! 1e:43:16:bc:5c:30:71:04:1b:32:c9:b7:1d:64:1f:b9:36:e1:3d:a7)
Do you want to continue connecting? (y/n) y

1. How do I add the host to the trusted hots file? I think this gets deleted everytime I reboot the router.
2. How do I save ssh credentials and preserve them from being erased at reboot?

 

[John Davis]

the inbound ssh authorised keys are stored in /jffs/nvram/sshd_authkeys and copied to /tmp/home/root/.ssh/authorized_keys at boot

for outbound keys you're going to have to do something similar - store the private key in /jffs/nvram or you external drive and then write a script to copy it to /tmp/home/root/.ssh/id_rsa (id_dsa depending on the cipher you're using) on boot

the other option is to specify the identity on the command line via the -i option and directly access the private key in /jffs/nvram or stored on your external drive (I'd probably go for storing it on the external as ssh is finicky about permissions on both the file and the directory it's stored in and will refuse to use a key if it's not right)

-i identity_file
Selects a file from which the identity (private key) for RSA or DSA authentication is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file. It is possible to have multiple -i options (and multiple identities specified in configuration files).

 

[JT Strickland]

I think Syncthing could do all of that for you in near real time.

 

[Vishnu Rao]

Thanks for your response. I am not sure I fully understand the instructions.


I think the incoming ssh authorized keys are for the host that I am connecting to. Please correct if this is incorrect.

After I did a manual rsync over ssh, I looked at files in /tmp/home/root/.ssh/ i.e. authorized_keys & known_hosts file. the known_hosts contained info on the host I was trying to connect. But the authorized_keys file was empty. However I copied these over to /jffs/nvram/ and renamed authorized_keys to sshd_authkeys. I did a reboot. I expected them to be copied from nvram to the /tmp/home/root/.ssh/ folder. But it was empty. Is the copy at boot automatic or should I run a script to copy as well?



I am still trying to understand the -i option. I will update you later this week.

 

[John Davis]

authorized_keys is for inbound connections TO your router, known_hosts is saved fingerprints for hosts you’re connecting TO, but is only half of what you want to be able to rsync over ssh without needing to enter credentials, you also need to generate a local public/private key pair on the router (or generate them somewhere else and copy them there) and then also install the public key on the NAS - that will allow password-less secure login for ssh (and hence also for rsync over ssh)

other option is to fall back to the old (insecure) original rsync protocol (not rsync over ssh) - no need for keys, and faster (no encryption overhead) - if you NAS supports it (synology does I know). Obviously insecure but if it’s all inside your LAN not a huge security risk

 

[gerardr]

I setup a SOCKS5 proxy on my routers using SSH. I keep the SSH credentials on the USB drive and use the 'script_usbmount' nvram setting to define a script to run when the USB drive gets mounted. That script then copies the known_hosts, config and identity files to /root/.ssh and makes sure that they're only readable by the owner (aka: 'chmod 600' or 'chmod og='). It then creates the crontab entries for the proxy start and stop times, since these disappear each reboot, too. Note that the 'script_usbmount' nvram setting is available in both stock AsusWRT and 'asuswrt-merlin.ng' firmwares so it's pretty stable and you don't have to install Optware or Entware or even enable scripts in 'asuswrt-merlin.ng' to use it. It looks like you could do something similar.