Solved SFTP - Key Only access via FileZilla client to RT-AC68U

learning_curve

Senior Member
The thread title is what I'd like to achieve, i.e. SFTP access to my RT-AC68U router via a FileZilla client, but only using a passphrase-protected private key and its paired public key, so not using a user ID and password for SFTP access. AFAIK Dropbear, which is supplied by Asus by default for SSH, is effectively a 'basic' sshd server for lower-resource devices (like my router!), so it does NOT support SFTP by default. Completely replacing Dropbear with OpenSSH is obviously a non-starter. However, I believe it's possible to compile only the sftp-server from the openssh package and then run that with Dropbear. Has anybody done this already? If so, can the steps be posted on here?

As a secondary alternative, is anybody successfully using FTPS (FTP-SSL / FTP Secure) but with key-only access (via a FileZilla client), without then needing to use a USB device on their router and all of the Asus GUI USB functionality, i.e. USB Application - FTP Share (router URL: /Advanced_AiDisk_ftp.asp)? Again, if so, can you share that?

FWIW - SSH access, with the additional security levels mentioned above, works perfectly on my RT-AC68U just by using the existing Asus GUI SSH (aka Dropbear) settings:

Enable SSH: LAN Only
Allow SSH Port Forwarding: No
SSH Port: 22 (SSH access via LAN only, plus a passphrase-protected private key and its paired public key, negates any real need for a port number change)
Allow Password Login: No
Authorized Keys: ~~ Public Key Added

FWIW, for all the reasons mentioned, those SSH settings don't provide what's needed to achieve this with SFTP. I do have 7 other SFTP (remote, not LAN) server connections within FileZilla (plus all of their equivalent, fully functional SSH connections via Terminal) which are all using only unique, passphrase-protected private keys and their paired public keys for access, but.... they are ALL OpenSSH, not Dropbear, server / client connections, which is, I'm very sure, the reason for the difference between the two!
 
The thread title is what I'd like to achieve i.e. SFTP access to my RT-AC68U Router via a FileZilla client, but only using a passphrase protected private key and its paired public public key, so not using a User ID and password for SFTP access.
Easy.
Two ways to accomplish this:
1. Use WinSCP instead of Filezilla to access the router using the scp protocol. No additional software on the router is needed.

2. Have Entware installed with package openssh-sftp-server added to allow sftp protocol:
- Install Entware if not already installed on your router. Use amtm to install it.
- Then install the Entware package openssh-sftp-server to allow sftp access (Filezilla does not support direct scp access).
- In the ssh terminal enter this:
Code:
opkg install openssh-sftp-server
Then use Filezilla sftp protocol to access your router.

This all assumes that you already setup the passphrase protected private key on your router.
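Added example, not code from the thread or from Asuswrt-Merlin or Entware: a BusyBox-compatible sh script that checks the three things option 2 above depends on (the sftp-server binary is present for Dropbear to exec, the GUI settings really are key-only, and the key FileZilla will offer is the one Dropbear has been given). It also covers the recap later in the thread, where the poster confirms this is all that was needed. The candidate sftp-server paths, the nvram variable names (sshd_pass, sshd_forwarding, sshd_authkeys) and the '>' separator between stored keys are assumptions based on Asuswrt-Merlin conventions; confirm them with `nvram show | grep sshd_` on your own router. The key blobs used in the self-test are constructed, not real keys.

```shell
#!/bin/sh
# Added example, not part of the thread or of Asuswrt-Merlin/Entware.
# Router-side and client-side checks for key-only SFTP through Dropbear
# plus Entware's openssh-sftp-server. Written for BusyBox ash.
#
# Assumptions (confirm on your router):
#  - Entware installs sftp-server under /opt; the candidate paths below
#    are guesses, and Dropbear execs whichever path it was built with.
#  - Asuswrt-Merlin keeps the GUI SSH settings in nvram as sshd_pass,
#    sshd_forwarding and sshd_authkeys, the last one holding several
#    keys separated by '>'.

SFTP_CANDIDATES="/opt/libexec/sftp-server /opt/lib/sftp-server /opt/bin/sftp-server"

# Print the first executable among the space-separated candidates in $1.
find_sftp_server() {
    for p in $1; do
        if [ -x "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# Key-only policy as set in the GUI: password login ($1) and port
# forwarding ($2) both off, i.e. both nvram values equal to 0.
keyonly_policy_ok() {
    [ "$1" = "0" ] && [ "$2" = "0" ]
}

# Does the client public key line in $1 ("type base64 [comment]") appear
# in the authorized-keys text on stdin? Only the type and blob are
# compared, so differing comments or leading options do not matter.
authkey_matches() {
    t=$(printf '%s\n' "$1" | awk '{print $1}')
    b=$(printf '%s\n' "$1" | awk '{print $2}')
    awk -v t="$t" -v b="$b" '
        { for (i = 1; i < NF; i++) if ($i == t && $(i+1) == b) { found = 1; exit } }
        END { exit found ? 0 : 1 }'
}

# On the router (over the SSH session that already works):
#   sh sftp_check.sh live /tmp/client_key.pub
router_live_check() {
    bin=$(find_sftp_server "$SFTP_CANDIDATES") \
        || { echo "no sftp-server binary: opkg install openssh-sftp-server"; return 1; }
    echo "sftp-server: $bin"
    pass=$(nvram get sshd_pass); fwd=$(nvram get sshd_forwarding)
    keyonly_policy_ok "$pass" "$fwd" \
        || echo "WARN sshd_pass=$pass sshd_forwarding=$fwd (expected 0 and 0)"
    nvram get sshd_authkeys | tr '>' '\n' | authkey_matches "$(cat "$1")" \
        && echo "client key is in sshd_authkeys" \
        || { echo "client key is NOT in sshd_authkeys: paste it into the GUI"; return 1; }
}

# On the client: prove the SFTP subsystem answers with the key alone. The
# passphrase-protected key must already be in ssh-agent (ssh-add), because
# BatchMode forbids any prompt, and password/keyboard fallbacks are off.
#   sh sftp_check.sh probe admin@192.168.1.1 ~/.ssh/router_ed25519 22
client_sftp_probe() {
    printf 'pwd\n' | sftp -b - -P "${3:-22}" \
        -o BatchMode=yes -o PasswordAuthentication=no \
        -o KbdInteractiveAuthentication=no -o IdentitiesOnly=yes \
        -i "$2" "$1"
}

case "${1:-}" in
    live)  router_live_check "$2" ;;
    probe) client_sftp_probe "$2" "$3" "$4" ;;
esac
```

Run the `live` mode on the router first; if it reports the key is not in sshd_authkeys you have the same mismatch that is discussed further down this thread (the client offering a key that is not the one pasted into the GUI). Then run `probe` from the client: if `pwd` prints a directory, the SFTP subsystem is being exec'd by Dropbear and authentication succeeded with the key alone.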
 
Brilliant! Thanks @thelonelycoder, that's perfect. It will be the 2nd option for me, as all of the devices that we have & use are macOS, not Windows (WinSCP is still Windows-only, I think). Using ssh-keygen on macOS to create any new passphrase-protected private keys that may / may not be needed for this is pretty easy (as you'll no doubt already know!). We can then store them within funtoo keychain to save future login input time etc., and FileZilla (macOS version) will transform them into .ppk format keyfiles when we create a new SFTP 'site', so that FileZilla can correctly present the keys when access-challenged.
 
Sorry to barge in on someone else's party... I've been trying to get sftp to work, and have installed the package. If I run that command now, I get: "Package openssh-sftp-server (9.0p1-1) installed in root is up to date."

However, it doesn't seem to be running, or perhaps there's more configuration. I have public/private keys installed, and can ssh into the router from my Android phone, Linux desktop, and Linux laptop. Note, none of these are Windows. But none of these can connect via sftp.

So, is there another step to make the sftp server actually run? This is assuming it's not running.
 
However, it doesn't seem to be running, or perhaps there's more configuration. I have public/private keys installed, and can ssh into the router from my Android phone, Linux desktop, and Linux laptop. Note, non of these are Windows. But none of these can connect via sftp.

So, is there another step to make the sftp server actually run? This is assuming it's not running.
While the "openssh-sftp-server" package can be installed by itself, it does *not* run by itself. You also need to have the OpenSSH Server installed, configured & running because the SFTP Server runs as a subsystem of the OpenSSH Server.

EDIT: See correction from @ColinTaylor in the next post.
Everything else below still applies if you want to install OpenSSH Server and want SFTP Server to work with it.


You need to install all the following packages:
Bash:
opkg install openssh-sftp-server openssh-server openssh-keygen

Now, you need to find & make sure the following settings are defined in the "/opt/etc/ssh/sshd_config" configuration file:
FINDstr="Port|ListenAddress|Subsystem|^HostKey|AuthorizedKeysFile" ; \
grep -w -E "$FINDstr" /opt/etc/ssh/sshd_config

#Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /opt/etc/ssh/ssh_host_rsa_key
HostKey /opt/etc/ssh/ssh_host_ed25519_key
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp /opt/lib/sftp-server

Here are the entries configured for a specific port # & router IP address:
FINDstr="Port|^ListenAddress|Subsystem|^HostKey|AuthorizedKeysFile" ; \
grep -w -E "$FINDstr" /opt/etc/ssh/sshd_config

Port 51234
ListenAddress 192.168.250.1
HostKey /opt/etc/ssh/ssh_host_rsa_key
HostKey /opt/etc/ssh/ssh_host_ed25519_key
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp /opt/lib/sftp-server

Next, you need to generate the required host keys using "ssh-keygen" command tool.
Bash:
/opt/bin/ssh-keygen -t ed25519 -f /opt/etc/ssh/ssh_host_ed25519_key

For SSH Server open to "LAN-ONLY" connections, a 2048-bit RSA key is sufficient:
Bash:
/opt/bin/ssh-keygen -t rsa -b 2048 -f /opt/etc/ssh/ssh_host_rsa_2048_key

For SSH Server open to "WAN & LAN" connections, I'd suggest a 4096-bit RSA key:
Bash:
/opt/bin/ssh-keygen -t rsa -b 4096 -f /opt/etc/ssh/ssh_host_rsa_4096_key

Depending on what you decide above, set the appropriate RSA host key.
For example:
Bash:
ln -sn /opt/etc/ssh/ssh_host_rsa_2048_key  /opt/etc/ssh/ssh_host_rsa_key

Next, you need to complete the setup of the OpenSSH Server by defining the following commented-out entries in the config file:
FINDstr="PubkeyAuthentication|AuthenticationMethods|PermitEmptyPasswords|#PasswordAuthentication|#PermitRootLogin|#KbdInteractiveAuthentication" ; \
grep -w -E "$FINDstr" /opt/etc/ssh/sshd_config

#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
#PasswordAuthentication yes
#PermitEmptyPasswords no
#KbdInteractiveAuthentication yes
Set the above config file entries as shown below:
Code:
PubkeyAuthentication yes
AuthenticationMethods publickey
PermitEmptyPasswords no
PasswordAuthentication no
PermitRootLogin prohibit-password
KbdInteractiveAuthentication no

Next, create the "/jffs/configs/passwd.add" file:
Bash:
#################################################
# passwd.add [for OpenSSH Server user account].
#-----------------------------------------------#
sshd:x:0:0:OpenSSH Server:/dev/null:/dev/null

Get my "/jffs/scripts/shadow.postconf" shell script from PasteBin website (or, you can create your own if you want, of course):
Bash:
mkdir -m 755 -p /jffs/scripts
curl -kLSs --retry 3 --retry-delay 5 --retry-connrefused  pastebin.com/raw/qzmRfYU1 | tr -d '\r' > /jffs/scripts/shadow.postconf
chmod 755 /jffs/scripts/*.postconf

Now, to set & verify the final configuration run the following commands:
Bash:
cd /jffs/scripts  ;  ./shadow.postconf -checkpswdfile

FINDstr="^Port|^ListenAddress|^Subsystem|^HostKey|^AuthorizedKeysFile|PubkeyAuthentication|AuthenticationMethods|PermitEmptyPasswords|^PasswordAuthentication|^PermitRootLogin|^KbdInteractiveAuthentication"

/opt/sbin/sshd -T | grep -w -i -E "$FINDstr"

In the output of the last command you should see something like this:
port 51234
listenaddress 192.168.250.1:51234
permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no
authorizedkeysfile .ssh/authorized_keys
hostkey /opt/etc/ssh/ssh_host_rsa_key
hostkey /opt/etc/ssh/ssh_host_ed25519_key
authenticationmethods publickey
subsystem sftp /opt/lib/sftp-server

If everything looks OK, you can start the OpenSSH Server:
Bash:
/opt/etc/init.d/S40sshd start
ps -w | grep "sshd" | grep -v "grep sshd"

HTH
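Added example, not code from the post above or from OpenSSH: a small sh script that turns the final `sshd -T | grep` verification step into a pass/fail audit. `sshd -T` prints the merged, normalised configuration (lowercase keywords, legacy spellings such as "without-password" for prohibit-password), which is the right thing to check, since an Include or a later duplicate keyword in sshd_config can silently override the line you edited. The two sample outputs are constructed for the demo: one with Entware's defaults still in place, one after the edits listed in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Audit the *effective* OpenSSH
# server configuration (sshd -T output) for key-only authentication.
# The required keyword list and the two samples below are the author's
# own constructions for this example.

# Required settings, one per line: keyword, then the accepted values with
# alternatives separated by '|'. "without-password" is the spelling that
# older sshd -T output uses for prohibit-password.
REQUIRED='
pubkeyauthentication yes
authenticationmethods publickey
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no
permitrootlogin prohibit-password|without-password
'

# Read sshd -T output on stdin, print one line per violation, and exit 0
# only when every required keyword is present with an accepted value.
audit_sshd_effective() {
    awk -v required="$REQUIRED" '
        { got[$1] = $2 }               # sshd -T: one "keyword value..." per line
        END {
            n = split(required, lines, "\n")
            bad = 0
            for (i = 1; i <= n; i++) {
                if (split(lines[i], f, " ") != 2) continue
                k = f[1]
                if (!(k in got)) { printf "MISSING %s (want %s)\n", k, f[2]; bad++; continue }
                m = split(f[2], alts, "|"); ok = 0
                for (j = 1; j <= m; j++) if (got[k] == alts[j]) ok = 1
                if (!ok) { printf "WEAK %s %s (want %s)\n", k, got[k], f[2]; bad++ }
            }
            exit bad ? 1 : 0
        }'
}

# Constructed sample: Entware defaults left in place (password and
# keyboard-interactive still allowed, no AuthenticationMethods line).
WEAK_SAMPLE='port 22
permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
permitemptypasswords no
subsystem sftp /opt/lib/sftp-server'

# Constructed sample: the same server after the edits in the post above.
HARDENED_SAMPLE='port 51234
listenaddress 192.168.250.1:51234
permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no
authenticationmethods publickey
subsystem sftp /opt/lib/sftp-server'

# On the router, as root, after editing sshd_config and before restarting:
#   sh sshd_audit.sh live
# sshd -T also refuses to run on a syntax error, so it doubles as a lint.
audit_live() { /opt/sbin/sshd -T | audit_sshd_effective; }

# Stand-alone demo on the constructed samples.
demo() {
    echo "--- weak sample"
    printf '%s\n' "$WEAK_SAMPLE" | audit_sshd_effective || echo "result: NOT key-only"
    echo "--- hardened sample"
    printf '%s\n' "$HARDENED_SAMPLE" | audit_sshd_effective && echo "result: key-only OK"
}

case "${1:-}" in
    live) audit_live ;;
    *)    demo ;;
esac
```

On the weak sample the audit reports the two settings that still allow a password path (passwordauthentication, kbdinteractiveauthentication) and the missing authenticationmethods line; on the hardened sample it is silent and exits 0. Run it again after every sshd_config edit rather than trusting grep on the file.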
 
While the "openssh-sftp-server" package can be installed by itself, it does *not* run by itself. You also need to have the OpenSSH Server installed, configured & running because the SFTP Server runs as a subsystem of the OpenSSH Server.
This is incorrect. As per the various posts on these forums, all you need is to install openssh-sftp-server. There is no need to "run" it because it interfaces with dropbear. "It just works". I don't know why the OP couldn't get it to work unless it's an issue specific to his setup. AFAIK nobody else has ever had a problem with this.

N.B. I'm still on 386.5_2 so perhaps something broke it in the current firmware?

EDIT: I've just checked and RMerlin added support for Entware's sftp server to dropbear in April 2013.
 
This is incorrect. As per the various posts on these forums, all you need is to install openssh-sftp-server. There is no need to "run" it because it interfaces with dropbear. "It just works". I don't know why the OP couldn't get it to work unless it's an issue specific to his setup. AFAIK nobody else has ever had a problem with this.
Yes, you're right & I stand corrected. When I installed the SFTP Server & tried it before, the OpenSSH Server was already installed & running on the router with a separate authorized key file (i.e. authorized_keys2), and I found that FileZilla client's private key was not the one for Dropbear's public key set in the GUI. This likely prevented SFTP from working with Dropbear. Once I set the "correct" keys the same for Dropbear, SFTP started to work with it. Also, this bit of info about the "Subsystem" setting in the "sshd_config" file led me to the wrong conclusion.

[attachment: OpenSSH_ConfigSubsystem.jpg]

Anyway, I believe I understand what happened in my particular case, and I learned something new today. Thanks.
 
I installed the entware package, and used the command "opkg install openssh-sftp-server" which seems to be successful; if I run it again, it replies "Package openssh-sftp-server (9.0p1-1) installed in root is up to date." I have installed all the keys to make ssh work correctly from all my devices, but when I try to use sftp, there is no evidence of a response in my logs that I can find, and the attempt always fails. That's why I thought it was not running.

I'm beginning to think using the USB port for anything other than simple system tasks is a waste of time, and perhaps my router (AX88U) isn't up to the task. I just wanted a simple media server, and I'm using an ancient Dell laptop running Linux now, which has been working for several months, so I'll just hope it doesn't break down before I get another old laptop to replace it.
 
I can only suggest that you turn on debug logging on your client and see at what point it's failing. Also set "Log only messages more urgent than" on the router to "debug".

What firmware version are you using?
 
I have the AX88U, with the latest firmware. Thanks for the tip about log messages.

However, I've now discovered something that has me stumped so far. For my desktop, I have an entry in my hosts file for "router" at 192.168.2.1. If I enter "ssh router" (or "sftp router"), it connects. If I enter "ssh 192.168.2.1", it does not connect. I can also connect using "router.asus.com", but only locally, of course.

It's probably enough to lead me to a solution with a bit of work. I only know the basics about rsa keys, using keygen, and how to use the keys, but not so much about the specifics. However, I'm sure I'll learn.

The problem is my real goal is to be able to use my phone to copy media files from a USB drive, and I can't even try this - but it didn't work using "router.asus.com", so there may be other issues there. I plan to re-generate the keys, and try using only the single pair to reduce the confusion.
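Added example, not code from the thread: a client-side sh script for the symptom just described ("ssh router" connects but "ssh 192.168.2.1" does not). It does not claim to know the cause on this poster's machine; it shows how to find out. `ssh -G target` prints the settings ssh will really use for that target after every Host/Match block in ~/.ssh/config has been applied, so diffing it for the two names reveals whether a different key, user or port is being offered before any keys get regenerated. The hostnames, IP address, user and key path are placeholders, and the `ssh -G` lines in the self-test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Compare the effective client
# configuration for two ways of naming the same router, and print a
# config stanza that pins one identity to all of its names.
# Hostnames, IP, user and key path are placeholders.

# Client settings that decide which identity is presented, and to whom.
KEYS='hostname|port|user|identityfile|identitiesonly|pubkeyauthentication|preferredauthentications'

# Reduce `ssh -G` output (stdin) to those settings, sorted for comparison.
relevant_settings() {
    awk -v keys="$KEYS" '
        BEGIN { n = split(keys, k, "|"); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        ($1 in want) { print }' | sort
}

# Compare two targets exactly as typed on the command line; return 1 and
# print a diff when the effective settings differ.
compare_targets() {
    t=$(mktemp -d) || return 2
    ssh -G "$1" | relevant_settings > "$t/a"
    ssh -G "$2" | relevant_settings > "$t/b"
    if cmp -s "$t/a" "$t/b"; then
        echo "same client settings for $1 and $2"; rc=0
    else
        echo "client settings differ ($1 vs $2):"
        diff "$t/a" "$t/b" || true   # diff exits 1 on differences; expected here
        rc=1
    fi
    rm -rf "$t"
    return $rc
}

# A ~/.ssh/config stanza that pins one key and one user to every name the
# router answers to. IdentitiesOnly stops ssh from offering other agent
# keys first; PreferredAuthentications publickey removes the password
# prompt on the client side as well as on the server.
print_router_stanza() {   # $1 key path, $2 user
    cat <<EOF
Host router router.asus.com 192.168.2.1
    User ${2:-admin}
    IdentityFile ${1:-~/.ssh/router_ed25519}
    IdentitiesOnly yes
    PreferredAuthentications publickey
EOF
}

case "${1:-}" in
    compare) compare_targets "$2" "$3" ;;
    stanza)  print_router_stanza "$2" "$3" ;;
esac
```

Usage: `sh ssh_target_diff.sh compare router 192.168.2.1`. If the two differ (typically a different identityfile or user for the bare IP), append a stanza with `sh ssh_target_diff.sh stanza ~/.ssh/router_ed25519 admin >> ~/.ssh/config`, re-run the comparison, and then `sftp -v 192.168.2.1` will show which key was actually offered in its "Offering public key" lines.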
 
FWIW, I never did post the end result, so I've rectified that here and now, just in case others have the same requirement.
As I mentioned in my own Post #3 above, I did indeed follow option 2 from Post #2 above by @thelonelycoder (installed Entware via amtm and then installed the openssh-sftp-server package).
I utilised the existing passphrase-protected private & public keys that I already used for SSH (which FileZilla then converts to .ppk format in order to provide SFTP), and that's all that was needed.
No other work necessary. SFTP - key-only access via FileZilla was achieved & has been in use ever since, i.e. back then on my RT-AC68U and then on my RT-AX86U, ever since I swapped routers.
The answer to the question, in the good point, well made at the end of this comment:
~ There is no need to "run" it because it interfaces with dropbear. "It just works". I don't know why the OP couldn't get it to work unless it's an issue specific to his setup. AFAIK nobody else has ever had a problem with this.
is quite simple really... Back then (at the time of posting the question) I didn't use Entware at all. Once I did, all was easy and just as described (by all) above.
 
dropbear and OpenSSH-sftp server are two different worlds... and they don't talk to each other.

What you need to do is disable dropbear, and let OpenSSH handle both shell access and SFTP...
 
dropbear and OpenSSH-sftp server are two different worlds... and they don't talk to each other.
Openssh-sftp is compatible with dropbear. Quite a few persons are using it.

 
