SSH with id_rsa.pub (public key)

[pedeb04]

Currently I ssh into the router by having enabled ssh and copied my id_rsa.pub on the asuswrt-merlin web interface.
After installing the entware package Openssh-client on the router I thought I would be able to copy the public key to home/.ssh/authorized_keys. This is how I do it between my linux machines.
But after installing openssh-client on the router there is no .ssh directory.
Which got me thinking where does asuswrt-merlin software store the id_rsa.pub I copied to the web interface?

 

[garycnew]

[SOLUTION] Asuswrt-Merlin DropBear SSH-Key Based Auth To/From AiMesh Nodes & Workstations Tutorial

 

[dave14305]

Is there a /opt/root/.ssh/authorized_keys file after installing Entware’s version?

 

[pedeb04]

Is there a /opt/root/.ssh/authorized_keys file after installing Entware’s version?

No. When I cd into opt it takes me to me to /tmp/mnt/Merlin/entware# (mounts USB SSD) as if its some sort of symbolic link?
However, under the root are two hidden files.
/tmp/mnt/Merlin/entware/root# ls -a
. .. .inputrc .profile

 

[pedeb04]

Is there a /opt/root/.ssh/authorized_keys file after installing Entware’s version?

 

[pedeb04]

Based on garycnew reply I did find .ssh and authorized_keys under /tmp/home/root
/tmp/home/root/.ssh# ls
authorized_keys

I am assuming this is where asuswrt-merlin software stores id_rsa.pub files when I copied them into the UI.
Sounds like I don't need the openssh-client package and rather than using the UI to copy id_rsa.pub files I could copy from the terminal to (router) /tmp/home/root/.ssh/autherized_keys

 

[dave14305]

I am assuming this is where asuswrt-merlin software stores id_rsa.pub files when I copied them into the UI.

Entries you paste into the UI get saved in nvram (sshd_authkeys) and overwrite the /tmp/mnt/root/.ssh/authorized_keys file when dropbear is started. There is no persistence if you modify that file directly. You have to upload the key to the UI to make it stick.

 

[Jeffrey Young]

@pedeb04, I run into a similar issue as you, except with the known_hosts file. I use scp on the router to distribute SSL certificates to my various servers on renewal thus I have to keep an updated known_hosts file to prevent scp from asking to add the ESA fingerpint (my renewal script runs twice a day via a cron job). Except as you have figured out, the authorized_keys and known_hosts files in /root/.ssh are dynamically built each time the dropbear service starts. Welcome to the world of embedded Linux systems.

What I did .... Once I had a built known_hosts file, I copied it to the jffs partition where the file will persist. Then, in the services-start script, I copy the jffs copy of known_hosts to the /root/.ssh directory. I don't see why this would not work for the authorized_keys file either.

Of course, the one gotcha is "this is Asus" and you never know when Asus will restart dropbear or if the Asus ASD software will intervene, however, touch wood, I have not had an issue.

Just a thought

 

[Jeffrey Young]

Oh ya, don't forget that the Router uses dropbear and not the regular SSH function that most Linux distros use. You may need to convert your SSH keypairs to a format compatible with dropbear. See this link for a a utility that I use. I beleive it is part of the router firmware. @garycnew mentions it in the post his referenced above.

dropbearkey: create private keys for the use with dropbear(8) or dbclient(1) - Linux Manuals (1)

dropbearkey generates a RSA, DSS, or ECDSA format SSH private key, and saves it to a file for the use with the Dropbear client or server. Note that some SSH implementations

www.systutorials.com

 

[pedeb04]

Thanks everyone for your help, I have learnt a lot from your responses.
But considering that I just wanted treat the router as any other linux device on the network, I am going to keep it simple and stick to pasting the public keys via the the UI.
Getting intimate with the embedded linux system on the router looks like a big time-soak, who names a ssh tool 'dropbear' anyway!!!!