SSH Access to OpenWRT without a Password

OpenWRT is an open source router firmware that can be installed on most consumer WiFi routers for increased security, functionality, and performance.

One way to configure OpenWRT is through a web interface.  The other, more powerful, way to configure it is through SSH.  OpenWRT comes with dropbear for SSH.  Dropbear is a optimized, reduced functionality, SSH server.  So, the typical methodology of creating public/private key pairs for authentication does not always work.  Here is what I have found to work:

  1. Assume that the OpenWRT router has an assigned IP address of 192.168.1.1
  2. In Cygwin, or in a Linux terminal, run the following commands:
    • ssh-keygen
    • ssh-copy-id -i root@192.168.1.1

The first command creates a 2048 RSA key, which is the strength recommended by NIST for RSA.  To login without a password, just choose the defaults by pressing enter at each prompt.  The second command copies the public key to the OpenWRT router.  Now, log in to the OpenWRT router with SSH:

ssh root@192.168.1.1

You will be prompted for a password.  Use the password that you set up for the OpenWRT web interface.

Once logged into the router, execute the following command:

cp /root/.ssh/authorized_keys /etc/dropbear/authorized_keys

This will copy the public key to the location expected by dropbear.  This has to be done because ssh-keygen puts the key in the directory expected by openssh, not dropbear.

Now, exit from the router:

exit

Back that the Cygwin or Linux terminal, try logging into the OpenWRT router again with SSH:

ssh root@192.168.1.1

This time, you should be able to get in without a password.

Finally, use the OpenWRT GUI (under System->Administration) to turn off SSH password authentication and disallow the root user to login with a password.  Test to verify password authentication is turned off by typing the following in Cygwin or a Linux terminal:

ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no root@192.168.1.1

You should get an error that says root@192.168.1.1: Permission denied (publickey).

Two things to note:

  1. Unfortunately, OpenWRT makes it difficult to create anything but a root user.  There are ways to do so, however.  Google it.
  2. I tried generating RSA keys larger than 2048 bits.  However, they did not seem to work with dropbear.

Browser Add-ons — Read Terms and Conditions

I found this wonderful sounding add-on to Chrome this morning. It lets you select one or more Gmail emails to convert to PDF. Then, you can download the PDF or put it on Google Drive. I was quite excited and downloaded the add-on.
 
When I installed it, I learned that I have to create a CloudHQ account and give CloudHQ permissions to have read-only access to my emails.
 
No. Just no.
 
Always read Terms and Conditions when installing anything on your computer. The more companies that have access to your information, the more likely you will become a victim to a data breach and identity theft.
 

Avoid Reusing Passwords

Do you use the same password on multiple websites?
 
If so, it is possible that hackers can download a list of email addresses and associated passwords with your information. Are you on a list like this?
 
This is the reason that everyone should use strong passwords along with a password management program like Keepass. Keepass helps you keep track of passwords so that it is easier to use unique ones for each website.
 

Google Knows…

If you have an Android phone, Google likely has a history of most of the places that you have been over the past 10 years.  You can view that history by signing onto your Google account (via Gmail, etc.) and then going to:

https://myactivity.google.com/more-activity

Under location history, click “View Timeline.”  A map will appear with dots showing where you have been.   Based on my map, it appears that the history may only include locations within the United States and Canada.  And there are missing places.  But, the accuracy of the information displayed is quite refined.  For example, I can zoom into a location I visited on a business trip a few years ago and can tell the hotel I stayed at.  I can tell when I arrived at the hotel for the evening and when I left for the airport the next morning.

This location tracking is turned on by default on Android devices.  It can be turned off in theory.  But, it is entirely possible that Google collects and retains this information anyway.

General Links

Software Development

How to Configure Eclipse for Python

Information Security

Terms of Service You Did Not Read

Networking

How to Spoof DNS on a LAN to Redirect Traffic to Your Fake Website

WASC Threat Classification – A dictionary and description of various website attacks

Other

US Mobile Cell and Data Plans – Amazing prices if you know exactly what you need.

Fund and Grow – This company specializes in business finance through business credit cards.  Interesting idea.  I cannot recommend them one way or the other.

HourOfCode  – Short programming oriented courses for kids – or kids at heart

3D Printed Gadgets for Woodworking

Tools

15 Tips On How to Use ‘Curl’ Command in Linux

 

Wi-Fi Networking Links

TL-WR802N Router

Here is the official link to the TL-WR802N router that I purchased in November 2018.  Note that this router comes with a highly insecure default configuration.  With some simple cracking tools in Kali Linux, I was able to obtain its login name and password in under one minute…

https://www.tp-link.com/us/products/details/cat-5506_TL-WR802N.html

Nevertheless, Open-WRT and DD-WRT can be installed on it to provide a more secure system.

https://openwrt.org/toh/tp-link/tl-wr802n

https://wr802n.blogspot.com/2018/04/dd-wrt-install-on-tp-link-tl-wr802n.html


Secure Your Router’s Access (OpenWRT)

How to Make an ISO Copy of Your Hard Drive on Ubuntu

Portable Apps

 

 


General Links

Lock Down Wi-Fi with Wireless Isolation

Wi-Fi Security – WEP, WPA, and WPA2 (hakin9_wifi_EN.pdf)

CVE Details – The Ultimate Security Vulnerability Database

https://tools.tracemyip.org

 

 

IPTABLES Personal Firewall

Personal Firewall is a tidy little set of scripts for implementing a pretty tight firewall on a machine that is connecting to an open (or otherwise untrusted) network.  It is a set of scripts for allowing a minimal set of traffic (HTTP, DNS, DHCP, NTP, etc) immediately and then save the configuration to be persistent upon reboot.

Of course, add or delete services you do not need.  For example, do you need Skype?  If not, delete the Skype configuration from the script.

https://github.com/meetrp/personalfirewall

This link also contains a script to convert URLs to CIDR addresses.  For example, the script will identify the IP address ranges of an unwanted website so that you can block it with the Personal Firewall.

The Personal Firewall uses iptables.  So, it only works on a Linux machine.  However, it could be of use for a home router running a Linux based firmware build such as OpenWRT.