SSH Access to OpenWRT without a Password

OpenWRT is an open source router firmware that can be installed on most consumer WiFi routers for increased security, functionality, and performance.

One way to configure OpenWRT is through a web interface.  The other, more powerful, way to configure it is through SSH.  OpenWRT comes with dropbear for SSH.  Dropbear is a optimized, reduced functionality, SSH server.  So, the typical methodology of creating public/private key pairs for authentication does not always work.  Here is what I have found to work:

  1. Assume that the OpenWRT router has an assigned IP address of 192.168.1.1
  2. In Cygwin, or in a Linux terminal, run the following commands:
    • ssh-keygen
    • ssh-copy-id -i root@192.168.1.1

The first command creates a 2048 RSA key, which is the strength recommended by NIST for RSA.  To login without a password, just choose the defaults by pressing enter at each prompt.  The second command copies the public key to the OpenWRT router.  Now, log in to the OpenWRT router with SSH:

ssh root@192.168.1.1

You will be prompted for a password.  Use the password that you set up for the OpenWRT web interface.

Once logged into the router, execute the following command:

cp /root/.ssh/authorized_keys /etc/dropbear/authorized_keys

This will copy the public key to the location expected by dropbear.  This has to be done because ssh-keygen puts the key in the directory expected by openssh, not dropbear.

Now, exit from the router:

exit

Back that the Cygwin or Linux terminal, try logging into the OpenWRT router again with SSH:

ssh root@192.168.1.1

This time, you should be able to get in without a password.

Finally, use the OpenWRT GUI (under System->Administration) to turn off SSH password authentication and disallow the root user to login with a password.  Test to verify password authentication is turned off by typing the following in Cygwin or a Linux terminal:

ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no root@192.168.1.1

You should get an error that says root@192.168.1.1: Permission denied (publickey).

Two things to note:

  1. Unfortunately, OpenWRT makes it difficult to create anything but a root user.  There are ways to do so, however.  Google it.
  2. I tried generating RSA keys larger than 2048 bits.  However, they did not seem to work with dropbear.

Leave a Reply

Your email address will not be published. Required fields are marked *