OpenWRT is an open source router firmware that can be installed on most consumer WiFi routers for increased security, functionality, and performance.
One way to configure OpenWRT is through a web interface. The other, more powerful, way to configure it is through SSH. OpenWRT comes with dropbear for SSH. Dropbear is an optimized, reduced-functionality SSH server. So, the typical methodology of creating public/private key pairs for authentication does not always work. Here is what I have found to work:
- Assume that the OpenWRT router has an assigned IP address of 192.168.1.1
- In Cygwin, or in a Linux terminal, run the following commands:
ssh-copy-id -i root@192.168.1.1
The first command creates a 2048-bit RSA key, which is the strength recommended by NIST for RSA. To log in without a password, just choose the defaults by pressing Enter at each prompt. The second command copies the public key to the OpenWRT router. Now, log in to the OpenWRT router with SSH:
You will be prompted for a password. Use the password that you set up for the OpenWRT web interface.
Once logged into the router, execute the following command:
cp /root/.ssh/authorized_keys /etc/dropbear/authorized_keys
This will copy the public key to the location expected by dropbear. This has to be done because ssh-keygen puts the key in the directory expected by openssh, not dropbear.
Now, exit from the router:
Back at the Cygwin or Linux terminal, try logging into the OpenWRT router again with SSH:
This time, you should be able to get in without a password.
Finally, use the OpenWRT GUI (under System->Administration) to turn off SSH password authentication and disallow the root user from logging in with a password. To verify that password authentication is turned off, type the following in Cygwin or a Linux terminal:
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no root@192.168.1.1
You should get an error that says root@192.168.1.1: Permission denied (publickey).
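The `cp` step above replaces whatever is already in /etc/dropbear/authorized_keys. As an added example (not part of the original post), this POSIX shell function merges the keys instead, skipping duplicates and lines that are not public keys. The function name and its optional arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Merge public keys from the OpenSSH-style file into dropbear's file
# without overwriting entries that are already there.
# merge_dropbear_keys and its two optional arguments are hypothetical;
# the default paths are the two used in the post.

merge_dropbear_keys() {
    src="${1:-/root/.ssh/authorized_keys}"
    dst="${2:-/etc/dropbear/authorized_keys}"
    added=0

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    # Create an empty destination file if none exists yet.
    [ -e "$dst" ] || : > "$dst" || return 1

    while IFS= read -r line || [ -n "$line" ]; do
        # Skip blank lines and comments.
        case "$line" in
            ''|'#'*) continue ;;
        esac
        # Accept only "<type> <base64> [comment]" lines.
        # Lines with leading options are skipped as unrecognised.
        case "$line" in
            ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
            *) echo "skipping unrecognised line" >&2; continue ;;
        esac
        # Append only if this exact line is not already present.
        if ! grep -qxF -- "$line" "$dst"; then
            printf '%s\n' "$line" >> "$dst"
            added=$((added + 1))
        fi
    done < "$src"

    # Keep the key file readable and writable by its owner only.
    chmod 600 "$dst" || return 1

    # Report how many keys were added.
    echo "$added"
}
```

On the router, calling `merge_dropbear_keys` with no arguments uses the two paths from the post and prints the number of keys added.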
Two things to note:
- Unfortunately, OpenWRT makes it difficult to create anything but a root user. There are ways to do so, however. Google it.
- I tried generating RSA keys larger than 2048 bits. However, they did not seem to work with dropbear.