Paswordless public key-based SSH login on router with Asus Merlin firmware

0

I'm trying to enable passwordless SSH login on my ASUS RT-AC68U home router which runs version 384.4_2 of Asuswrt-Merlin firmware (the most recent one at the time of posting this). Having read many posts and howtos (including this one), I still can't get it working.

I use PUTTYGEN to generate a pair of RSA-2048 keys, save the public key at ~/.ssh/authorized_keys on the router, then try to connect with PUTTY, which I've limited to RSA only. As PUTTY negotiates the session encryption, it prompts to accept the public key provided by the server. I expect it to be my key from ~/.ssh/authorized_keys but instead I'm always seeing the dropbear's own public key (from /etc/dropbear/dropbear_rsa_host_key). I know it's that one by running dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key.

The permission for ~/.ssh folder is set to 700, for ~/.ssh/authorized_keys to 600. The key is saved via the router's Web UI in the correct format (i.e., ssh-rsa AAAA...5iYw== rsa-key-20180401, no line breaks). I tried both root and admin as the SSH user. I also tried everything from scratch, after resetting the router to the factory settings, with the same result.

Is there anything I'm missing? At this point, I think my only option would be to extract the dropbear's private key from /etc/dropbear/dropbear_rsa_host_key and use it instead of generating my own.

noseratio

Posted 2018-03-31T23:43:45.050

Reputation: 465

Extracting drop ears private key won't help. Have you considered flashing kong dd-wrt. Adding your public keys via the web interface is trivial with that. – davidgo – 2018-04-01T00:05:41.083

@davidgo, I haven't tried dd-wrt, but i did try extracting dropbear's private key and use it with putty and it actually works. Just not happy that the private key lives in the router itself. – noseratio – 2018-04-01T02:12:36.837

Answers

1

Put your public key in /etc/dropbear/authorized_keys

edit:

I originally thought dropbear was not reading ~/.ssh even though it should, so i pointed the default directory /etc/dropbear/. authorized_keys is not there by default so it isn't so obvious.

rereading the question i realized you were confusing host keypairs with login keypairs.

you need to accept the routers host keypair (/etc/dropbear/dropbear_rsa_host_key) and place your public key on the router in either location' authorized_keys file and you should be good to go.

Timmy Browne

Posted 2018-03-31T23:43:45.050

Reputation: 430

1re reading your question it looks like you are not accepting the dropbear servers host key. Is that correct? your login keypair is different from the host keypair. Unless I'm still misunderstanding, you should accept the host public key, and login without a password via your public key on the host as an authorized_key. – Timmy Browne – 2018-04-01T22:02:38.947

that was it, thank you! Previously the host public key was cached by putty, I guess I once accepted and saved it. Then I forgot it's a legit part of the authentication sequence and rather was expecting my key in the first place there. Now feel pretty stupid :) If you edit your answer and include your comment, I'd be happy to accept it. – noseratio – 2018-04-02T00:45:27.527

1awesome. glad i could help. don't feel dumb, i do stuff like this to myself everyday, its always obvious when someone else is doing it :D – Timmy Browne – 2018-04-02T01:10:27.363

Asked: 2018-03-31T23:43:45.050

Viewed: 2 879 times

Active: 2018-04-02T01:09:53.580