Posted: Wed Jan 05, 2022 23:50 Post subject: Where to store private SSH key in DD-WRT?
I would like to set up SSH PKA between my router and AP, both running dd-wrt. Where should the private key be stored?
I noticed there is /tmp/root/.ssh but I don't think it should go in /tmp.
Isn't this under the "Services" tab? You'd add the AP's key to the router's list of keys and vice versa?
Yes, for the public key. But what about the private key?
And as far as I know dd-wrt doesn't have public/private keys already generated for the router, so I'd have to generate them on my computer and transfer them over. But where to put the private key in dd-wrt? Normally in Linux it would be somewhere like /home/user/.ssh/id_rsa
Where? There's a text box for the authorized public keys of devices connecting to the dd-wrt router, but I don't see anything indicating the dd-wrt router having its own public or private keys for connecting with ssh from the dd-wrt router.
The ssh-keygen command is not even available in dd-wrt, so creating a public/private key pair needs to be done on another computer.
You pull the public key from when you first connect using password authentication, if I am not mistaken.
Yes, you're right! The keys already exist and the private key can be found with:
Code:
nvram get sshd_rsa_host_key
Though since the keys already exist, there is no need to do anything with the private key.
I don't know where the public key is on dd-wrt, but for now I looked in my computer's /home/[user]/.ssh/known_hosts file, got the router's/AP's public key, and entered it into Services -> Authorized Keys in the AP's/router's webui, respectively.
Also, dd-wrt uses dropbear ssh, not openssh, so e.g. there is no -v flag for verbose output if troubleshooting. In dd-wrt, ssh doesn't automatically use the keys if not specified, maybe because of the key locations. "ssh [router]" results in "ssh: Connection to root@router exited: No auth methods could be used.", so the connection is made with:
Code:
ssh -i /tmp/root/.ssh/ssh_host_rsa_key [router]
One last detail: before connecting, one must accept the fingerprint of the host, and that is stored in /tmp/root/.ssh/known_hosts. I don't know if it is stored permanently somewhere else, otherwise it will not persist across reboots and the fingerprint will have to be accepted again. Not great for scripting. Might need a solution for that, or use the -y flag for "Always accept remote host key if unknown", though that doesn't sound ideal.
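The manual step in the post above (open the computer's known_hosts, find the router's or AP's line, paste its public key into Services -> Authorized Keys) is easy to get wrong by hand, and pasting a key without checking its fingerprint defeats the point of host verification. The following Python script is an added example, not code from the thread or from dd-wrt or dropbear: it looks up a host in a known_hosts file, prints the SHA256 fingerprint in the same format ssh-keygen and dropbear show, and only emits the authorized_keys line if the fingerprint matches what the device displayed. It goes a little beyond the post by also handling OpenSSH's hashed `|1|salt|hash` host entries and `@cert-authority`/`@revoked` markers. All hostnames, addresses and key blobs in it are constructed sample data.

```python
"""Pick a router's host key out of known_hosts and check its fingerprint.

Added example (not from the forum post, dd-wrt or dropbear). Hostnames,
addresses and the key blob below are constructed sample data.
"""
import base64
import hashlib
import hmac
import os

# Constructed sample key blob: not a real key, just valid base64 so the
# fingerprint code has bytes to hash. A real entry carries an RSA/ED25519 blob.
SAMPLE_BLOB = base64.b64encode(b"constructed-router-host-key-blob-not-real").decode()


def hash_hostname(host, salt):
    """Return the OpenSSH hashed-host token: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def host_matches(field, host):
    """True if a known_hosts host field names `host` (plain list or hashed form)."""
    if field.startswith("|1|"):
        parts = field.split("|")          # ['', '1', salt, hash]
        if len(parts) != 4:
            return False
        salt = base64.b64decode(parts[2])
        return hmac.compare_digest(hash_hostname(host, salt), field)
    # Plain entries may list several names/addresses: "router,192.168.1.1"
    return host in field.split(",")


def fingerprint(blob_b64):
    """SHA256 fingerprint as ssh-keygen/dropbear print it: SHA256:<base64, no padding>."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_host_key(known_hosts_text, host):
    """Return (key_type, blob, fingerprint) for `host`, or None if there is no entry."""
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):          # @cert-authority / @revoked marker
            line = line.split(None, 1)[1]
        fields = line.split()
        if len(fields) < 3:
            continue
        if host_matches(fields[0], host):
            return fields[1], fields[2], fingerprint(fields[2])
    return None


def authorized_keys_line(known_hosts_text, host, expected_fp=None):
    """Build the 'type blob comment' line for the Authorized Keys box.

    If `expected_fp` (the fingerprint the device itself displayed) is given,
    refuse to emit the line unless it matches the known_hosts entry.
    """
    found = find_host_key(known_hosts_text, host)
    if found is None:
        raise LookupError("no known_hosts entry for %s" % host)
    key_type, blob, fp = found
    if expected_fp is not None and not hmac.compare_digest(fp, expected_fp):
        raise ValueError("fingerprint mismatch for %s: %s" % (host, fp))
    return "%s %s root@%s" % (key_type, blob, host)


# Constructed known_hosts: one plain entry with an alias, one hashed entry.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real known_hosts file",
    "router,192.168.1.1 ssh-rsa " + SAMPLE_BLOB,
    hash_hostname("ap", os.urandom(20)) + " ssh-ed25519 " + SAMPLE_BLOB,
])

if __name__ == "__main__":
    for h in ("router", "192.168.1.1", "ap"):
        print(h, find_host_key(SAMPLE_KNOWN_HOSTS, h)[2])
    print(authorized_keys_line(SAMPLE_KNOWN_HOSTS, "router"))
```

To use it on a real file, replace SAMPLE_KNOWN_HOSTS with the contents of ~/.ssh/known_hosts and pass the fingerprint shown when you first connected to the device as `expected_fp`; the constant-time comparisons are not strictly needed for public data but cost nothing and keep the matching logic uniform.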
Note FYI: bash or another shell (and many other packages) can be installed with entware/opkg
I'm trying to keep things as uncomplicated and stock as possible, but thanks for that tip! I say I want to keep it simple and yet over time more and more features get enabled, so I'll keep this in mind.
Also, I tried scp with the -y flag but it doesn't work for some reason. As long as it's used interactively I can just hit 'y' myself for now to accept the fingerprint the first time after reboots.