Where to store private SSH key in DD-WRT?

fizikz
DD-WRT User


Joined: 10 Nov 2016
Posts: 219

Posted: Wed Jan 05, 2022 23:50    Post subject: Where to store private SSH key in DD-WRT?
I would like to set up SSH PKA between my router and AP, both running dd-wrt. Where should the private key be stored?
I noticed there is /tmp/root/.ssh but I don't think it should go in /tmp.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12969
Location: Texas, USA

Posted: Thu Jan 06, 2022 3:03    Post subject:
Isn't this under the "Services" tab? You'd add the AP's key to the router's list of keys and vice versa?
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
At some point, people just get plain tired of this place.
Because they are tired of bottom-feeders and the same old hat.

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
fizikz
DD-WRT User


Joined: 10 Nov 2016
Posts: 219

Posted: Thu Jan 06, 2022 3:09    Post subject:
kernel-panic69 wrote:
Isn't this under the "Services" tab? You'd add the AP's key to the router's list of keys and vice versa?


Yes, for the public key. But what about the private key?

And as far as I know dd-wrt doesn't have public/private keys already generated for the router, so I'd have to generate them on my computer and transfer them over. But where to put the private key in dd-wrt? Normally in Linux it would be somewhere like /home/user/.ssh/id_rsa
adanbmx
DD-WRT Novice


Joined: 02 Jul 2016
Posts: 1

Posted: Thu Jan 06, 2022 4:57    Post subject:
Look in the "Services" tab
fizikz
DD-WRT User


Joined: 10 Nov 2016
Posts: 219

Posted: Thu Jan 06, 2022 5:17    Post subject:
adanbmx wrote:
Look in the "Services" tab


Where? There's a text box for the authorized public keys of devices connecting to the dd-wrt router, but I don't see anything indicating the dd-wrt router having its own public or private keys for connecting with ssh from the dd-wrt router.

The ssh-keygen command is not even available in dd-wrt, so creating a public/private key pair needs to be done on another computer.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12969
Location: Texas, USA

Posted: Thu Jan 06, 2022 6:08    Post subject:
Silly us. The key is already saved:
Code:
root@TL-WR1043NDv2:~# nvram show | grep sshd_rsa_host_key
sshd_rsa_host_key=-----BEGIN RSA PRIVATE KEY-----
root@TL-WR1043NDv2:~#

You pull the public key from when you first connect using password authentication, if I am not mistaken.

fizikz
DD-WRT User


Joined: 10 Nov 2016
Posts: 219

Posted: Thu Jan 06, 2022 7:14    Post subject:
kernel-panic69 wrote:
Silly us. The key is already saved:
Code:
root@TL-WR1043NDv2:~# nvram show | grep sshd_rsa_host_key
sshd_rsa_host_key=-----BEGIN RSA PRIVATE KEY-----
root@TL-WR1043NDv2:~#

You pull the public key from when you first connect using password authentication, if I am not mistaken.


Yes, you're right! The keys already exist and the private key can be found with:

Code:
nvram get sshd_rsa_host_key


Though since the keys already exist, there is no need to do anything with the private key.

I don't know where the public key is on dd-wrt, but for now I looked in my computer's /home/[user]/.ssh/known_hosts file, got the router's/AP's public key, and entered it into Services -> Authorized Keys in the AP's/router's webui, respectively.

Also, dd-wrt uses dropbear ssh, not openssh, so e.g. there is no -v flag for verbose output when troubleshooting. In dd-wrt, ssh doesn't automatically use the keys if not specified, maybe because of the key locations. "ssh [router]" results in "ssh: Connection to root@router exited: No auth methods could be used.", so the connection is made with:

Code:
ssh -i /tmp/root/.ssh/ssh_host_rsa_key [router]


One last detail: before connecting, one must accept the fingerprint of the host, and that is stored in /tmp/root/.ssh/known_hosts. I don't know if it is stored permanently somewhere else; otherwise it will not persist across reboots and the fingerprint will have to be accepted again. Not great for scripting. Might need a solution for that, or use the -y flag for "Always accept remote host key if unknown", though that doesn't sound ideal.
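The two loose ends in the post above (pulling the router's public key out of a known_hosts file by hand, and the accepted fingerprint in /tmp/root/.ssh/known_hosts not surviving a reboot) can both be scripted. The following is an added example written for this page, not code from the thread or from DD-WRT; it assumes only POSIX sh and awk (BusyBox provides both), and the persistent path /jffs/ssh/known_hosts is an assumption you would adjust to wherever your build keeps writable storage. The sample known_hosts content is constructed with placeholder key material. Persisting the known_hosts file and restoring it from a startup script keeps strict host-key checking in place, which is what -y gives up: with -y the client accepts whatever host key it is offered on first contact, so a rogue device answering on the router's address would be trusted silently.

```shell
#!/bin/sh
# Added example (not DD-WRT's or the thread's code). Assumes POSIX sh + awk.
# Paths: /tmp/root/.ssh is from the thread; /jffs/ssh is an assumption.
set -u

# Constructed sample standing in for the computer's ~/.ssh/known_hosts.
# Key strings are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS='# constructed sample
router ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC+ROUTERPLACEHOLDERKEY=

ap,192.168.1.2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER
'

# Print "keytype base64" for HOST from a known_hosts FILE, matching any
# name in a comma-separated alias list. Comments and blank lines are
# skipped. Exit 1 if HOST is absent. Hashed entries (|1|...) produced by
# HashKnownHosts cannot be matched by name and are therefore not found.
known_host_key() {
    host=$1; file=$2
    awk -v h="$host" '
        NF == 0 || $1 ~ /^#/ { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h) { print $2, $3; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# Copy SRC to DST, creating DST's directory with 700 and the file with 600
# so the trust store is not writable (or readable) by anything but root.
copy_strict() {
    src=$1; dst=$2
    [ -s "$src" ] || return 1
    dir=$(dirname "$dst")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    cp "$src" "$dst" && chmod 600 "$dst"
}

# After accepting a fingerprint interactively, stash the volatile file.
save_known_hosts() {
    copy_strict "${1:-/tmp/root/.ssh/known_hosts}" "${2:-/jffs/ssh/known_hosts}"
}

# At boot (e.g. from a startup script), put it back before any scripted ssh
# runs, so the client compares the router's key instead of blindly accepting it.
restore_known_hosts() {
    copy_strict "${1:-/jffs/ssh/known_hosts}" "${2:-/tmp/root/.ssh/known_hosts}"
}

# Self-contained demonstration in a temporary directory; no router needed.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s' "$SAMPLE_KNOWN_HOSTS" > "$tmp/known_hosts"
    known_host_key router "$tmp/known_hosts"
    save_known_hosts "$tmp/known_hosts" "$tmp/jffs/ssh/known_hosts" &&
        restore_known_hosts "$tmp/jffs/ssh/known_hosts" "$tmp/root/.ssh/known_hosts" &&
        cmp -s "$tmp/known_hosts" "$tmp/root/.ssh/known_hosts" &&
        echo "known_hosts round-trip ok"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On the router the workflow is: connect once interactively, answer the fingerprint prompt after checking it against the key you got from your computer's known_hosts, run save_known_hosts, and call restore_known_hosts from the startup script; subsequent scripted `ssh -i /tmp/root/.ssh/ssh_host_rsa_key [router]` runs then verify the host key without -y. The awk parser only handles plaintext hostnames; if your workstation hashes entries, read the key from the interactive prompt instead.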
MesMurized
DD-WRT User


Joined: 08 Aug 2017
Posts: 59

Posted: Sat Jan 08, 2022 3:11    Post subject:
fizikz wrote:
Also, dd-wrt uses dropbear ssh, not openssh, so e.g. there is no -v flag for verbose output when troubleshooting. In dd-wrt, ssh doesn't automatically use the keys if not specified, maybe because of the key locations. "ssh [router]" results in "ssh: Connection to root@router exited: No auth methods could be used."

Note FYI: bash or another shell (and many other packages) can be installed with entware/opkg
fizikz
DD-WRT User


Joined: 10 Nov 2016
Posts: 219

Posted: Sat Jan 08, 2022 3:43    Post subject:
MesMurized wrote:
Note FYI: bash or another shell (and many other packages) can be installed with entware/opkg

I'm trying to keep things as uncomplicated and stock as possible, but thanks for that tip! I say I want to keep it simple and yet over time more and more features get enabled, so I'll keep this in mind.

Also, I tried scp with the -y flag but it doesn't work for some reason. As long as it's used interactively I can just hit 'y' myself for now to accept the fingerprint the first time after reboots.