Dropbear SSH server with key authentication



Muffe
25-05-2005, 21:14
I have a WL-500g with 1.9.2.7-5a firmware. I use the built-in dropbear SSH server to SCP images from the router to my dedicated server. The SCP command is run from my server, and not from the router.

My problem is that the SCP command is run automatically by a cron job, and the SCP command requires a password. I have read quite a lot on the internet, and found out that I need to authenticate the machines via no-password keys placed in the authorized_keys file on the server (the WL-500g).

How do I do that on the WL-500g? Do dropbear and OpenSSH use the same keys (I don't think so...), and how do I convert/create them? And where shall I place the authorized_keys file, and what does it look like on a dropbear server?

I hope that someone will help me.
Thanks.

a1bert
25-05-2005, 22:30
How do I do that on the WL-500g? Do dropbear and OpenSSH use the same keys (I don't think so...), and how do I convert/create them? And where shall I place the authorized_keys file, and what does it look like on a dropbear server?

I hope that someone will help me.
Thanks.


Just put your public SSH2 key in ~/.ssh/authorized_keys and check the permissions (writable only by the owner, owner = user).

Since dropbear is an SSHv2-only client/server, use only SSHv2, and remember that keys are NOT checked against the .ssh/authorized_keys2 file...

Muffe
26-05-2005, 10:34
I have now placed my ssh_host_rsa_key.pub from my dedicated server in the ~/.ssh/authorized_keys file on my WL-500g. But it still does not work. I still have to type in the password.

I read somewhere in the dropbear README that I had to convert the key to a dropbear key format first... Does anyone know something about this, or any other issues with passwordless authentication? The whole point is that I can't use passwords...

Thanks.

barsju
26-05-2005, 10:59
Is your key in the format:
ssh-rsa <key> admin@myrouter

I had to edit my generated key to look like that... And make sure it is on one line...

S.

zkar
26-05-2005, 13:07
The authentication between OpenSSH and dropbear works. Editing the key was not needed.

Be sure you check the following things:

private key on the client
user@client:$ ls -l $HOME/.ssh/id_rsa
should result in these permissions and this filename
-rw------- 1 user group 1743 2004-09-26 13:23 /home/user/.ssh/id_rsa

public key on the router
admin@router:$ ls -l $HOME/.ssh/authorized_keys
should result in these permissions and this filename
-rw------- 1 admin root 389 2004-09-26 13:23 /usr/local/root/.ssh/authorized_keys

Each $HOME/.ssh directory should have the permissions 0700.

Try to connect from the server to the client with ssh -vv and read the long output. It helps.
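The checklist in the post above, turned into a script. This is an added example, not zkar's own commands and not part of dropbear or the router firmware. It audits one .ssh directory (run it as the user on either side: /usr/local/root/.ssh on the router, $HOME/.ssh on the client): directory mode 0700, key files and authorized_keys mode 0600, no authorized_keys2 (which dropbear ignores, as a1bert noted), and every line of authorized_keys a single-line "ssh-rsa" or "ssh-dss" key, so a line wrapped by copy-paste is caught before you read the ssh -vv output. It assumes only a POSIX sh with ls, cut and awk (BusyBox on the router is enough); the mode check parses the ls -ld string rather than relying on GNU stat.

```shell
#!/bin/sh
# Added example: audit a ~/.ssh directory for the problems that make
# dropbear/OpenSSH public-key login silently fall back to a password.
# Usage: check_ssh_dir /usr/local/root/.ssh      (router side)
#        check_ssh_dir "$HOME/.ssh"              (client side)
# Exit status 0 = layout looks right, 1 = at least one PROBLEM was printed.

# mode_ok PATH -> true if group and other have no permission bits at all
# (0700 for a directory, 0600 for a file); parses "ls -ld" so it works
# without GNU stat.
mode_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# key_line_ok LINE -> true if LINE is "<type> <base64> [comment]" with a key
# type dropbear understands. A wrapped continuation line has no type in
# field 1 and fails; a key with no data after the type fails too.
key_line_ok() {
    printf '%s\n' "$1" | awk '
        $1 != "ssh-rsa" && $1 != "ssh-dss" { exit 1 }
        $2 !~ /^[A-Za-z0-9+\/]+=*$/        { exit 1 }
        { exit 0 }'
}

check_ssh_dir() {
    dir=$1
    rc=0

    if [ ! -d "$dir" ]; then
        echo "PROBLEM: $dir does not exist"
        return 1
    fi
    mode_ok "$dir" || { echo "PROBLEM: $dir must be mode 0700 (chmod 700 $dir)"; rc=1; }

    # private keys on the client, authorized_keys on the router: all 0600
    for f in "$dir/id_rsa" "$dir/id_dsa" "$dir/identity" "$dir/authorized_keys"; do
        [ -e "$f" ] || continue
        mode_ok "$f" || { echo "PROBLEM: $f must be mode 0600 (chmod 600 $f)"; rc=1; }
    done

    # dropbear never reads authorized_keys2
    if [ -e "$dir/authorized_keys2" ]; then
        echo "PROBLEM: $dir/authorized_keys2 is ignored by dropbear; merge it into authorized_keys"
        rc=1
    fi

    if [ -f "$dir/authorized_keys" ]; then
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            case "$line" in ''|'#'*) continue ;; esac
            key_line_ok "$line" || {
                echo "PROBLEM: $dir/authorized_keys line $n is not a single-line ssh-rsa/ssh-dss key (wrapped by copy-paste?)"
                rc=1
            }
        done < "$dir/authorized_keys"
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir layout is fine"
    return "$rc"
}
```

Run it on the router first: a non-zero exit with a "line N" message means the key was pasted across two lines, which is exactly the failure barsju and RoofCat describe.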

RoofCat
26-05-2005, 17:24
Another description of how it works for me:



[admin@router root]$
[admin@router root]$ cd .ssh
[admin@router .ssh]$ ls
authorized_keys identity known_hosts
[admin@router .ssh]$ more authorized_keys
ssh-rsa Really-Long-String_goes_here_ended_with= My_Login@remote.host.in.the.net
[admin@router .ssh]$
where the really long string is the public key. The whole string was taken (in my case) from the .ssh directory on the host.in.the.net machine


host.in.the.net% cd
host.in.the.net% cd .ssh
host.in.the.net% ls id_rsa.pub
id_rsa.pub
park-11% more id_rsa.pub
ssh-rsa Really-Long-String_goes_here_ended_with= ab@park-11.park.rambler.ru
host.in.the.net%
After that, scp from host.in.the.net works like this


host.in.the.net% cd
host.in.the.net% scp admin@router:index.html ./
socket: Protocol not supported
index.html 100% |*****************************| 0 00:00
FW Olegs 1927CR4, Asus WL-500g.

A few notes
a) I do not know (and don't really care :)) what the "socket: Protocol not supported" warning means. It was always there and it worked.

b) In my case the actual scp string is a bit different since my router is behind the provider's NAT and I had to set up port forwarding at host.in.the.net.

c) As far as I know host.in.the.net has OpenSSH, and the file name for id_rsa.pub may be different in other setups. I believe it is the default but you never know admins.

d) As far as I know ssh-rsa is the protocol identifier, and the last field My_Login@... is just a comment for the user's comfort.

e) Always check that the whole long line is one line and has not been wrapped by copy-paste (if you don't use the method described below).

A step-by-step guide may look like this:

1) Check on your router that ssh is installed, enabled and works (meaning that you can ssh router_ip and log in with a password). Also check that there is a .ssh directory in /usr/local/root/

2) On host.in.the.net locate the ~/.ssh directory and the file id_rsa.pub in it. (subdir name and file name may vary)

3) Execute the following on host.in.the.net:


scp ~/.ssh/id_rsa.pub admin@router.ip:.ssh/pubkey.host.in.the.net
Password:
In response to the Password prompt enter your admin password on the router.

4) ssh to your router and check that pubkey.host.in.the.net exists in /usr/local/root/.ssh

5) Execute on your router:

cat /usr/local/root/.ssh/pubkey.host.in.the.net >> /usr/local/root/.ssh/authorized_keys
Note the two >> in the command line (so as not to overwrite previously added public keys) and the spelling of authorized_keys.

6) Check if it works by executing ssh admin@router.ip from host.in.the.net. Normally it should let you log in as admin without prompting for a password.

7) If 6) is true, then flashfs save, flashfs commit, flashfs enable your router as usual.

Hope it helps.

So it goes,
Roofcat
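RoofCat's steps 3 to 7, written as one script run on the OpenSSH side, plus the check a cron job actually needs: ssh with BatchMode=yes fails instead of prompting, so it proves the key is accepted the way cron will see it. This is an added example, not RoofCat's own commands and not part of the Oleg firmware. It assumes the router is reachable as "router", the login is admin with home directory /usr/local/root (so a relative .ssh is /usr/local/root/.ssh), the firmware provides flashfs, and the key file is OpenSSH's default id_rsa.pub. One caveat the thread does not spell out: the file to install is the public half of the key pair belonging to the account the cron job runs as (that account's id_rsa.pub), not the server's host key ssh_host_rsa_key.pub, because scp authenticates with that account's private key. The local helper add_key_to_file does the append idempotently, keyed on the base64 blob, so running it twice does not grow authorized_keys.

```shell
#!/bin/sh
# Added example: install an OpenSSH public key into a dropbear
# authorized_keys file and verify the login non-interactively.

# add_key_to_file KEYFILE AUTHFILE
# Append the single-line key in KEYFILE to AUTHFILE unless the same key
# blob (field 2) is already present; create the directory and set the
# modes dropbear expects (0700 dir, 0600 file). Pure local file work, so
# it runs on the router as well as on the server.
# Returns 0 = installed, 1 = already there, 2 = bad input.
add_key_to_file() {
    keyfile=$1; authfile=$2
    sshdir=$(dirname "$authfile")
    key=$(head -n 1 "$keyfile")
    case "$key" in
        "ssh-rsa "*|"ssh-dss "*) ;;
        *) echo "$keyfile: not a single-line OpenSSH ssh-rsa/ssh-dss public key" >&2; return 2 ;;
    esac
    blob=$(printf '%s\n' "$key" | awk '{ print $2 }')
    [ -n "$blob" ] || { echo "$keyfile: no key data after the type" >&2; return 2; }
    # umask in a subshell so the caller's umask is untouched; a new
    # directory/file then comes out 0700/0600 from the start
    ( umask 077; mkdir -p "$sshdir" && touch "$authfile" ) || return 2
    if grep -qF -- "$blob" "$authfile"; then
        return 1                            # already installed, nothing to do
    fi
    printf '%s\n' "$key" >> "$authfile"     # >> keeps keys added earlier
    # fix modes in case the dir or file pre-existed with looser permissions
    chmod 700 "$sshdir" && chmod 600 "$authfile"
}

# install_on_router ROUTER KEYFILE  (steps 3-7 from the server side)
install_on_router() {
    router=$1; keyfile=$2
    # Steps 3-5 in one round trip: stream the key over ssh and append it on
    # the router (you are asked for the admin password once). Run it once;
    # a second run appends a duplicate line, which is harmless but untidy.
    ssh "admin@$router" \
        'umask 077; mkdir -p .ssh; cat >> .ssh/authorized_keys; chmod 700 .ssh; chmod 600 .ssh/authorized_keys' \
        < "$keyfile" || return 1
    # Step 6 the way cron will see it: BatchMode=yes makes ssh fail instead
    # of falling back to a password prompt, so success here means the key
    # really was accepted. -2 forces SSHv2, the only version dropbear speaks.
    ssh -2 -o BatchMode=yes "admin@$router" true || {
        echo "key login failed; inspect: ssh -vv admin@$router" >&2
        return 1
    }
    # Step 7: make the new authorized_keys survive a reboot (Oleg firmware).
    ssh -2 -o BatchMode=yes "admin@$router" 'flashfs save && flashfs commit && flashfs enable'
}

# The cron entry on the server then uses the same BatchMode flag, so a
# broken key makes the job fail (and log) instead of hanging on a prompt:
#   */5 * * * * scp -2 -q -o BatchMode=yes admin@router:/tmp/image.jpg /srv/images/ 2>>/var/log/router-scp.log
```

If add_key_to_file reports "not a single-line ... public key", the file is probably a wrapped paste or a PuTTY .ppk rather than the one-line OpenSSH form dropbear reads.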

dwienie
19-02-2006, 16:37
I tried to connect with PuTTY using a public key, but I couldn't get it to work. Is there someone here who was able to connect with PuTTY using a public key? I used the program PuTTYgen to generate a pair of keys, but dropbear doesn't understand the key.
I also tried to generate a key with dropbear on the Asus, but then PuTTY doesn't recognise the key.

Any help should be welcome.