Dropbear

Installing Dropbear

  1. Telnet into the router to get a command prompt (see Getting command line access).
  2. Type the following command:
ipkg update
ipkg install dropbear

Dropbear will listen on port 2222 by default and will accept the "admin" username and password, so you'll need to connect with something like:

ssh admin@router.asus.com -p 2222

or the equivalent on PuTTY or whatever SSH client you are using. If you want to change this (e.g. back to the default of 22) edit the /opt/etc/default/dropbear file.

Public key authorisation

It is possible to log in using a public/private key-pair rather than passwords, e.g. following http://wiki.openwrt.org/oldwiki/dropbearpublickeyauthenticationhowto. After some unknown errors, I finally got it working by:

  1. Saving my public key in an "authorized_keys" file inside /opt/etc/dropbear. Note that other guides recommend putting this in my home dir's .ssh directory, but this is on the temporary file system, so it gets dropped on every boot.
  2. Adding the following file as /opt/etc/init.d/S15custom (remember to chmod a+x it) to copy the file across after every reboot:
#!/bin/sh

# Customisation of tmpfs based files

mkdir -p /root/.ssh
cp /opt/etc/dropbear/authorized_keys /root/.ssh
chmod 0600 /root/.ssh/authorized_keys
chmod 0700 /root/.ssh
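
A stricter variant of the copy step above, added here as an example and not the page author's own script: it refuses a persistent key file that is a symlink, empty, or writable by group/others, and renames the copy into place only after its mode is set. The function name install_keys and its two optional arguments are hypothetical; the default paths are the ones used on this page.

```shell
#!/bin/sh
# Added example, not the page author's script: a stricter S15custom.
# Default paths are the ones used on this page; both can be overridden.

# Body runs in a subshell so the umask change does not leak to the caller.
install_keys() (
    src="${1:-/opt/etc/dropbear/authorized_keys}"
    home="${2:-/root}"
    dest_dir="$home/.ssh"

    # The persistent copy must be a regular, non-empty file, not a symlink.
    if [ -L "$src" ] || [ ! -f "$src" ] || [ ! -s "$src" ]; then
        echo "install_keys: $src is missing, empty or a symlink" >&2
        exit 1
    fi

    # Refuse a key list that group or others could have modified.
    case "$(ls -ld "$src" | cut -c1-10)" in
        ?????w????|????????w?)
            echo "install_keys: $src is group/world writable" >&2
            exit 1 ;;
    esac

    umask 077
    mkdir -p "$dest_dir" && chmod 0700 "$dest_dir" || exit 1

    # Copy to a temporary name, fix the mode, then rename into place so
    # dropbear never sees a half-written or loosely-permissioned file.
    tmp="$dest_dir/.authorized_keys.$$"
    cp "$src" "$tmp" && chmod 0600 "$tmp" \
        && mv -f "$tmp" "$dest_dir/authorized_keys" || {
        rm -f "$tmp"
        exit 1
    }
)

# Run at boot only when installed under the init-script name from this page.
case "${0##*/}" in
    S15custom) install_keys ;;
esac
```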

Making visible from the outside

The SSH server is only visible internally - not from the Internet side. You could enable this by adding a firewall exception, e.g. by adding something like

iptables -I INPUT -p tcp --dport 2222 -j ACCEPT

to the /opt/etc/init.d/S51dropbear script.

HOWEVER I'd recommend against this as the dropbear package in the Optware repo is not that recent, and probably won't be kept up to date with security patches - so it's best to minimise your attack surface by not exposing it. Maybe use the virtual server route to allow an internal Linux server (with good security updates and fail2ban or similar running) to expose its SSH server instead.

OpenSSH

I first tried installing OpenSSH Server, but it wouldn't let me log in - I suspect something about the user account for admin not being correctly set up (e.g. the duplicated entry in /etc/passwd).
