Hi
Can you please add an enable/disable SSH access switch to your new firmware?
This feature is, for example, already present in DD-WRT and some routers.
@alzhao can you please take a look? (Am I pinging the right person?)
Hello,
We will not consider adding a toggle for SSH access control to the firmware for the time being. Sorry.
It is easy for some users to accidentally slide the toggle (misoperation), which increases the difficulty of debugging.
You can make some custom modifications to the toggle script (/etc/rc.button/switch), for example, when the toggle slides to on, reject port 22.
Can you explain this in detail?
Or maybe there is another solution if I don't need SSH for a long time? Like editing something?
There are some articles in this forum.
Every article starts with "are you sure?" for a reason.
If you understand 100% what you are doing, you don't want SSH disabled. If you understand what you are doing but corporate compliance forces you, the only information you need is: the SSH service is provided by the package/application dropbear.
But as you will still think it is a good idea, see for example: How to disable (temporary!) SSH?
Try to keep up-to-date backups of your settings, as you will need a full reset if the Admin Panel fails.
There are security issues within SSH, yes. But as soon as they are published, a patch is provided shortly afterwards. A fully normal process.
The only issue SSH cannot secure against is insecure credentials. That one is in your hands.
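Putting the two hints above together (the staff suggestion to customise /etc/rc.button/switch, and the note that the SSH service is the dropbear package), here is an added example of such a toggle script. It is not from the thread or from GL.iNet's firmware. It assumes the OpenWrt hotplug convention that the script is run with $BUTTON set to "switch" and $ACTION set to "pressed" (slid to ON) or "released" (slid to OFF), and that /etc/init.d/dropbear is the init script; check your router's existing script before replacing it. Instead of a port 22 firewall rule it stops and starts the dropbear service, and it writes a line to the system log so that a later "why is SSH down?" question (the maintainer's debugging concern) can be answered from logread.

```shell
#!/bin/sh
# Example /etc/rc.button/switch: tie the slide switch to the SSH daemon.
# Assumed hotplug interface: $BUTTON = "switch", $ACTION = "pressed"|"released".

# Map the switch position to what should happen to dropbear.
ssh_action_for() {      # $1 = hotplug ACTION; prints "stop", "start" or nothing
    case "$1" in
        pressed)  echo stop  ;;   # switch ON  -> SSH disabled
        released) echo start ;;   # switch OFF -> SSH enabled
        *)        ;;              # any other event: leave SSH as it is
    esac
}

# Apply the action through the init script and leave an audit trail in the
# system log (visible with `logread`) so the state change is never a mystery.
apply_ssh_action() {    # $1 = stop|start (empty = no-op)
    [ -n "$1" ] || return 0
    logger -t ssh-switch "switch moved: running /etc/init.d/dropbear $1"
    /etc/init.d/dropbear "$1"
}

# Entry point when run by hotplug; does nothing when run or sourced elsewhere.
if [ "${BUTTON:-}" = "switch" ]; then
    apply_ssh_action "$(ssh_action_for "${ACTION:-}")"
fi
```

Because the switch only stops the service, sliding it back restores SSH without a reset, and the web admin panel is untouched either way. Keep a settings backup anyway, as the post above recommends.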
Yes. It would be really easy to add. Plus when I need it, I will just toggle it on; if it's not needed, toggle it off.
Plus I don't really like exposing a ROOT (!) shell (even in LAN) as it can be a possible attack vector.
And please add some script to automatically regenerate the HTTPS certs for the admin panel after they expire. It is needed if the product will be EOL, but the certs will still be new.
For example something like this (found somewhere):
#!/bin/sh
# Configuration
CERT_DIR="/etc/ssl/certs"      # Directory to store the certificate
KEY_DIR="/etc/ssl/private"     # Directory to store the private key
CERT_FILE="$CERT_DIR/selfsigned.crt"
KEY_FILE="$KEY_DIR/selfsigned.key"
EXPIRY_THRESHOLD=30            # Days before expiration to renew
VALID_DAYS=365                 # Lifetime of each newly issued certificate

mkdir -p "$CERT_DIR" "$KEY_DIR"

# Issue a fresh self-signed certificate and private key
generate_cert() {
    openssl req -x509 -nodes -days "$VALID_DAYS" -newkey rsa:2048 \
        -keyout "$KEY_FILE" -out "$CERT_FILE" -subj "/CN=yourdomain.com"
    chmod 600 "$KEY_FILE"
}

# Check if the certificate exists
if [ ! -f "$CERT_FILE" ]; then
    echo "Certificate not found. Generating a new one."
    generate_cert
    exit 0
fi

# Ask openssl whether the certificate expires within the threshold.
# (-checkend takes seconds and avoids parsing the enddate with "date -d",
# which the BusyBox date on OpenWrt does not accept in openssl's
# "Mon DD HH:MM:SS YYYY GMT" form.)
if ! openssl x509 -in "$CERT_FILE" -noout -checkend $((EXPIRY_THRESHOLD * 86400)); then
    echo "Certificate expires within $EXPIRY_THRESHOLD days. Generating a new one..."
    generate_cert
else
    echo "Certificate is valid for more than $EXPIRY_THRESHOLD days."
fi
Also @alzhao please take a look at this thread. I created a new one so as not to flood off-topic here.
The cert will be regenerated on a reset of the device (and I guess during a firmware upgrade without keeping settings).
Unfortunately OpenWrt actually only has one user: root.
That's why I want to hide the shell. Using the shell you can perform endless malicious actions.
OpenSSH is one of the most secure products the Linux world offers.
If you are scared about having SSH open, you should disable everything on your router. SSH is waaaaay more secure than any web UI. Just make sure to use really long passwords or a public key.
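The advice above (keys over passwords, and the earlier worry about a root shell on the LAN) can be checked against the router's dropbear settings. The following is an added example, not from the thread or from OpenWrt, that audits a /etc/config/dropbear file in UCI syntax for password login and for listening on every interface. The option names PasswordAuth, RootPasswordAuth and Interface are OpenWrt's; the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Audit an OpenWrt /etc/config/dropbear for the settings that matter most when
# the only account is root: password logins (prefer keys) and binding to every
# interface (prefer lan only).  Usage: audit_dropbear_config /etc/config/dropbear

# Print the value of an option in the first "config dropbear" section of a UCI
# file with surrounding quotes stripped; prints nothing if the option is absent.
uci_option() {            # $1 = file, $2 = option name
    awk -v key="$2" -v sq="'" -v dq='"' '
        $1 == "config" { in_sec = ($2 == "dropbear"); next }
        in_sec && $1 == "option" && $2 == key {
            v = $3; gsub(sq, "", v); gsub(dq, "", v); print v; exit
        }' "$1"
}

# Report weak settings, one per line; returns 1 if anything was found.
audit_dropbear_config() {  # $1 = path to a dropbear UCI config
    cfg="$1"; found=0
    pw=$(uci_option "$cfg" PasswordAuth)
    case "${pw:-on}" in     # OpenWrt's default is password auth enabled
        1|on|true|yes)
            echo "PasswordAuth='${pw:-unset}': set it to 'off' and log in with a key from /etc/dropbear/authorized_keys"
            found=1 ;;
    esac
    rpw=$(uci_option "$cfg" RootPasswordAuth)
    case "${rpw:-on}" in
        1|on|true|yes)
            echo "RootPasswordAuth='${rpw:-unset}': set it to 'off' (OpenWrt's only user is root)"
            found=1 ;;
    esac
    iface=$(uci_option "$cfg" Interface)
    if [ -z "$iface" ]; then
        echo "Interface unset: dropbear binds to all interfaces; set it to 'lan' so it only listens on LAN addresses"
        found=1
    fi
    return "$found"
}

# Number of findings for a file, convenient for scripting.
finding_count() { audit_dropbear_config "$1" | grep -c .; }

# Constructed sample configs (not real router files): a stock-like one and a
# hardened one.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'
EOF
cat > "$HARD_CFG" <<'EOF'
config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Interface 'lan'
    option Port '22'
EOF

echo "== stock-like config =="; audit_dropbear_config "$WEAK_CFG" || true
echo "== hardened config ==";   audit_dropbear_config "$HARD_CFG" && echo "no findings"
```

Run it on the router against the real file (`audit_dropbear_config /etc/config/dropbear`) after changing settings with uci; with password login off, the long-password advice above turns into "keep the private key safe", which is the credential SSH itself cannot protect for you.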