I want to harden the SSH security on my router. What is the most recommended way?
I currently have a password enabled to access SSH, but I want to switch to an SSH key instead. Are there any instructions for the AR750? I can see a field in LuCI to add a public key, but can someone help me with some clear instructions specific to the AR750S (OpenWrt) on how to generate the private/public key? If you can point me to a documentation page, that would be helpful as well.
Once this is done, I will disable password access and root login from LuCI and possibly change the default port as well. Is it recommended to create a new user and add that user to the sudo group?
FWIW, I will be accessing SSH from my iOS and Windows (SCP) clients.
Thanks. I just realized that I can maybe use my WireGuard server instead, and that would be secure enough? In that case, how can I whitelist just that IP for SSH access and deny everything else? Thanks.
FWIW, it doesn’t look like Dropbear supports ed25519 keys (edit: or at least didn’t support my OpenSSL-generated one).
Personally, I’d not enable ALL ALL=(ALL) ALL but always require a password for use of sudo. Though this may be related to the suggestion around targetpw (which I don’t use on my non-OpenWrt boxes, as I need to take actions as a user without a login, such as www).