SSH key access to AR750S

Hi,

I want to harden the ssh security on my router. What is the most recommended way?

I currently have a password enabled to access ssh but I want to switch to an ssh key instead. Are there any instructions for the AR750? I can see in Luci a field to add a public key but can someone help me with some clear instructions specific to AR750S (openwrt) on how to generate the private/public key? If you can forward me to a documentation page that would be helpful as well.

Once this is done, I will disable password access and root login from Luci and possibly change the default port as well. Is it recommended to create a new user and add that user to the sudo group?

FWIW, I will be accessing ssh from my iOS and Windows (SCP) clients.

Thank you in advance.

To create the keys you can follow this guide:

https://openwrt.org/docs/guide-user/security/dropbear.public-key.auth

To enable sudo you need to run a few commands directly in SSH:

Install sudo:

opkg update
opkg install sudo

Configure sudo:

sed -i 's/# %sudo.ALL=(ALL) ALL/%sudo ALL=(ALL) ALL/g' /etc/sudoers
sed -i 's/# Defaults targetpw/Defaults targetpw/g' /etc/sudoers
sed -i 's/# ALL ALL=(ALL) ALL/ALL ALL=(ALL) ALL/g' /etc/sudoers

Create your user:

echo "johnex:p:16666:0:99999:7:::" >> /etc/shadow
echo "johnex:x:1000:1000:johnex:/home/johnex:/bin/ash" >> /etc/passwd
passwd johnex

Create group:

echo "sudo:x:27:johnex" >> /etc/group
echo "johnex:x:1000:" >> /etc/group

Create home directory:

mkdir -p /home/johnex
chown johnex /home/johnex

Disable Root SSH access:

sed -i "s/option RootPasswordAuth 'on'/option RootPasswordAuth 'off'/g" /etc/config/dropbear

Some believe that OpenSSH is more robust than dropbear. OpenSSH can be installed as a package.

While OK to replace dropbear post-facto, don’t build firmware without dropbear in the ROM itself without making custom accommodation for running OpenSSH under failsafe.

Thanks. I just realized that I can maybe use my wireguard server instead and that would be secure enough? In that case how can I whitelist just that IP for SSH access and deny everything else? Thanks.

@Johnex This helped resolve my issue. Thank you.

- Generated ssh keys
- I have removed SSH password authentication altogether.
- I have disabled root login with password.
- Changed the port

I created a new user as well but I am just using root with ssh keys for now. If I want to log in with the new user, I need to copy the keys to his home directory /home/.ssh/, am I correct?

Also your last line “Disable Root SSH access” disables root access to SSH with a password. Am I correct?

PS. Is there a good script for our AR750S against brute attack? How do you cope with an ever growing log file?

Thanks for your help.

syslog-ng and logrotate – unless you haven’t enabled file-based logging, in which case it’s a ring buffer. It just rolls.

Yes, it only disables Root login completely.
To disable all password logins you can do this as well:

sed -i "s/option PasswordAuth 'on'/option PasswordAuth 'off'/g" /etc/config/dropbear

You should do that, yes: place the ssh keys in the user home directory /home/<user>/.ssh/
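Added example, not from the thread or from OpenWrt: a small POSIX sh helper that applies the dropbear sed edits posted above (RootPasswordAuth, PasswordAuth, port) to a config file, but only after confirming a public key is already present, since turning passwords off first is the classic way to lock yourself out. Function names and the constructed sample config are assumptions; on a real router the files are /etc/config/dropbear and /etc/dropbear/authorized_keys.

```shell
# Write a constructed copy of a stock /etc/config/dropbear (default values) to $1.
make_sample_dropbear_config() {
	cat > "$1" <<'EOF'
config dropbear
	option PasswordAuth 'on'
	option RootPasswordAuth 'on'
	option Port '22'
EOF
}

# Return 0 if the authorized_keys file $1 holds at least one public key line.
has_public_key() {
	grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) ' "$1" 2>/dev/null
}

# Apply the three steps from the thread to config $1: turn off PasswordAuth and
# RootPasswordAuth and move the listener to port $2. Refuses to run unless the
# authorized_keys file $3 already contains a key, so key login keeps working.
harden_dropbear_config() {
	cfg="$1" port="$2" keys="$3"
	if ! has_public_key "$keys"; then
		echo "refusing: no public key in $keys; add one via LuCI first" >&2
		return 1
	fi
	sed -i "s/option PasswordAuth 'on'/option PasswordAuth 'off'/" "$cfg"
	sed -i "s/option RootPasswordAuth 'on'/option RootPasswordAuth 'off'/" "$cfg"
	sed -i "s/option Port '[0-9]*'/option Port '$port'/" "$cfg"
}

# Audit config $1: return 0 only when neither option would still allow a
# password login. dropbear treats a missing option as 'on', so a line that is
# absent (not merely set to 'on') also counts as a finding.
audit_dropbear_config() {
	ok=0
	for opt in PasswordAuth RootPasswordAuth; do
		if ! grep -Eq "option $opt '(off|0|no|false)'" "$1"; then
			echo "$opt still permits password login" >&2
			ok=1
		fi
	done
	return $ok
}
```

After editing the real file you still need `/etc/init.d/dropbear restart`, and you should test a fresh key-based login in a second terminal before closing the session you are in.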

I actually did that from Luci i.e. removed password auth and root login with password. Same thing right?

FWIW, it doesn’t look like dropbear supports ed25519 keys (edit: or at least didn’t support my OpenSSL-generated one)

Personally, I’d not enable ALL ALL=(ALL) ALL but always require a password for use of sudo. Though this may be related to the suggestion around targetpw (which I don’t use on my non-OpenWrt boxes, as I need to take actions as a user without a login, such as www).

Well I just suggested that since it's the default for Ubuntu. If it's a good default setting for Ubuntu then it's good enough for me too

For the even more security minded there would be multiple users for different things, with chroot jail for each.