SSH key access to AR750S

Hi,

I want to harden the ssh security on my router. What is the most recommended way?

I currently have a password enabled to access ssh but I want to switch to an ssh key instead. Are there any instructions for the AR750? I can see in Luci a field to add a public key but can someone help me with some clear instructions specific to AR750S (openwrt) on how to generate the private/public key? If you can forward me to a documentation page that would be helpful as well.

Once this is done, I will disable password access and root login from Luci and possibly change the default port as well. Is it recommend to create a new user and add that user to sudo group?

FWIW, I will be accessing ssh from my iOS and Windows (SCP) clients.

Thank you in advance.

To create the keys you can follow this guide:

To enable sudo you need to run a few commands directly in SSH:

Install sudo:

opkg update
opkg install sudo

Configure sudo:

sed -i 's/# %sudo.ALL=(ALL) ALL/%sudo ALL=(ALL) ALL/g' /etc/sudoers
sed -i 's/# Defaults targetpw/Defaults targetpw/g' /etc/sudoers
sed -i 's/# ALL ALL=(ALL) ALL/ALL ALL=(ALL) ALL/g' /etc/sudoers

Create your user:

echo "johnex:p:16666:0:99999:7:::" >> /etc/shadow
echo "johnex:x:1000:1000:johnex:/home/johnex:/bin/ash" >> /etc/passwd
passwd johnex

Create group:

echo "sudo:x:27:johnex" >> /etc/group
echo "johnex:x:1000:" >> /etc/group

Create home directory:

mkdir -p /home/johnex
chown johnex /home/johnex

Disable Root SSH access:

sed -i "s/option RootPasswordAuth 'on'/option RootPasswordAuth 'off'/g" /etc/config/dropbear

Some believe that OpenSSH is more robust than dropbear. OpenSSH can be installed as a package.

While OK to replace dropbear post-facto, don’t build firmware without dropbear in the ROM itself without making custom accommodation for running OpenSSH under failsafe.

Thanks. I just realized that I can maybe use my wireguard server instead and that would be secured enough? In that case how can I whitelist just that IP for SSH access and deny everything else? Thanks.

@Johnex This helped resolve my issue. Thank you.

-Generated ssh keys
-I have removed SSH password authentication altogether.
-I have disabled root login with password.
-Changed the port

I created a new user as well but I am just using root with ssh keys for now. If I want to login with the new user, I need to copy the keys to his home directory /home/.ssh/ am I correct?

Also your last line “Disable Root SSH access” disables root access to SSH with a password. am I correct?

PS. Is there a good script for our AR750S against brute attack? How do you cope with an ever growing log file?

Thanks for your help.

syslog-ng and logrotate – unless you haven’t enabled file-based logging, in which case it’s a ring buffer. It just rolls.

Yes, it only disables Root login completely.
To disable all password logins you can do this as well:

sed -i "s/option PasswordAuth 'on'/option PasswordAuth 'off'/g" /etc/config/dropbear

You should do that yes, place the ssh keys in the user home directory /home/<user>/.ssh/

I actually did that from Luci i.e. removed password auth and root login with password. Same thing right?

FWIW, it doesn’t look like dropbear supports ed25519 keys (edit: or at least didn’t support my OpenSSL-generated one)

Personally, I’d not enable ALL ALL=(ALL) ALL but always require a password for use of sudo. Though this may be related to the suggestion around targetpw (which I don’t use on my non-OpenWrt boxes, as I need to take actions as a user without a login, such as www).

Well i just suggested that since its the default for Ubuntu. If it’s a good default setting for Ubuntu then its good enough for me too

For the even more security minded there would be multiple users for different things, with chroot jail for each.