SSH key authentication

Related to this

How to disable password authentication and add key authentication?

You can add your public keys by going to:
System > Advanced settings > click on the link for LuCI, log in as root and use the same password you normally use to log into the router.
Once you’re logged into LuCI, go to System > Administration > SSH-Keys. Then, paste your public key into the text box and click the Add key button.

Before disabling root password access, test that you can successfully SSH into your router.

To disable root SSH access via password, log into LuCI again and go to System > Administration > SSH Access. Then, uncheck the “Allow root logins with password” checkbox. (Note: you can still log into the GL.iNet GUI or LuCI using your root password.)


I could add some rambling warning about using RSA-based keys (please just use ed25519), and some more rambling about having issues rsync-ing to dropbear over high-latency connections (if you have issues, install ssh-server) - but I’ll leave those for later if you have more questions.

There is no link. It is prompted to install LuCI.

You mean EC (elliptic curve)? Or exactly this:

ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N "your passphrase"

I use SFTP only, I hope it won’t cause issues with Dropbear package

Why?

Are you talking about this one?

ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -N "your passphrase"

*sigh* no LuCI? We’ll have to do this through SSH…

  1. ssh into your router

  2. If you’re not comfortable/familiar editing using vi (i.e. vim), then install nano:
    # opkg update
    # opkg install nano

  3. edit (create if necessary) /etc/dropbear/authorized_keys
    # vi /etc/dropbear/authorized_keys
    -OR-
    # nano /etc/dropbear/authorized_keys

  4. Paste in your public key(s), one per row. Save/exit the editor.

  5. TEST your login - ssh in again and ensure that there is no issue with your key. Don’t proceed with step 6 if you can’t log in (i.e. if you’re prompted for a password) - go back and check that everything is set up correctly on the router and your client computer.

  6. Edit the dropbear configuration /etc/config/dropbear
    # vi /etc/config/dropbear
    -OR-
    # nano /etc/config/dropbear

  7. Change the option RootPasswordAuth 'on' line to option RootPasswordAuth 'off'

  8. Change the option PasswordAuth 'on' line to option PasswordAuth 'off'

  9. Save/exit the editor

  10. Reboot the router
    # reboot


Please don’t use RSA keys, they will be deprecated soon: OpenSSH to deprecate SHA-1 logins due to security risk | ZDNET

And yes, ssh-keygen -t ed25519 [+ your choice of options] will work.

1 Like
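
A read-only pre-check for steps 4 to 8 of the SSH procedure above, as an added example that is not part of any post in this thread: it counts usable keys in an authorized_keys file and reports whether both password options are already 'off'. The function names are hypothetical, the sample data is constructed, and treating an absent option as still enabled is an assumption.

```sh
#!/bin/sh
# Added example, not from the thread. Read-only; function names are hypothetical.

# count_keys FILE [TYPE]: count well-formed public-key lines, optionally of one
# type. Assumes an options prefix, if any, is a single field without spaces.
count_keys() {
    [ -r "$1" ] || { echo 0; return 0; }
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }
        { for (i = 1; i <= 2 && i < NF; i++) {
            if ($i ~ "^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521))$" &&
                $(i + 1) ~ "^AAAA[A-Za-z0-9+/]+=*$") {
                if (want == "" || $i == want) n++
                break
            } } }
        END { print n + 0 }' "$1"
}

# opt_value CONFIG NAME: value of the last "option NAME '...'" line, empty if absent.
opt_value() {
    [ -r "$1" ] || return 0
    awk -v name="$2" -v q="'" '
        $1 == "option" && $2 == name { v = $3; gsub("[\"" q "]", "", v); out = v }
        END { print out }' "$1"
}

# audit KEYS CONFIG: one verdict word. An absent option counts as still enabled
# (assumption, chosen to be conservative).
audit() {
    keys=$(count_keys "$1")
    if [ "$keys" -eq 0 ]; then
        echo NO_KEYS                    # do not turn password login off yet
    elif [ "$(opt_value "$2" PasswordAuth)" = off ] &&
         [ "$(opt_value "$2" RootPasswordAuth)" = off ]; then
        echo KEY_ONLY
    else
        echo PASSWORD_STILL_ENABLED
    fi
}

# make_sample DIR: write constructed sample files (not real keys, not a real config).
make_sample() {
    printf '%s\n' '# laptop' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleOnly me@laptop' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedSampleOnly old@desktop' > "$1/authorized_keys"
    printf "config dropbear\n\toption PasswordAuth 'on'\n\toption RootPasswordAuth 'on'\n" > "$1/dropbear"
}

if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

Saved under a name of your choice, it takes the two paths from the steps above as arguments: /etc/dropbear/authorized_keys and /etc/config/dropbear.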


Just click “install”

2 Likes