openssh package
opkg update && opkg install openssh
Dependencies: ancistrus-core, zlib
Binaries included: sshd, ssh-keygen, scp
Config files: /usr/etc/sshd_config (sshd)
Encryption key files: stored permanently in /config/nvram/ssh
Recommended key signature system: ed25519 (rsa support may be missing)
Moduli file: stored permanently in /config/nvram/ssh, working copy at /etc/moduli
GUI section: Management
Usage:
rc_ssh < start restart startforced restartforced stop fwup remoteup fwdown remotedown regenkeys regenauth regenmoduli zipkeys > (<debug>)
ssh_enable = 0|1 (0)
ssh_remote_enable = 0|1 (0)
ssh_remote_port = 1-65534 (?)
Clients:
Unix: openssh-client (ssh @Debian)
Windows: putty 0.70+
iOS: Termius, iTerminal
This is the ssh daemon needed to establish a secure console connection to the router.
Following the router's login settings, the ssh username is always root and the password is the same as the web interface password.
To activate it, first enable its setting by typing:
nvram set ssh_enable=1
then start the ssh service by typing:
rc_ssh start
Stop the service with:
nvram set ssh_enable=0
rc_ssh stop
(GUI: tick/untick Turn SSH Daemon On, then click Apply.)
The first time rc_ssh start is run, the script:
- calls the included ssh-keygen binary to create the needed private and public key pairs, using the router's built-in openssl tool;
- creates the authorized keys file and stores all of them in the persistent nvram settings directory (/config/nvram/ssh), so the keys are not lost after a reboot or a firmware upgrade;
- in addition, moduli key files can be generated for better security.
All the keys generated by ssh-keygen can be downloaded by client hosts through the included scp binary, to set up a quicker and more secure password-less connection to the router.
Keep in mind that a private key downloaded this way also stays on the router: anyone who can log in as root (that is, anyone who knows the web interface password) can copy it as well.
For simplicity, assume that the name D7000 resolves to the router in the following commands.
Unix: install the openssh-client package locally, then type:
cd ~/.ssh
scp "root@D7000:/config/nvram/ssh/D7000.*" .
chmod 600 D7000.*
echo "Host D7000" >> config
echo " Hostname 192.168.0.1" >> config
echo " IdentityFile ~/.ssh/D7000.ed25519" >> config
echo " User root" >> config
ssh-copy-id root@D7000
ssh-add ~/.ssh/D7000.ed25519
Connect to the router without a password by typing:
ssh root@D7000
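The same client setup as a re-runnable script, added here as an example (it is not part of the wiki or the ancistrus package). It makes one deliberate change to the flow above: the key pair is generated on the client, so the private key never sits in the router's nvram or travels over the network, and only the public half is installed with ssh-copy-id. The wiki's fetch-the-router-key flow is kept as a function for comparison. The alias D7000 and the address 192.168.0.1 are the wiki's; the file names and the IdentitiesOnly setting are this script's own choices.

```shell
#!/bin/sh
# Added example (not the ancistrus package's own script): key-based login to
# the router from a Unix client. The private key is generated HERE and never
# leaves this machine; only the public half goes to the router.

SSH_DIR=${SSH_DIR:-$HOME/.ssh}

# Append a Host block to an ssh config file unless one for that alias exists,
# so re-running the setup does not stack duplicate entries. IdentitiesOnly
# stops ssh from offering every agent key to the router first.
ssh_host_entry() {  # config_file alias hostname identity_file user
    cfg=$1 alias=$2
    mkdir -p "$(dirname "$cfg")"
    touch "$cfg"
    if grep -q -E "^[[:space:]]*Host[[:space:]]+$alias([[:space:]]|\$)" "$cfg"; then
        return 0
    fi
    printf 'Host %s\n    Hostname %s\n    IdentityFile %s\n    User %s\n    IdentitiesOnly yes\n' \
        "$alias" "$3" "$4" "$5" >> "$cfg"
}

# ssh refuses a private key that other users can read ("UNPROTECTED PRIVATE
# KEY FILE"), so force the usual modes on the key, its .pub and the directory.
fix_key_perms() {  # private_key
    chmod 700 "$(dirname "$1")"
    chmod 600 "$1"
    [ -f "$1.pub" ] && chmod 644 "$1.pub"
    return 0
}

# Not run by the test (needs the router): create the client key pair, install
# the public key with the web interface password, then prove that key login
# works BEFORE anyone thinks about turning password login off.
setup_router_login() {  # alias ip
    key=$SSH_DIR/$1.ed25519
    [ -f "$key" ] || ssh-keygen -t ed25519 -f "$key" -C "client key for $1"
    fix_key_perms "$key"
    ssh_host_entry "$SSH_DIR/config" "$1" "$2" "$key" root
    ssh-copy-id -i "$key.pub" "root@$1"
    ssh -o BatchMode=yes "$1" 'echo key login OK on $(uname -n)'
}

# The wiki's own flow, for comparison: pull the pair the router generated.
# Anyone who can read /config/nvram/ssh on the router holds this key too.
fetch_router_key() {  # alias
    scp "root@$1:/config/nvram/ssh/$1.*" "$SSH_DIR/" && fix_key_perms "$SSH_DIR/$1.ed25519"
}

# Typical use:  setup_router_login D7000 192.168.0.1
```

The helpers are idempotent, so if rc_ssh regenauth later rebuilds the router's authorized keys file, running setup_router_login again simply re-installs the public key without touching the config file or the existing key pair.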
Windows: install PuTTY, then follow this tutorial.
Mobile devices: with Termius the keys are not needed, since the login details can be stored in the app anyway; otherwise follow this tutorial.
Other machines: follow this tutorial.
To access the router remotely through ssh, first go to the web interface Remote Management page (GUI: click Select Remote Access Type) and choose one of the Allow Remote Access By modes: single ip, range ip, list ip (fill in the empty fields) or Everyone (default). Then Apply.
Leaving Everyone selected exposes the root password login to the whole Internet: prefer a single ip or a range ip, and consider turning PasswordAuthentication off in sshd_config once key login has been verified to work.
There is no need to activate the https remote service as well.
Then set the remote access tcp port with:
nvram set ssh_remote_port=xxxxx
where xxxxx is usually an uncommon port between 1025 and 65535: avoid a port already used by port forwarding/triggering services or by the https remote service.
(GUI: type the port number in the SSH remote port number box.)
Then enable the remote setting by typing:
nvram set ssh_remote_enable=1
then type:
rc_ssh remoteup
Disable remote ssh with:
nvram set ssh_remote_enable=0
rc_ssh remotedown
(GUI: tick/untick Turn SSH Access Remote On, then click Apply.)
The config file includes many settings; for further information read the bsd tutorial.
The config file is located and stored at /usr/etc/sshd_config.
To modify it, run vi /usr/etc/sshd_config, save it, then reload ssh with: rc_ssh start
(GUI: click Modify SSH Daemon Config, edit the text, click Save, then click Apply.)
The config file is kept unaltered after a package removal/upgrade.
The config file is not kept after a firmware upgrade, so back it up first.
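An audit script for the settings in /usr/etc/sshd_config that matter once key login works, added here as an example (it is not the package's own tool, and the rule list and the two sample configs are this script's own choices). It reads the config the way sshd does, taking the first non-comment occurrence of a keyword and ignoring anything after a Match block, and compares each keyword against the value a practitioner would want on this router: root stays permitted, because it is the only account, but with a key only.

```shell
#!/bin/sh
# Added example, not part of the ancistrus openssh package: audit an sshd_config
# for the handful of settings that matter once key login to the router works.

# Keyword and accepted value(s), '|'-separated. PermitRootLogin must NOT be
# "no" here: root is the router's only account. prohibit-password keeps root
# but only with a key; older sshd releases spell the same value without-password.
AUDIT_RULES='PermitRootLogin prohibit-password|without-password
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no'

# Print the value sshd will actually use for a keyword: the FIRST non-comment
# occurrence wins, and anything after a Match block is conditional, so stop
# there. Keyword matching is case-insensitive, as in sshd.
sshd_effective() {  # file keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Print one line per deviation: "<Keyword> <value-or-UNSET> (want <accepted>)".
# Returns non-zero if anything deviates. An unset keyword is reported too:
# the sshd default may be fine, but it should be stated explicitly.
audit_sshd_config() {  # file
    findings=0
    while read -r key want; do
        [ -z "$key" ] && continue
        got=$(sshd_effective "$1" "$key")
        ok=0
        old_ifs=$IFS; IFS='|'
        for alt in $want; do [ "$got" = "$alt" ] && ok=1; done
        IFS=$old_ifs
        if [ "$ok" -eq 0 ]; then
            printf '%s %s (want %s)\n' "$key" "${got:-UNSET}" "$want"
            findings=$((findings + 1))
        fi
    done <<EOF
$AUDIT_RULES
EOF
    [ "$findings" -eq 0 ]
}

# Constructed sample configs for a dry run (not the package's shipped file).
write_sample_weak() {  # outfile: root with a password, from anywhere
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding yes
EOF
}

write_sample_hardened() {  # outfile: root with a key only
    cat > "$1" <<'EOF'
Port 22
# Keep the router's only account, but require its key.
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
EOF
}

# Typical use on the router, after key login has been verified to work:
#   . ./sshd_audit.sh && audit_sshd_config /usr/etc/sshd_config
```

Apply the hardened values only after a key login has succeeded from every client you care about: with PasswordAuthentication off, the web interface's Modify SSH Daemon Config page is the way back if a key is lost.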
Type: rc_ssh regenkeys
to renew/regenerate the keys (GUI: click Keys Regeneration). Clients that downloaded the old keys have to fetch the new ones.
Type: rc_ssh zipkeys
to create a zip file /tmp/ssh.zip containing the keys, ready to be downloaded locally with scp (GUI: click Download Keys).
Type: rc_ssh regenauth
to renew/regenerate the authorized keys file.
Type: rc_ssh regenmoduli
to renew/regenerate the moduli file. This takes a long time and keeps the router busy at about 50% load, so it is better to run it while the router is in a low traffic state. Alternatively, generate the moduli file on an external host machine and upload it to /config/nvram/ssh
and /etc/
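The external-host alternative as a script, added here as an example (it is not part of the ancistrus package): the candidate generation and screening run on a desktop with ssh-keygen, and a filter checks the resulting file before it is uploaded, keeping only screened safe-prime entries of a chosen minimum size. The 3072-bit floor, the output file names and the name of the file placed under /config/nvram/ssh are this script's own assumptions; the sample moduli lines are constructed placeholders, not real primes.

```shell
#!/bin/sh
# Added example, not part of the ancistrus openssh package: build the DH moduli
# file on a desktop instead of the router, and sanity-check a moduli file
# before uploading it.

# Generate and screen candidates on the host (this is the hours-long part).
# OpenSSH 8.2+ syntax; older releases use "ssh-keygen -G" and "ssh-keygen -T".
gen_moduli() {  # bits outfile
    ssh-keygen -M generate -O bits="$1" "$2.candidates" &&
    ssh-keygen -M screen -f "$2.candidates" "$2"
}

# Keep header comments and only entries that are safe to ship. moduli(5)
# fields: time type tests trials size generator modulus. type 2 = safe prime;
# the 0x04 bit of tests means the entry passed Miller-Rabin screening (a file
# straight from "-M generate" has tests 0 and must not be used); the size
# field reads one less than the nominal group size (4095 for 4096 bits), so
# the floor is compared against min-1. Short groups are dropped because a
# client negotiating diffie-hellman-group-exchange gets the smallest group
# the server has that satisfies its request.
filter_moduli() {  # file minbits
    awk -v min="$2" '
        /^#/ { print; next }
        NF == 7 && $2 == 2 && int($3 / 4) % 2 == 1 && $4 >= 100 &&
            $5 >= min - 1 && $7 ~ /^[0-9A-Fa-f]+$/ { print }
    ' "$1"
}

# Count well-formed entries in a moduli file (or stdin).
moduli_entries() {  # [file]
    awk '!/^#/ && NF == 7 { n++ } END { print n + 0 }' "${1:--}"
}

# Constructed sample (moduli are truncated placeholders, not real primes):
# a screened 4096-bit group, a screened 2048-bit group, an unscreened
# candidate, and a malformed line.
write_sample_moduli() {  # outfile
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20240101000000 2 6 100 4095 2 C0FFEE0123456789ABCDEF
20240101000000 2 6 100 2047 2 ABCDEF0123456789
20240101000000 2 0 0 4095 2 DEADBEEF0123456789
garbage line
EOF
}

# Upload: the page keeps a persistent copy under /config/nvram/ssh and the
# working copy at /etc/moduli ("moduli" as the nvram file name is an assumption).
upload_moduli() {  # file
    scp "$1" "root@D7000:/config/nvram/ssh/moduli" &&
    scp "$1" "root@D7000:/etc/moduli"
}

# Typical host-side run (not executed here):
#   gen_moduli 4096 moduli-4096 && filter_moduli moduli-4096 3072 > moduli && upload_moduli moduli
```

After the upload, restart sshd (rc_ssh start, as described above for config changes) so the daemon re-reads /etc/moduli; a moduli file with no usable entry does not break the daemon, it only makes group-exchange key exchange fall back to the server's built-in groups.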