By default OpenWRT comes installed with a lightweight SSH server called dropbear. However, if we want to use more advanced features like FIDO/U2F, we will need the heavier, full-featured OpenSSH. Don't worry, if you're running a modern OpenWRT-enabled router you'll be just fine!
Let's start by changing the default listening port of dropbear from port 22 to 2222. That way we can make sure our OpenWRT public key authentication works before we remove our password-based authentication.
SSH into your router:
User@Desktop ~ $ ssh root@192.168.84.1
root@OpenWrt:~# opkg update
...
root@OpenWrt:~# opkg install nano
...
root@OpenWrt:~# nano /etc/config/dropbear
Change option port '22' to option port '2222'. Save (CTRL+O, ENTER) and Exit (CTRL+X). Restart dropbear and exit the ssh session:
root@OpenWrt:~# /etc/init.d/dropbear restart
root@OpenWrt:~# exit
Connection to 192.168.84.1 closed.
User@Desktop ~ $
Relogin using password authentication and the new port to verify dropbear still works:
User@Desktop ~ $ ssh root@192.168.84.1 -p 2222
root@OpenWrt:~#
Let's search to see what versions are available in our default package repository:
root@OpenWrt:~# opkg list | grep openssh
What versions do you see? As of writing, version 8.0. Not good enough! We need at minimum version 8.1 to support the interactive ed25519-sk signature types! Fortunately someone has been compiling newer software versions for the Linksys WRT line: check out the Davidc502 OpenWrt snapshots. Specifically, the site owner hosts a repository at https://dc502wrt.org/snapshots/. Click on the latest release (r13342 as of writing) -> packages -> arm_cortex-a9_vfpv3-d16 -> Packages. Scroll down to the openssh packages. Looks like version 8.2 compiled for our hardware, excellent! Copy the URL, download it with the curl -O command and install:
root@OpenWrt:~# curl -O https://dc502wrt.org/snapshots/r13342/packages/arm_cortex-a9_vfpv3-d16/packages/openssh-server_8.2p1-3_arm_cortex-a9_vfpv3-d16.ipk
root@OpenWrt:~# opkg install openssh-server_8.2p1-3_arm_cortex-a9_vfpv3-d16.ipk
root@OpenWrt:~# rm openssh-server_8.2p1-3_arm_cortex-a9_vfpv3-d16.ipk
root@OpenWrt:~# nano /etc/ssh/sshd_config
Change or add the following lines so that the config contains:
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey
Save (CTRL+O, ENTER) and Exit (CTRL+X). Now enable and start the OpenSSH server:
root@OpenWrt:~# /etc/init.d/sshd enable
root@OpenWrt:~# /etc/init.d/sshd start
root@OpenWrt:~# sshd -v
OpenSSH_8.2p1, OpenSSL 1.1.1g 21 Apr 2020
Success!
Now let's create the ~/.ssh folder which will hold our public keys, and set its permissions. You can view the file permissions of a directory with the ls -la command:
root@OpenWrt:~# mkdir ~/.ssh
root@OpenWrt:~# touch ~/.ssh/authorized_keys
root@OpenWrt:~# chmod 700 ~/.ssh
root@OpenWrt:~# chmod 600 ~/.ssh/*
root@OpenWrt:~# ls -la ~/.ssh
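Before dropbear's password logins are switched off, it is worth confirming that sshd_config and ~/.ssh really contain the settings from the steps above. The script below is an added example, not part of the original post; it assumes the busybox awk and stat found on OpenWRT (GNU tools work too) and audits a constructed sample config and directory rather than the real ones.

```sh
#!/bin/sh
# Added example, not from the original post: audit the sshd_config settings and
# ~/.ssh permissions set up above before dropbear password logins go away.
# Assumes busybox awk/stat as found on OpenWRT (GNU coreutils also work).

# Print the effective value of a sshd_config keyword. sshd uses the first
# uncommented occurrence, and anything after a Match block is conditional, so we
# stop there. Keyword matching is case-insensitive, as in sshd.
sshd_opt() {  # $1 = config file, $2 = keyword
    awk -v k="$2" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# Return 0 only if the config enforces public-key-only logins.
check_sshd_config() {  # $1 = config file
    [ "$(sshd_opt "$1" PubkeyAuthentication)" = "yes" ] || { echo "FAIL: PubkeyAuthentication is not yes"; return 1; }
    [ "$(sshd_opt "$1" PasswordAuthentication)" = "no" ] || { echo "FAIL: PasswordAuthentication is not no"; return 1; }
    [ "$(sshd_opt "$1" AuthenticationMethods)" = "publickey" ] || { echo "FAIL: AuthenticationMethods is not publickey"; return 1; }
}

# Return 0 only if the directory is mode 700 and authorized_keys is mode 600,
# which is what the chmod commands above produce.
check_ssh_dir() {  # $1 = path of the .ssh directory
    [ "$(stat -c '%a' "$1")" = "700" ] || { echo "FAIL: $1 is not mode 700"; return 1; }
    [ "$(stat -c '%a' "$1/authorized_keys")" = "600" ] || { echo "FAIL: $1/authorized_keys is not mode 600"; return 1; }
}

# Demo on a constructed config and directory (never touches the real ones).
# The commented-out default on the first line must be ignored by the audit.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/sshd_config" <<'EOF'
#PasswordAuthentication yes
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey
EOF
    mkdir -m 700 "$tmp/.ssh" && touch "$tmp/.ssh/authorized_keys" && chmod 600 "$tmp/.ssh/authorized_keys"
    check_sshd_config "$tmp/sshd_config" && check_ssh_dir "$tmp/.ssh" && echo "OK: safe to turn off password logins"
    rm -rf "$tmp"
}
demo
```

To audit the live router, call check_sshd_config /etc/ssh/sshd_config and check_ssh_dir /root/.ssh instead of demo.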
Since our goal is to use our router as an SSH bastion, we will also install the OpenSSH client on OpenWRT, so that we must first authenticate to our OpenWRT bastion before making further connections to our servers such as FreeNAS / TrueNAS.
root@OpenWrt:~# curl -O https://dc502wrt.org/snapshots/r13342/packages/arm_cortex-a9_vfpv3-d16/packages/openssh-client_8.2p1-3_arm_cortex-a9_vfpv3-d16.ipk
root@OpenWrt:~# opkg install openssh-client_8.2p1-3_arm_cortex-a9_vfpv3-d16.ipk
root@OpenWrt:~# rm openssh-client_8.2p1-3_arm_cortex-a9_vfpv3-d16.ipk
Verify our ssh client works by attempting a password authentication to our FreeNAS server (replace 192.168.84.85 with your FreeNAS server's local IP address):
root@OpenWrt:~# ssh root@192.168.84.85
Password:
root@Freenas:~# exit
root@OpenWrt:~# exit
User@Desktop ~ $
^Insert Inception meme here!