
Thread: HOW-TO: use keys with dropbear for a more secure box (using PuTTy)

  1. #1

    HOW-TO: use keys with dropbear for a more secure box (using PuTTy)

    'ello

    first of all you should have dropbear installed...

    create a public and private key (I used PuTTYgen) just press 'Generate'

    save the private key somewhere, you will use this file each time you login,
    create a dir in your home directory on your router:

    mkdir .ssh
    cd .ssh


    next you need to copy the public key (with ctrl+c) from puttygen, the big string in the textfield (all of it).
    in .ssh/ type:

    echo ssh-rsa AAAAB3N......8nq97Rcl5D= rsa-key-20061230 > authorized_keys
    (echo 'what you copied from puttygen here without the quotes' > authorized_keys)

    your string will be longer, I've just omitted a large part.
    this will create a 'authorized_keys' file.

    now add '-s' to your rc.local and your init.d file so they read '/opt/sbin/dropbear -s' this will disable ordinary password logins.

    Reboot your router.

    Now in Putty, go to settings->Connection->SSH->Auth here browse to your private key you saved with puttygen.

    now when you login, you need to have the key and the passphrase for that key (you specified passphrase in puttygen)

    you now efficiently stopped any kind of bruteforce attacks

    /regards
    Henrik

  2. #2
    What do you mean with home directory? What's the best place to store the key on the router?

  3. #3
    Quote Originally Posted by Fatboysec View Post
    What do you mean with home directory? What's the best place to store the key on the router?
    look in /etc/passwd the directory after the last ':' is your home dir, and if you followed K.C's guide it should be '/opt/home/<username>' (step 5.6)

    /regards
    Henrik

  4. #4
    Maybe some improvement for noobs:

    Quote Originally Posted by n00ben View Post
    save the private key somewhere, you will use this file each time you login,
    create a dir in your home directory on your router:

    mkdir .ssh
    cd .ssh
    You can go to home by typing "cd ~"

    Quote Originally Posted by n00ben View Post
    next you need to copy the public key (with ctrl+c) from puttygen, the big string in the textfield (all of it).
    in .ssh/ type:

    echo ssh-rsa AAAAB3N......8nq97Rcl5D= rsa-key-20061230 > authorized_keys
    (echo 'what you copied from puttygen here without the quotes' > authorized_keys)

    your string will be longer, I've just omitted a large part.
    this will create a 'authorized_keys' file.
    Shouldn't this be /usr/local/root/.ssh/authorized_keys? (I have a WL-HHD with oleg fw. Maybe it's other than WL-700. Pardon if this is wrong...)
    For me the file is only saved after a
    Code:
    flashfs save && flashfs commit && flashfs enable
    Quote Originally Posted by n00ben View Post
    now add '-s' to your rc.local and your init.d file so they read '/opt/sbin/dropbear -s' this will disable ordinary password logins.

    Reboot your router.
    Do this only after checking it's working.
    If the key file is not saved and dropbear only accepts passwordless logins you are barred.
    Quote Originally Posted by n00ben View Post
    Now in Putty, go to settings->Connection->SSH->Auth here browse to your private key you saved with puttygen.

    now when you login, you need to have the key and the passphrase for that key (you specified passphrase in puttygen)

    you now efficiently stopped any kind of bruteforce attacks

    /regards
    Henrik
    Thanks for your howto. It helped me a lot.
    wengi
    Last edited by wengi; 04-04-2007 at 07:20.
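
Post #4 advises confirming that key login works before '-s' is added. As an added example (not part of the thread and not written by its posters), the shell functions below check the authorized_keys file on the router first; the function names are hypothetical, and the check assumes key lines carry no options in front of the key type.

```sh
#!/bin/sh
# Added example (not from the thread): sanity-check an authorized_keys file
# before dropbear is restarted with -s. Returns 0 if usable, 1 otherwise.

# True if the mode string from `ls -ld` shows group or other write permission.
others_can_write() {
    case $(ls -ld "$1" | cut -c1-10) in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

check_authorized_keys() {
    f=$1
    [ -s "$f" ] || { echo "FAIL: $f is missing or empty"; return 1; }

    # dropbear refuses key login if the file or its directory is
    # writable by group or others.
    for p in "$f" "$(dirname "$f")"; do
        if others_can_write "$p"; then
            echo "FAIL: $p is writable by group or others (chmod go-w)"; return 1
        fi
    done

    # PuTTYgen's "Save public key" writes a multi-line block that does not
    # belong in authorized_keys; only the one-line text-field string does.
    if grep -q 'BEGIN SSH2 PUBLIC KEY' "$f"; then
        echo "FAIL: $f holds a saved PuTTY public key file, not the one-line key"
        return 1
    fi

    # Every entry must be "<type> <base64> [comment]" on ONE line. A wrapped
    # paste shows up as a line whose first word is not a key type.
    # Assumption: no per-key options are placed in front of the key type.
    n=0
    while read -r type blob comment || [ -n "$type" ]; do
        case $type in ''|'#'*) continue ;; esac
        case $type in
            ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
            *) echo "FAIL: unexpected first word '$type' (wrapped paste?)"; return 1 ;;
        esac
        case $blob in
            AAAA*[!A-Za-z0-9+/=]*|'') echo "FAIL: bad key data after $type"; return 1 ;;
            AAAA*) n=$((n + 1)) ;;
            *) echo "FAIL: key data after $type does not start with AAAA"; return 1 ;;
        esac
    done < "$f"
    [ "$n" -gt 0 ] || { echo "FAIL: no key entries in $f"; return 1; }
    echo "OK: $n key(s) in $f"
}
```

Call it as check_authorized_keys ~/.ssh/authorized_keys, and add '-s' only once it prints OK and a key login from PuTTY has succeeded while password login is still available.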
