- Passwordless public key-based SSH login on router with Asus Merlin firmware
- Configuring SSH on an ASUS router
- ASUS Router Simple Local SSH access
- ASUS Router SSH WAN Access Using SSH Keys
- Asus RT-N66U Enable SSH Access
- 4 Answers
- How to get maximum from your Asus router — Part 2
- Enabling SSH
- Generating public/private key pairs
Passwordless public key-based SSH login on router with Asus Merlin firmware
I’m trying to enable passwordless SSH login on my ASUS RT-AC68U home router which runs version 384.4_2 of Asuswrt-Merlin firmware (the most recent one at the time of posting this). Having read many posts and howtos (including this one), I still can’t get it working. I use PUTTYGEN to generate a pair of RSA-2048 keys, save the public key at ~/.ssh/authorized_keys on the router, then try to connect with PUTTY, which I’ve limited to RSA only. As PUTTY negotiates the session encryption, it prompts to accept the public key provided by the server. I expect it to be my key from ~/.ssh/authorized_keys but instead I’m always seeing the dropbear’s own public key (from /etc/dropbear/dropbear_rsa_host_key). I know it’s that one by running dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key. The permission for ~/.ssh folder is set to 700, for ~/.ssh/authorized_keys to 600. The key is saved via the router’s Web UI in the correct format (i.e., ssh-rsa AAAA. 5iYw== rsa-key-20180401, no line breaks). I tried both root and admin as the SSH user. I also tried everything from scratch, after resetting the router to the factory settings, with the same result. Is there anything I’m missing? At this point, I think my only option would be to extract the dropbear’s private key from /etc/dropbear/dropbear_rsa_host_key and use it instead of generating my own.
Extracting dropbear’s private key won’t help. Have you considered flashing kong dd-wrt? Adding your public keys via the web interface is trivial with that.
@davidgo, I haven’t tried dd-wrt, but I did try extracting dropbear’s private key and using it with putty and it actually works. Just not happy that the private key lives in the router itself.
Configuring SSH on an ASUS router
There are two simple methods (which can also be combined) for SSH access depending on your use case.
The first is simple SSH access using the router’s login credentials. This method is most appropriate inside your home network where the risk of outsiders gaining access from the internet is minimal.
The second method is SSH access from outside your home network for which you should use SSH keys and block simple password login. This means any intruder will be automatically denied access since they don’t have the right key.
Both of these methods can be combined so you can allow both SSH keys and simple passwords from outside your home network. Ideally, if you want to use simple passwords, you should VPN into your Asus router instead, in which case you would not need to enable WAN SSH access.
I have provided a working example using an SSH key that has already been destroyed.
ASUS Router Simple Local SSH access
Log into the web interface of the Asus Router
Click Administration in the left pane
Click the System Tab
Under SSH Daemon section set Enable SSH to Yes
Set the SSH service port if you don’t want to use the standard SSH port (22)
Set Allow SSH password login to Yes
Set Enable SSH Brute Force Protection to Yes
Scroll down and click Apply
ASUS Router SSH WAN Access Using SSH Keys
This section assumes you already have an SSH key generated. I use PuTTYgen (a guide will be posted eventually, but see this one for an overview).
Log into the web interface of the Asus Router
Click Administration in the left pane
Click the System Tab
Under SSH Daemon section set Enable SSH to Yes
Set the SSH service port if you don’t want to use the standard SSH port number 22
If you want SSH access outside your home network set Allow SSH access from WAN to Yes
Note that if you are using a private VPN to gain access to your home network, you do not need to Allow SSH access from WAN.
Set Allow SSH password login to No for maximum security
Paste your SSH Public key (not the private key!) in the SSH Authentication key box
Set Enable SSH Brute Force Protection to Yes
Scroll down and click Apply
Now you have enabled SSH access on your ASUS router so you can install additional software, change configurations, enable custom DDNS (guide incoming) and more.
Asus RT-N66U Enable SSH Access
Is the option to enable ssh access to this router not available in the stock version of the firmware? I can only see «Enable Telnet» under Administration -> System.
That’s kind of lame. Telnet is sent over the network in plain text and is not secure. I have firmware version 3.0.0.4.376_1071 and that is the latest version according to the check for updates feature on the router. If you Google around, other people have been talking about SSH access into this popular router. Are they using some custom firmware?
I’m not familiar with this particular router, but did you check to make sure that SSH is not just always on (so there is no option to enable/disable it)?
3.0.x firmwares are wrt based so you do not necessarily need a custom firmware to add some functionality. See irq5.io/2012/12/10/hacking-functionality-into-asuswrt-routers. Also, see github.com/RMerl/asuswrt-merlin/wiki which is a fork of ASUSWRT to give you more options. Finally, note that telnet on a local confined LAN is kinda OK (though not a good practice).
4 Answers
are they using some custom firmware?
Yes, most owners of this router use custom firmware like tomato or mods thereof.
Even though this is a year old I wanted to chime in with what I found because I was just now trying to get sshd working on the same router after reading similar pages.
I’m using version 3.0.0.4.376_3861 and they still haven’t added in sshd. I got a chuckle out of the hidden ssh options in the menu. They are still there, but don’t work. I telnetted in and did nvram show | grep ssh. Nothing was already there, but I tried shinji14’s answer anyway. I tried with reboot too, but nmap still showed no SSH on a port scan. I then telnetted back in and tried ls -alR --color=always | more and after scanning the results I saw that they are using BusyBox. I couldn’t remember if BusyBox had sshd built in so I did busybox --help and didn’t see it in the list.
BusyBox’s site mentions Dropbear for sshd here, so it looks like they are likely using a WRT variant like 0xC0000022L mentioned or they may be putting Dropbear on it. I’ll probably end up trying Dropbear myself. If that works then I’d say it’d be the way to go because one could pretty much keep it stock and then just put it back on anytime an official update is installed.
How to get maximum from your Asus router — Part 2
In Part 1 we talked about flashing the ASUSWRT-MERLIN firmware; now let’s see how we can connect to the router.
Enabling SSH
To enable SSH we need to navigate to Administration -> System.
In the services section we enable SSH only from the local network by setting it to “Lan only”. We change the default port from 22 to 4445 (in my case) for security reasons. We set “Allow Password Login” to false; instead of a password we will use a private/public key pair.
Generating public/private key pairs
Open a terminal on your local computer and change to the SSH directory with cd ~/.ssh
Now generate a new public/private key pair by typing ssh-keygen
We will need to specify the name of the file the key pair is going to be saved in. You can skip setting up a passphrase. Now we can take the content of our public key my_router.pub and add it to the Authorized Keys section, as visible on the previous screenshot.
We can try connecting to our router by typing:
ssh [username]@[IP address] -p 4445 -i ~/.ssh/my_router
where [username] is the username you use to log in to your router GUI and [IP address] is its address. We use the -p 4445 parameter to connect to the custom port we defined earlier.
Now let’s simplify our connection by creating a configuration file. Start by typing nano ~/.ssh/config and put the following content inside:
Host router
    HostName [IP Address]
    User [username]
    Port 4445
    IdentityFile ~/.ssh/my_router
Now we can connect to the router by simply typing ssh router.
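A pre-flight check for the text pasted into the router's SSH Authentication key box (first guide) or Authorized Keys field (this guide), given as an added example that is not code from either guide or from Asuswrt-Merlin. It rejects private keys, the multi-line RFC 4716 file that PuTTYgen's "Save public key" writes, and damaged or mismatched blobs, then reports the SHA256 fingerprint and RSA size; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

def _fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        if pos + 4 + n > len(blob):
            raise ValueError("field runs past end of blob")
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out

def check_router_key(text):
    """Return (ok, detail) for text about to be pasted into the router's key box."""
    t = text.strip()
    if "PRIVATE KEY" in t or t.startswith("PuTTY-User-Key-File"):
        return False, "private key material: never paste this into the router"
    if t.startswith("---- BEGIN SSH2 PUBLIC KEY"):
        return False, "RFC 4716 file format: use the one-line OpenSSH form"
    if "\n" in t or "\r" in t:
        return False, "line break inside the key: it must be a single line"
    parts = t.split(None, 2)
    if len(parts) < 2:
        return False, "expected '<type> <base64> [comment]'"
    try:
        blob = base64.b64decode(parts[1], validate=True)
        fields = _fields(blob)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return False, f"damaged key blob: {exc}"
    if not fields or fields[0] != parts[0].encode():
        return False, "type prefix does not match the type inside the blob"
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    detail = {"type": parts[0], "fingerprint": "SHA256:" + fp}
    if parts[0] == "ssh-rsa" and len(fields) == 3:
        detail["bits"] = int.from_bytes(fields[2], "big").bit_length()
    return True, detail

def make_sample_line(bits=2048):
    """Constructed, non-functional RSA blob used only to exercise the checker."""
    pack = lambda b: struct.pack(">I", len(b)) + b
    n = b"\x00" + b"\xc3" * (bits // 8)  # leading 0x00 keeps the mpint positive
    blob = pack(b"ssh-rsa") + pack(b"\x01\x00\x01") + pack(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " rsa-key-sample"
```

The reported fingerprint can be compared with the output of ssh-keygen -lf on the .pub file on your own machine before the key is saved in the web UI.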
That’s it for Part 2. In Part 3 we are going to talk about installing custom software to our router.