The Admin Access menu contains settings for who is allowed to administer the router and access the network, how those users can connect, and related settings. The Admin Access menu is divided into sections. The sections include Web Admin, SSH Daemon, Telnet Daemon, Admin Restrictions and Username/Password.
The Web Admin section includes settings to control who can access Tomato's web interface, how and from where. It also contains settings to choose which menus stay nested or shown and for the web interface's colour scheme.
Local Access: This menu contains choices to control which web protocol(s) are allowed for communication to the web interface via the LAN.
HTTP Port: In this field, you enter the port number on which you want HTTP administration traffic to flow. (Default: 80).
Remote Access: This menu let you choose if and how a user can remotely access Tomato's web interface.
Allow Wireless Access: Selecting this allows wireless clients to access the web interface, as well as Ethernet clients.
Directory with GUI files: Here, you can select the directory which contains the files which provide the graphical web interface.
(Default: /www). CAUTION: It is recommended you don't change this setting unless you're experienced. Making an error here could cause you to be unable to access Tomato's web interface.
Color Scheme: Here, you can choose the color scheme used for the web interface pages.
Open Menus: Checking any menu name here will show all that menu's submenus as open. Any menu that is unchecked will display its submenus as nested.
Secure SHell is a tunneling protocol which allows you to make secure local and remote connections to the Tomato router. With the help of the Dropbear service, it also allows you to make SSH connections though the router, to LAN client devices. Seetings in this section let you enable or disable the SSH Daemon, and the Dropbear daemon, and configure their settings.
Enable at Startup: Checking this starts the SSH Daemon when the router boots. (Default: Enabled).
Extended MOTD: Checking this enables the Message of the Day function. This function displays a custom message when you first log in via Telnet. The message can be can be important information or updates about the system or just a personal greeting from the system admin.
Remote Access: Checking this allows SSH connections from remote (WAN/Internet) clients. (Default: Disabled).
Remote Forwarding: Checking this box enables the Dropbear service, the server/daemon that provides SSH services on the router, supporting SSH port tunneling/forwarding. Do not confuse this with standard (local) Port Forwarding.
For example, say you want to be able to access a Windows PC on your LAN via Remote Desktop, but you don't want the security risk of opening up a port for RDP to the Internet directly, via standard Port Forwarding. Instead, you can make an SSH connection into the router with an SSH port tunnel/forward configured (example: 127.0.0.1:1234 gets tunnelled/forwarded through SSH to 192.168.1.66:3389, so that when you're SSH'd into the router, you can open up Remote Desktop on the machine running the SSH client, and connect to 127.0.0.1:1234 and you're connected to the machine 192.168.1.66 on your LAN – securely (because all the traffic flows across SSH, thus is encrypted. Although, RDP is an encrypted protocol as well)).
Port: Here, you can enter the port number on which you want SSH traffic to flow. (Default: 22). Changing the port number from the default is highly recommended, as port 22 is being constantly scanned by Internet hackers.
Allow Password Login: Checking this allows clients to login via SSH with only Tomato's normal username and password. No authorized encryption key is needed. When disabled, SSH will require an authorized key to allow a client to log on.
Authorized Keys: Here you can enter one or more encryption keys which authorize an SSH client to access to the LAN.
(Terminal EmuLation over the NEtwork) is a protocol which allows LAN and remote connections via a command-line interface. Telnet is not a secure protocol.
Enable at Startup: Checking this enables the Telnet Daemon, allowing connections to Tomato via Telnet.
Port: Here, you can enter the port number on which Telnet connections will be made to the router.
Stop Now / Start Now. Clicking this button immediately stops the Telnet Daemon. Note that after the Telnet daemon is stopped via this method, it will be restarted during Tomato's next reboot (if Enable at Startup is checked). When the Telnet Daemon has stopped, the button will change to read Start Now.
Clicking Start Now immediately starts the Telnet Daemon. When Telnet is finished starting, the text on this button will change back to Stop Now.
Allowed Remote IP Address: Here, you can specify the IP addresses or DNS names of hosts you want to allow to connect to the Tomato router's web aministration interface. Addresses can be individual, separated with commas, or a range separated by a dash, such as 18.104.22.168-22.214.171.124 . This setting applies to local and remote administration via HTTP, HTTPS, SSH (if enabled) and Telnet (if enabled).
Limit Connection Attempts: Here, you can specify whether you want SSH or Telnet connection attempts to be limited to a certain number of attempts (n) at a certain frequency (f). (Default: 3 connection attempts allowed every 60 seconds).
Checking SSH limits the number of SSH connection attempts to number n at frequency f (in seconds). Checking Telnet limits the number of Telnet connection attempts to number n at frequency s (in seconds).
The Username/Password section is used to set Tomato's main logon Username and Password. You are strongly urged to change these from the default settings to keep the router and network secure.
Username: Here, you enter the Tomato logon Username you wish to set. Leaving this field empty sets the username as “root”. (Default: “root”).
Password: Here, you enter the Tomato logon password you wish to set. (Default: “admin”).
Re-enter to confirm: In this field, you enter the password again to confirm this is the password you want. The password will only be changed when the text entere in this field and the text entered in the Password field match exactly.