Site Tools


This is an old revision of the document!

Enable “Password-less” Router-to-Router SSH Encryption


FreshTomato includes Dropbear, an SSH client/server program. Dropbear can generate a KeyPair that offers password-less connections. A command is run on the primary router which generates a public key. That Public Key must then be pasted into the secondary router’s Authorized Keys field, in the SSH Daemon section of the Administration/Admin Access menu.

This allows command-line management of the secondary router (or “SSH Host”) from a primary router, (the “SSH Client”). This can be useful when the system clock is not maintained in the secondary router and time-sensitive jobs must be scheduled. For example, as seen below, it may be useful to switch wireless radio(s) on or off to a schedule (not shown). It could also be used to run scripts on the target for any supported command.


  1. On the primary router (the one issuing SSH commands) type the command:
    dropbearkey -t rsa -f ~/.ssh/id_dropbear command to generate the KeyPair.
    This will display a result similar to that shown below. Leave this window open.
    You will need it for step 2.

  1. Copy and paste the Public key portion from the primary router
    to the secondary router’s “Authorized Keys” field, as seen below:

Note that a pre-existing, and unrelated key is redacted above.

  1. Now, connect to the secondary router from within an SSH session (running on the primary router). The example below uses the nvram command to display the host name. The first command string (ssh root@ nvram get lan_hostname) executes the command on the secondary router and then it [nvram get lan_hostname] is executed locally, on the primary router.


This example will enable/disable the eth1 5Ghz Wi-Fi interface on the secondary router. (Temperature is shown only when the interface is on).

  1. This shows the status display before ([Primary router) the command is run:

  1. Here, the command (ssh root@ radio toggle 1) executed:
  1. And here is the status display after the command is run.

If the same command is repeated, eth1 will be disabled on the primary router.


  • SSH must be enabled on both routers.
  • The key generated is erase after a reboot of the primary router. Either keep a copy of the id_dropbear file offline (on a flash drive, or CIFS Client share) for restoration, or be prepared to repeat the procedure (“HOWTO” steps 1 and 2) after a reboot [removing any redundant key from the secondary router during the process].
    This guide was produced using PuTTY [v0.76] and FreshTomato v2021.5.
    Insiration was provided by this article [and this process was first documented here].
/home/fresoehv/wiki/data/pages/router_to_router_ssh.txt · Last modified: 2021/09/22 05:44 by hogwild