Site Tools


Enable Password-less Router-to-Router SSH Encryption


This setup allows a primary router, (the “SSH Client”) to control a secondary router (the “SSH Host”), from the command-line, through an encrypted (tunnel) connection.

FreshTomato includes Dropbear, an SSH client/server program. Dropbear can generate an encryption KeyPair that offers passwordless connections. A command is run on the primary router which generates a public key. That Public Key must then be entered into the secondary router’s Authorized Keys field, in the SSH Daemon section of the Admin Access menu.

This can be useful, for example:

  • When the the secondary router system doesn't maintain a system clock, and time-sensitive jobs must be scheduled.
  • For running scripts on the secondary router using any supported commands.
  • As seen below, for switching wireless radio(s) on or off on a schedule (not shown).

Setting up/Establishing a Tunnel

Follow these steps to generate a Keypair and establish an SSH tunnel:

  1. On the primary router (the one issuing SSH commands) generate a Keypair by typing the command:
    “dropbearkey -t rsa -f ~/.ssh/id_dropbear”

    This will display a result similar to that shown below. Leave this window open, as you'll need it for step 2.

  2. Copy the Public key portion from the primary router and paste it into the “Authorized Keys” field in secondary router:

  3. In the above screenshot, a pre-existing, unrelated key was redacted.

  4. Now, connect to the secondary router via an SSH session (running on the primary router).
    The example below uses the nvram command to display the hostname.
    The first command string (“ssh root@ nvram get lan_hostname”) executes the command on the secondary router and then it [nvram get lan_hostname] is executed locally, on the primary router.

Usage Example

This example will enable/disable the eth1 5Ghz WiFi interface on the secondary router. (Temperature is shown only when the interface is enabled).

  1. This screenshot shows the status display of the Primary router before before the command is run:

  2. Now, we run the command (ssh root@ radio toggle 1):

  3. This shows the status display after the command is run:

    Since “radio toggle 1” is a toggle switch, if the same command is repeated, the eth1 interface will be disabled on the primary router.

Passwordless Router-to-Router SSH Notes

  • The SSH daemon must be enabled on both routers.
  • The key generated will be erased after a reboot of the Primary router.
    • Either keep a copy of the “id_dropbear” file offline (on a flash drive, or CIFS Client share) for restoration, or;
    • Be prepared to repeat (steps 1. and 2.) after a reboot, removing any redundant key from the secondary router.
  • This guide was produced using PuTTY v0.76 and FreshTomato release 2021.5.
  • Inspiration was provided by this article.
  • The process was first documented here.
router_to_router_ssh.txt · Last modified: 2023/05/24 02:08 by hogwild