====== Enable Password-less Router-to-Router SSH Encryption ======

===== Overview =====

This setup allows a primary router (the "SSH Client") to control a secondary router (the "SSH Host") from the command line, through an encrypted SSH (tunnel) connection.

FreshTomato includes [[https://matt.ucc.asn.au/dropbear/dropbear.html|Dropbear]], an SSH client/server program. Dropbear can generate a key pair that allows password-less (public-key) connections. A command run on the primary router generates the key pair and displays its public key. That public key must then be entered into the secondary router's //Authorized Keys// field, in the SSH Daemon section of the [[:admin_access|Admin Access]] menu.

This can be useful, for example:

  * When the secondary router doesn't maintain a system clock, and time-sensitive jobs must be scheduled.
  * For running scripts on the secondary router using supported commands.
  * For switching wireless radio(s) on/off, as seen in the usage example below (putting it on a schedule is not shown).

===== Setting up/Establishing a Tunnel =====

Follow these steps to generate a key pair and establish an SSH tunnel:

  - On the primary router (the one issuing SSH commands), generate a key pair by typing the command: "dropbearkey -t rsa -f ~/.ssh/id_dropbear". This will display a result similar to that shown below. Leave this window open; you'll need it for step 2. \\ \\ {{:pasted:20210921-152323.png?744}}
  - Copy the public key portion from the primary router and paste it into the //Authorized Keys// field on the secondary router (in the screenshot below, a pre-existing, unrelated key was redacted): \\ \\ {{:pasted:20210921-152415.png?739}}
  - Now, connect to the secondary router via SSH (running on the primary router). The example below uses the //nvram// command to display the hostname. The first command string ("ssh root@192.168.10.1 nvram get lan_hostname") executes the command on the secondary router; then the same command ("nvram get lan_hostname") is executed locally, on the primary router. \\ \\ {{:pasted:20210921-152503.png?741}}

===== Usage Example =====

This example enables/disables the secondary router's eth1 5 GHz WiFi interface. (Temperature is shown only when the interface is enabled.)

  - This screenshot shows the primary router's status before the command is run: \\ \\ {{:pasted:20210921-152542.png?736}}
  - Now, we run the command ("//ssh root@192.168.10.1 radio toggle 1//"): \\ \\ {{:pasted:20210921-152607.png?744}}
  - This shows the status after the command is run: \\ \\ {{:pasted:20210921-152637.png?761}}

Since "radio toggle 1" is a toggle switch, if the same command is repeated, the eth1 interface will be disabled again on the primary router.

===== Passwordless Router-to-Router SSH Notes =====

  * The SSH daemon must be enabled on both routers.
  * The key generated will be erased after a reboot of the primary router. Either:
    * keep a copy of the "id_dropbear" file offline (on a flash drive, or a CIFS Client share) for restoration, or
    * be prepared to repeat steps 1 and 2 after a reboot, removing any redundant key from the secondary router.

This guide was produced using [[https://www.chiark.greenend.org.uk/~sgtatham/putty/|PuTTY]] v0.76 and FreshTomato 2021.5. Inspiration was provided by [[https://blog.michael.franzl.name/2017/09/03/set-passwordless-ssh-login-dropbear-client/|this]] article. The process was first documented [[https://www.linksysinfo.org/index.php?threads/%E2%80%9Cpassword-less%E2%80%9D-router-to-router-ssh-how-to.76761/|here]].
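The notes above point out that the key pair on the primary router is lost on reboot. The following shell script is an added example (not part of this wiki page or of the FreshTomato/Dropbear projects) for the primary router: it restores ~/.ssh/id_dropbear from an offline copy before running a remote command, falls back to generating a fresh pair (after which step 2 must be repeated), and extracts the "ssh-rsa" line to paste into Authorized Keys. The backup path /mnt/usb/id_dropbear is an assumed mount point.

```shell
#!/bin/sh
# Added example, not from the FreshTomato wiki or the Dropbear project.
# Runs on the primary router (the SSH client). Assumed paths: the key backup
# lives on a mounted flash drive at /mnt/usb/id_dropbear; adjust to taste.
KEY="${KEY:-$HOME/.ssh/id_dropbear}"
BACKUP="${BACKUP:-/mnt/usb/id_dropbear}"
REMOTE="${REMOTE:-root@192.168.10.1}"

# Put the private key back after a reboot. The offline copy is preferred so the
# public key already pasted into the secondary router's Authorized Keys stays
# valid. With no backup a fresh pair is generated, which means step 2 must be
# repeated; return code 2 signals that to the caller.
restore_key() {
    key="$1"; backup="$2"
    [ -s "$key" ] && return 0
    mkdir -p "$(dirname "$key")" && chmod 700 "$(dirname "$key")"
    if [ -s "$backup" ]; then
        cp "$backup" "$key" && chmod 600 "$key"
    else
        dropbearkey -t rsa -f "$key" >/dev/null || return 1
        echo "new key pair generated; paste its public key into Authorized Keys (step 2)" >&2
        return 2
    fi
}

# From dropbearkey's output on stdin, keep only the "ssh-rsa ..." line that
# goes into the secondary router's Authorized Keys field.
extract_pubkey() {
    grep '^ssh-' | head -n 1
}

# Re-display the public key of an existing private key (dropbearkey -y).
show_pubkey() {
    dropbearkey -y -f "$1" | extract_pubkey
}

# Usage: remote.sh radio toggle 1   (runs "radio toggle 1" on the secondary)
if [ $# -gt 0 ]; then
    restore_key "$KEY" "$BACKUP" || exit $?
    exec ssh "$REMOTE" "$@"
fi
```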