====== Enable Password-less Router-to-Router SSH Encryption ====== ===== Overview ===== This setup allows a primary router, (the "SSH Client") to control a secondary router (the "SSH Host"), from the command-line, through an encrypted (tunnel) connection. FreshTomato includes [[https://matt.ucc.asn.au/dropbear/dropbear.html|Dropbear]], an SSH client/server program. Dropbear can generate an encryption KeyPair that offers passwordless connections. A command is run on the primary router which generates a public key. That Public Key must then be entered into the secondary router’s //Authorized Keys //field, in the SSH Daemon section of the [[:admin_access|Admin Access]] menu.\\ \\ This can be useful, for example: * When the the secondary router system doesn't maintain a system clock, and time-sensitive jobs must be scheduled. * For running scripts on the secondary router using any supported commands. * As seen below, for switching wireless radio(s) on or off on a schedule (not shown). ===== Setting up/Establishing a Tunnel ===== Follow these steps to generate a Keypair and establish an SSH tunnel: - On the primary router (the one issuing SSH commands) generate a Keypair by typing the command: \\ "dropbearkey -t rsa -f ~/.ssh/id_dropbear" \\ \\ This will display a result similar to that shown below. Leave this window open, as you'll need it for step 2. \\ \\ {{:pasted:20210921-152323.png?744}} \\ \\ - Copy the Public key portion from the primary router and paste it into the “Authorized Keys” field in secondary router: \\ \\ {{:pasted:20210921-152415.png?739}} \\ \\ - In the above screenshot, a pre-existing, unrelated key was redacted. \\ \\ - Now, connect to the secondary router via an SSH session (running on the primary router). \\ The example below uses the //nvram// command to display the hostname. \\ The first command string ("ssh root@192.168.10.1 nvram get lan_hostname")** **executes the command on the secondary router and then it [nvram get lan_hostname] is executed locally, on the primary router. \\ \\ \\ {{:pasted:20210921-152503.png?741}} \\ \\ ===== Usage Example ===== This example will enable/disable the eth1 5Ghz WiFi interface on the secondary router. (Temperature is shown only when the interface is enabled). \\ \\ - This screenshot shows the status display of the Primary router before before the command is run: \\ \\ {{:pasted:20210921-152542.png?736}} \\ \\ - Now, we run the command (//ssh root@192.168.10.1 radio toggle 1//): \\ \\ {{:pasted:20210921-152607.png?744}} \\ \\ - This shows the status display after the command is run: \\ \\ {{:pasted:20210921-152637.png?761}} \\ \\ Since "radio toggle 1" is a toggle switch, if the same command is repeated, the eth1 interface will be disabled on the primary router. \\ \\ ===== Passwordless Router-to-Router SSH Notes ===== * The SSH daemon must be enabled on both routers. * The key generated will be erased after a reboot of the Primary router. * Either keep a copy of the "id_dropbear" file offline (on a flash drive, or CIFS Client share) for restoration, or; * Be prepared to repeat (steps 1. and 2.) after a reboot, removing any redundant key from the secondary router. * This guide was produced using [[https://www.chiark.greenend.org.uk/~sgtatham/putty/|PuTTY]] v0.76 and FreshTomato release 2021.5. * Inspiration was provided by [[https://blog.michael.franzl.name/2017/09/03/set-passwordless-ssh-login-dropbear-client/|this]] article. * The process was first documented [[https://www.linksysinfo.org/index.php?threads/%E2%80%9Cpassword-less%E2%80%9D-router-to-router-ssh-how-to.76761/|here]].