Enable Password-less Router-to-Router SSH Encryption

Overview

This setup allows a primary router (the “SSH Client”) to control a secondary router (the “SSH Host”) from the command line, through an encrypted (tunnel) connection.

FreshTomato includes Dropbear, an SSH client/server program. Dropbear can generate a key pair that allows passwordless connections. A command run on the primary router generates the key pair and displays its public key. That public key must then be entered into the secondary router’s Authorized Keys field, in the SSH Daemon section of the Admin Access menu.

This can be useful, for example:


Setting up/Establishing a Tunnel

Follow these steps to generate a key pair and establish an SSH tunnel:

  1. On the primary router (the one issuing SSH commands) generate a key pair
    by typing the command: “dropbearkey -t rsa -f ~/.ssh/id_dropbear”.

    This will display a result similar to that shown below. Leave this window open.
    You'll need it for step 2.




  2. Copy the public key portion from the primary router and paste it
    into the “Authorized Keys” field on the secondary router:




  3. In the above screenshot, a pre-existing, unrelated key was redacted.

  4. Now, connect to the secondary router via SSH (running on the primary router).
    The example below uses the nvram command to display the hostname.


    The first command string (“ssh root@192.168.10.1 nvram get lan_hostname”)
    executes the command on the secondary router. The same command
    (“nvram get lan_hostname”) is then executed locally, on the primary router.
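
The steps above as a small shell helper, added here as an example (it is not part of the original guide or of FreshTomato). It goes slightly beyond the page by also accepting Ed25519 and ECDSA key lines and by checking the private key's file mode; the function names are hypothetical, and it assumes that `ssh` on the router is the Dropbear client, which accepts `-i` for the key file.

```sh
#!/bin/sh
# Added example (not FreshTomato code). Function names are hypothetical;
# the key path, commands and 192.168.10.1 are the ones used on this page.
KEY="${KEY:-$HOME/.ssh/id_dropbear}"

# Read dropbearkey output on stdin and print only the public-key line.
# Fails unless exactly one "type base64 [comment]" line is present, so the
# banner, the fingerprint line or a second key never reach Authorized Keys.
# The length test is a cheap check that rejects many truncated pastes.
extract_pubkey() {
    awk '
        $1 ~ "^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$" &&
        $2 ~ "^[A-Za-z0-9+/]+=*$" && length($2) % 4 == 0 { n++; line = $0 }
        END { if (n != 1) exit 1; print line }
    '
}

# Step 1: create the key pair only if it does not exist yet, then print the
# public half. "dropbearkey -y" re-derives it from the private key file.
ensure_key() {
    mkdir -p "$(dirname "$KEY")" || return 1
    [ -f "$KEY" ] || dropbearkey -t rsa -f "$KEY" >/dev/null || return 1
    dropbearkey -y -f "$KEY" | extract_pubkey
}

# Whoever can read the private key can log in as root on the secondary
# router, so succeed only if group and other have no access to the file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Step 4: confirm key-based login by running the page's command remotely.
# The Dropbear client asks to confirm an unknown host key on first connect.
check_login() {
    ssh -i "$KEY" "root@${1:-192.168.10.1}" nvram get lan_hostname
}

# On the primary router: run ensure_key, paste the printed line into
# Authorized Keys (step 2), then: key_is_private "$KEY" && check_login
```
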





Usage Example

This example enables/disables the secondary router's eth1 5 GHz WiFi interface. (Temperature is shown only when the interface is enabled.)

  1. This screenshot shows the primary router's status before the command is run:




  2. Now, we run the command (“ssh root@192.168.10.1 radio toggle 1”):




  3. This shows the status after the command is run:




Since “radio toggle 1” is a toggle switch, if the same command is repeated, the eth1 interface will be disabled on the primary router.



Passwordless Router-to-Router SSH Notes

This guide was produced using PuTTY v0.76 and FreshTomato 2021.5.

Inspiration was provided by this article. The process was first documented here.