router_to_router_ssh
router_to_router_ssh [2021/09/21 18:47] – [How To] hogwildrouter_to_router_ssh [2024/10/31 22:39] (current) – [Setting up/Establishing a Tunnel] hogwild
Line 1: Line 1:
-====== Enable Password-less” Router-to-Router SSH Encryption ======+====== Enable Password-less Router-to-Router SSH Encryption ======
  
 ===== Overview ===== ===== Overview =====
  
-FreshTomato includes [[https://matt.ucc.asn.au/dropbear/dropbear.html|Dropbear]], an SSH client/server program. Dropbear can generate KeyPair that offers password-less connections. A command is run on the primary router which generates a public key.  That Public Key must then be pasted into the secondary router’s //Authorized Keys //fieldin the SSH Daemon section of the Administration/[[:admin_access|Admin Access]] menu.\\ This allows command-line management of the secondary router (or SSH Host) from a primary router, (the SSH Client). This can be useful when the system clock is not maintained in the secondary router and time-sensitive jobs must be scheduled. For exampleas seen below, it may be useful to switch wireless radio(son or off to a schedule (not shown). It could also be used to run scripts on the target for any supported command.+This setup allows a primary router, (the "SSH Client") to control a secondary router (the "SSH Host")from the command-linethrough an encrypted (tunnelconnection.
  
 +FreshTomato includes [[https://matt.ucc.asn.au/dropbear/dropbear.html|Dropbear]], an SSH client/server program. Dropbear can generate an encryption KeyPair that offers passwordless connections. A command is run on the primary router which generates a public key.  That Public Key must then be entered into the secondary router’s //Authorized Keys //field, in the SSH Daemon section of the [[:admin_access|Admin Access]] menu.\\  \\ This can be useful, for example:
  
-===== How To =====+ \\
  
-  - On the primary router (the one issuing SSH commands) type the **dropbearkey -rsa -f ~/.ssh/id_dropbear** command to generate the KeyPairThis will display result similar to that shown below. Leave this window open; you will need it for step 2.+  * When the the secondary router system doesn'maintain a system clock, \\ and time-sensitive jobs must be scheduled. 
 +  For running scripts on the secondary router using supported commands. 
 +  * As seen below, for switching wireless radio(s) on/off on schedule (not shown).
  
-\\ {{:pasted:20210921-152323.png}}+===== Setting up/Establishing a Tunnel =====
  
-  - Now, copy and paste the “Public Key portion” from the primary router to the secondary router’s “Authorized Keys” field, as seen below:+Follow these steps to generate a Keypair and establish an SSH tunnel:
  
-\\ {{:pasted:20210921-152415.png}}+  - On the primary router (the one issuing SSH commands) generate a Keypair \\ by typing the command:  "dropbearkey -t rsa -f ~/.ssh/id_dropbear". \\ \\ This will display a result similar to that shown below. Leave this window open. \\ You'll need it for step 2. \\ \\ {{:pasted:20210921-152323.png?744}} \\ \\ \\  
 +  - Copy the Public key portion from the primary router and paste it  \\ into the “Authorized Keys” field in secondary router: \\ \\ {{:pasted:20210921-152415.png?739}} \\ \\ \\  
 +  - In the above screenshot, a pre-existing, unrelated key was redacted. \\ \\  
 +  - Now, connect to the secondary router via SSH (running on the primary router).  \\ The example below uses the //nvram// command to display the hostname. \\ \\ \\ The first command string ("ssh root@192.168.10.1 nvram get lan_hostname")** **\\ executes the command on the secondary router and then \\ it ["nvram get lan_hostname"] is executed locally, on the primary router. \\ \\ \\ {{:pasted:20210921-152503.png?741}}
  
-[Note that a pre-existing, and unrelated, key is redacted above.]+ \\
  
-\\ 03 - Connect to the secondary router from within an SSH session [running on the primary router]. The example below uses the **nvram** command to display the host name. The first command string [**ssh root@192.168.10.1 nvram get lan_hostname**] executes the command on the secondary router and then it is executed locally [**nvram get lan_hostname**].+ \\
  
-\\ {{:pasted:20210921-152503.png}}+ \\
  
-\\ **Example** 
  
-Enable/Disable the eth1 5Ghz radio on the secondary router. [Note that a temperature is shown only when the radio is *On.]+===== Usage Example =====
  
-\\ 01 - Status before [Primary router].+This example enables/disables the secondary router's eth1 5Ghz WiFi interface(Temperature is shown only when the interface is enabled).\\  \\
  
-\\ {{:pasted:20210921-152542.png}}+  - This screenshot shows the Primary router's status before the command is run: \\ \\ {{:pasted:20210921-152542.png?736}} \\ \\  \\  
 +  - Now, we run the command ("//ssh root@192.168.10.1 radio toggle 1"//): \\ \\ {{:pasted:20210921-152607.png?744}} \\ \\  \\  
 +  - This shows the status after the command is run: \\ \\ {{:pasted:20210921-152637.png?761}} \\  \\
  
-\\ 02 - Command [**ssh root@192.168.10.1 radio toggle 1**] executed.+ \\ Since "radio toggle 1" is  a toggle switch, if the same command is repeated, the eth1 interface will be disabled on the primary router.
  
-\\ {{:pasted:20210921-152607.png}}+\\
  
-\\ 03 - Status after.+ \\
  
-\\ {{:pasted:20210921-152637.png}}+===== Passwordless Router-to-Router SSH Notes =====
  
-[If the same command is repeated, eth1 will be switched *Off on the primary router.]+  * The SSH daemon must be enabled on both routers. 
 +  * The key generated will be erased after a reboot of the Primary router. 
 +    Either keep a copy of the "id_dropbear" file offline \\ (on a flash drive, or CIFS Client share) for restoration, or; 
 +    * Be prepared to repeat (steps 1. and 2.) after a reboot, \\ removing any redundant key from the secondary router.
  
-\\ **Notes**+ This guide was produced using [[https://www.chiark.greenend.org.uk/~sgtatham/putty/|PuTTY]] v0.76 and FreshTomato 2021.5.
  
-\\ SSH must be enabled on both routers. \\ The key generated is not preserved across a reboot of the [primary] router. Either keep a copy of the id_dropbear file offline [on a UFD or “CIFS Client” share] for restoration, or be prepared to repeat the procedure [steps 1 & 2 under “**How To**”] after a reboot [removing any redundant key from the secondary router during the process]. \\ This guide was produced using [[https://www.chiark.greenend.org.uk/~sgtatham/putty/|PuTTY]] [v0.76] and FreshTomato v2021.5. \\ Insiration was provided by [[https://blog.michael.franzl.name/2017/09/03/set-passwordless-ssh-login-dropbear-client/|this]] article [and this process was first documented [[https://www.linksysinfo.org/index.php?threads/%E2%80%9Cpassword-less%E2%80%9D-router-to-router-ssh-how-to.76761/|here]]].+ Inspiration was provided by [[https://blog.michael.franzl.name/2017/09/03/set-passwordless-ssh-login-dropbear-client/|this]] article. The process was first documented [[https://www.linksysinfo.org/index.php?threads/%E2%80%9Cpassword-less%E2%80%9D-router-to-router-ssh-how-to.76761/|here]]. 
 + 
 + \\ 
 + 
 + \\
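Review bot: the closing sentence of the Usage Example in this hunk ("Since "radio toggle 1" is a toggle switch, if the same command is repeated, the eth1 interface will be disabled on the primary router") contradicts step 4 of the tunnel section, which states that the command string "ssh root@192.168.10.1 ..." executes on the secondary router; a repeated "radio toggle 1" disables eth1 on the secondary router, so suggest changing "primary" to "secondary" there. Three smaller items in the same hunk: the first Overview bullet reads "When the the secondary router system doesn'maintain a system clock" (doubled "the", broken "doesn't"); the second Overview bullet ("For running scripts on the secondary router...") and the "Either keep a copy of the "id_dropbear" file offline..." sub-bullet under Notes lack their leading "*", so they will not render as list items; and the Notes could state plainly that id_dropbear is the private half of the key pair, so the offline copy on a flash drive or CIFS Client share gives root on the secondary router to anyone who can read it and should be protected accordingly.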