
This is an old revision of the document!


Enable “Password-less” Router-to-Router SSH Encryption

Overview

FreshTomato includes Dropbear, an SSH client/server program. Dropbear can generate a key pair that allows password-less connections. A command run on the primary router generates the key pair and displays its public key. That public key must then be pasted into the secondary router’s Authorized Keys field, in the SSH Daemon section of the Administration/Admin Access menu.
This allows command-line management of the secondary router (the SSH host) from the primary router (the SSH client). This can be useful when the system clock is not maintained on the secondary router and time-sensitive jobs must be scheduled. For example, as seen below, it may be useful to switch wireless radio(s) on or off on a schedule (not shown). It could also be used to run scripts or any supported command on the target.

HOWTO

  1. On the primary router (the one issuing SSH commands), type the following command to generate the key pair:
    dropbearkey -t rsa -f ~/.ssh/id_dropbear
    This will display a result similar to that shown below. Leave this window open.
    You will need it for step 2.


  2. Now, copy and paste the “Public Key portion” from the primary router
    to the secondary router’s “Authorized Keys” field, as seen below:


[Note that a pre-existing, and unrelated, key is redacted above.]


  3. Connect to the secondary router from within an SSH session running on the primary router. The example below uses the nvram command to display the host name. The first command [ssh root@192.168.10.1 nvram get lan_hostname] is executed on the secondary router; the same command is then executed locally [nvram get lan_hostname].



Example

Enable/Disable the eth1 5 GHz radio on the secondary router. [Note that a temperature is shown only when the radio is On.]


01 - Status before [Primary router].



02 - Command [ssh root@192.168.10.1 radio toggle 1] executed.



03 - Status after.


[If the same command is repeated, eth1 will be switched Off on the primary router.]


Notes


SSH must be enabled on both routers.
The generated key is not preserved across a reboot of the [primary] router. Either keep a copy of the id_dropbear file offline [on a UFD or “CIFS Client” share] for restoration, or be prepared to repeat the procedure [steps 1 & 2 under “HOWTO”] after a reboot [removing any redundant key from the secondary router during the process].
This guide was produced using PuTTY [v0.76] and FreshTomato v2021.5.
Inspiration was provided by this article [and this process was first documented here].
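
The HOWTO steps and the restore-after-reboot note above, combined into one script for the primary router. This is an added example, not part of the original guide or of FreshTomato; the backup path /mnt/usb/id_dropbear and all function names are assumptions.

```shell
#!/bin/sh
# Added example: BACKUP and the function names are assumptions, not FreshTomato defaults.
KEY="${KEY:-$HOME/.ssh/id_dropbear}"        # path used in step 1
BACKUP="${BACKUP:-/mnt/usb/id_dropbear}"    # hypothetical UFD mount point

# Print only the one-line public key from dropbearkey output read on stdin.
pubkey_line() {
    awk 'found { print; exit } /^Public key portion is:/ { found = 1 }'
}

# Succeed only for a single unwrapped "ssh-rsa <base64> [comment]" line,
# which is the form the Authorized Keys field needs.
is_pubkey() {
    case $1 in *'
'*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^ssh-rsa [A-Za-z0-9+/]+={0,2}( .*)?$'
}

# Keep, restore or generate the private key; prints which one happened.
# The key file has no passphrase, so whoever can read BACKUP can log in
# to the secondary router as root: keep the copy offline.
ensure_key() {
    mkdir -p "$(dirname "$KEY")"
    if [ -s "$KEY" ]; then
        echo present
    elif [ -s "$BACKUP" ]; then
        cp "$BACKUP" "$KEY" && chmod 600 "$KEY" && echo restored
    else
        dropbearkey -t rsa -f "$KEY" >/dev/null && chmod 600 "$KEY" &&
            cp "$KEY" "$BACKUP" && echo generated
    fi
}

# Re-print the public key for step 2 from the existing private key.
show_pubkey() { dropbearkey -y -f "$KEY" | pubkey_line; }

# Run one command on the secondary router,
# e.g. remote 192.168.10.1 radio toggle 1
remote() {
    host=$1; shift
    ssh -i "$KEY" "root@$host" "$@"
}
```

Source the file, run ensure_key after each reboot, and paste the output of show_pubkey into the secondary router only when ensure_key reports "generated".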

router_to_router_ssh.1632246742.txt.gz · Last modified: 2021/09/21 18:52 by hogwild