router_to_router_ssh

Differences

This shows you the differences between two versions of the page.

router_to_router_ssh [2021/09/22 01:36] – [Example] hogwild
router_to_router_ssh [2024/10/31 22:39] (current) – [Setting up/Establishing a Tunnel] hogwild
Line 1: Line 1:
-====== Enable Password-less” Router-to-Router SSH Encryption ======+====== Enable Password-less Router-to-Router SSH Encryption ======
  
 ===== Overview ===== ===== Overview =====
  
-FreshTomato includes [[https://matt.ucc.asn.au/dropbear/dropbear.html|Dropbear]], an SSH client/server program. Dropbear can generate KeyPair that offers password-less connections. A command is run on the primary router which generates a public key.  That Public Key must then be pasted into the secondary router’s //Authorized Keys //fieldin the SSH Daemon section of the Administration/[[:admin_access|Admin Access]] menu.\\ This allows command-line management of the secondary router (or "SSH Host"from primary router(the "SSH Client"). This can be useful when the system clock is not maintained in the secondary router and time-sensitive jobs must be scheduled. For exampleas seen below, it may be useful to switch wireless radio(son or off to a schedule (not shown). It could also be used to run scripts on the target for any supported command.+This setup allows a primary router, (the "SSH Client"to control secondary router (the "SSH Host"), from the command-linethrough an encrypted (tunnelconnection.
  
 +FreshTomato includes [[https://matt.ucc.asn.au/dropbear/dropbear.html|Dropbear]], an SSH client/server program. Dropbear can generate an encryption KeyPair that offers passwordless connections. A command is run on the primary router which generates a public key.  That Public Key must then be entered into the secondary router’s //Authorized Keys //field, in the SSH Daemon section of the [[:admin_access|Admin Access]] menu.\\  \\ This can be useful, for example:
  
-===== HOWTO =====+ \\
  
-  - On the primary router (the one issuing SSH commands) type the command: \\ **dropbearkey -t rsa -f ~/.ssh/id_dropbear** command to generate the KeyPair\\ This will display result similar to that shown below. Leave this window open. \\ You will need it for step 2.+  * When the the secondary router system doesn't maintain a system clock, \\ and time-sensitive jobs must be scheduled. 
 +  For running scripts on the secondary router using supported commands. 
 +  * As seen below, for switching wireless radio(s) on/off on schedule (not shown).
  
-\\ {{:pasted:20210921-152323.png}}+===== Setting up/Establishing a Tunnel =====
  
-\\  \\+Follow these steps to generate a Keypair and establish an SSH tunnel:
  
-  - Copy and paste the Public key portion from the primary router \\ to the secondary router’s “Authorized Keys” field, as seen below:+  - On the primary router (the one issuing SSH commands) generate a Keypair \\ by typing the command:  "dropbearkey -t rsa -f ~/.ssh/id_dropbear". \\ \\ This will display a result similar to that shown below. Leave this window open. \\ You'll need it for step 2. \\ \\ {{:pasted:20210921-152323.png?744}} \\ \\ \\  
 +  - Copy the Public key portion from the primary router and paste it  \\ into the “Authorized Keys” field in secondary router: \\ \\ {{:pasted:20210921-152415.png?739}} \\ \\ \\  
 +  - In the above screenshota pre-existing, unrelated key was redacted. \\ \\  
 +  - Now, connect to the secondary router via SSH (running on the primary router).  \\ The example below uses the //nvram// command to display the hostname. \\ \\ \\ The first command string ("ssh root@192.168.10.1 nvram get lan_hostname")** **\\ executes the command on the secondary router and then \\ it ["nvram get lan_hostname"] is executed locally, on the primary router. \\ \\ \\ {{:pasted:20210921-152503.png?741}}
  
-\\ {{:pasted:20210921-152415.png}}+ \\
  
-Note that a pre-existing, and unrelated key is redacted above.  \\ + \\
-\\ +
-\\ +
-  - Now, connect to the secondary router from within an SSH session (running on the primary router). The example below uses the **nvram** command to display the host name. The first command string (**ssh root@192.168.10.1 nvram get lan_hostname) **executes the command on the secondary router and then it [nvram get lan_hostname] is executed locally, on the primary router.+
  
-\\ {{:pasted:20210921-152503.png}}+ \\
  
  
-==== Example ====+===== Usage Example =====
  
-This example will enable/disable the eth1 5Ghz Wi-Fi interface on the secondary router. (Note that temperature is shown only when the radio is On). +This example enables/disables the secondary router'eth1 5Ghz WiFi interface. (Temperature is shown only when the interface is enabled).\\  \\ 
-\\ + 
-\\ +  - This screenshot shows the Primary router's status before the command is run: \\ \\ {{:pasted:20210921-152542.png?736}} \\ \\  \\  
-  - This shows the status display before ([Primary routerthe command is run.\\ {{:pasted:20210921-152542.png}} +  - Now, we run the command ("//ssh root@192.168.10.1 radio toggle 1"//): \\ \\ {{:pasted:20210921-152607.png?744}} \\ \\  \\  
-\\ +  This shows the status after the command is run: \\ \\ {{:pasted:20210921-152637.png?761}} \\  \\ 
-  - Command [**ssh root@192.168.10.1 radio toggle 1**] executed.\\ {{:pasted:20210921-152607.png}} + 
-\\  + \\ Since "radio toggle 1" is  a toggle switch, if the same command is repeated, the eth1 interface will be disabled on the primary router.
- Here is the status displayed after the command is run.+
  
-\\ {{:pasted:20210921-152637.png}} 
 \\ \\
-\\ 
-(If the same command is repeated, eth1 will be disabled on the primary router.) 
  
-\\ **Notes**+ \\ 
 + 
 +===== Passwordless Router-to-Router SSH Notes ===== 
 + 
 +  The SSH daemon must be enabled on both routers. 
 +  The key generated will be erased after a reboot of the Primary router. 
 +    Either keep a copy of the "id_dropbear" file offline \\ (on a flash drive, or CIFS Client share) for restoration, or; 
 +    Be prepared to repeat (steps 1. and 2.) after a reboot, \\ removing any redundant key from the secondary router. 
 + 
 + This guide was produced using [[https://www.chiark.greenend.org.uk/~sgtatham/putty/|PuTTY]] v0.76 and FreshTomato 2021.5. 
 + 
 + Inspiration was provided by [[https://blog.michael.franzl.name/2017/09/03/set-passwordless-ssh-login-dropbear-client/|this]] article. The process was first documented [[https://www.linksysinfo.org/index.php?threads/%E2%80%9Cpassword-less%E2%80%9D-router-to-router-ssh-how-to.76761/|here]]. 
 + 
 + \\
  
-\\ SSH must be enabled on both routers. \\ The key generated is not preserved across a reboot of the [primary] router. Either keep a copy of the id_dropbear file offline [on a UFD or “CIFS Client” share] for restoration, or be prepared to repeat the procedure [steps 1 & 2 under “**How To**”] after a reboot [removing any redundant key from the secondary router during the process]. \\ This guide was produced using [[https://www.chiark.greenend.org.uk/~sgtatham/putty/|PuTTY]] [v0.76] and FreshTomato v2021.5. \\ Insiration was provided by [[https://blog.michael.franzl.name/2017/09/03/set-passwordless-ssh-login-dropbear-client/|this]] article [and this process was first documented [[https://www.linksysinfo.org/index.php?threads/%E2%80%9Cpassword-less%E2%80%9D-router-to-router-ssh-how-to.76761/|here]]].+ \\
  
  
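Review bot: The closing line of the Usage Example in the new revision, "if the same command is repeated, the eth1 interface will be disabled on the primary router", contradicts the rest of the page: the command is issued as "ssh root@192.168.10.1 radio toggle 1", which the tunnel section itself says "executes the command on the secondary router", so a repeat toggles eth1 off on the secondary router, not the primary. Suggest "the eth1 interface on the secondary router will be disabled again." In the Notes section, the advice to keep a copy of "id_dropbear" on a flash drive or CIFS Client share should say that this file is the private half of the keypair and gives root login to the secondary router without a password, so the copy needs to be kept where only the administrator can read it, and when a key is replaced the old public key should be removed from the secondary router's Authorized Keys field (the "removing any redundant key" wording covers this only for the reboot case). Minor: the item "In the above screenshot a pre-existing, unrelated key was redacted" is numbered as step 3 although it is a caption for the step 2 screenshot; since the text later refers to "steps 1. and 2.", it would be clearer as an unnumbered line under step 2 so the connect step becomes step 3.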
router_to_router_ssh.1632270988.txt.gz · Last modified: by hogwild