router_to_router_ssh: comparison of revisions 2021/09/22 01:38 (hogwild) and 2023/05/24 02:08 (current, hogwild; edit summary: [Notes] changed subhead to "Passwordless Router-to-Router SSH Notes").
====== Enable Password-less Router-to-Router SSH Encryption ======

===== Overview =====

This setup allows a primary router (the "SSH Client") to control a secondary router (the "SSH Host") from the command line, through an encrypted (tunnel) connection.

FreshTomato includes [[https://matt.ucc.asn.au/dropbear/dropbear.html|Dropbear]], an SSH client/server program. Dropbear can generate an encryption KeyPair that offers passwordless connections. A command is run on the primary router which generates a public key. That public key must then be entered into the secondary router's //Authorized Keys// field, in the SSH Daemon section of the [[:admin_access|Admin Access]] menu.\\ \\ This can be useful, for example:

  * When the secondary router doesn't maintain a system clock, and time-sensitive jobs must be scheduled.
  * For running scripts on the secondary router using any supported commands.
  * As seen below, for switching wireless radio(s) on or off on a schedule (not shown).

===== Setting up/Establishing a Tunnel =====

Follow these steps to generate a Keypair and establish an SSH tunnel:

  - On the primary router (the one issuing SSH commands), generate a Keypair by typing the command: \\ "dropbearkey -t rsa -f ~/.ssh/id_dropbear" \\ \\ This will display a result similar to that shown below. Leave this window open, as you'll need it for step 2. \\ \\ {{:pasted:20210921-152323.png?744}} \\ \\
  - Copy the Public key portion from the primary router and paste it into the "Authorized Keys" field on the secondary router: \\ \\ {{:pasted:20210921-152415.png?739}} \\ \\ (In this screenshot, a pre-existing, unrelated key was redacted.) \\ \\
  - Now, connect to the secondary router via an SSH session (running on the primary router). \\ The example below uses the //nvram// command to display the hostname. \\ The first command string ("ssh root@192.168.10.1 nvram get lan_hostname") executes the command on the secondary router; then the same command (nvram get lan_hostname) is run locally, on the primary router. \\ \\ {{:pasted:20210921-152503.png?741}}

===== Usage Example =====

This example will enable/disable the eth1 5GHz WiFi interface on the secondary router. (Temperature is shown only when the interface is enabled.) \\ \\

  - This screenshot shows the status display of the primary router before the command is run: \\ \\ {{:pasted:20210921-152542.png?736}} \\ \\
  - Now, we run the command (//ssh root@192.168.10.1 radio toggle 1//): \\ \\ {{:pasted:20210921-152607.png?744}} \\ \\
  - This shows the status display after the command is run: \\ \\ {{:pasted:20210921-152637.png?761}} \\ \\ Since "radio toggle 1" is a toggle switch, if the same command is repeated, the eth1 interface will be disabled on the primary router.

===== Passwordless Router-to-Router SSH Notes =====

  * The SSH daemon must be enabled on both routers.
  * The key generated will be erased after a reboot of the primary router.
    * Either keep a copy of the "id_dropbear" file offline (on a flash drive, or CIFS Client share) for restoration, or
    * Be prepared to repeat steps 1 and 2 after a reboot, removing any redundant key from the secondary router.
  * This guide was produced using [[https://www.chiark.greenend.org.uk/~sgtatham/putty/|PuTTY]] v0.76 and FreshTomato release 2021.5.
  * Inspiration was provided by [[https://blog.michael.franzl.name/2017/09/03/set-passwordless-ssh-login-dropbear-client/|this]] article.
  * The process was first documented [[https://www.linksysinfo.org/index.php?threads/%E2%80%9Cpassword-less%E2%80%9D-router-to-router-ssh-how-to.76761/|here]].
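The key-persistence caveat in the Notes, together with steps 1 and 2 above, worked as a small BusyBox-style shell helper. This is an added example, not code from the wiki page or from FreshTomato; the backup path under /mnt/usb, running it from a router init script, and the DROPBEARKEY override variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): keeps the Dropbear key from step 1
# across reboots of the primary router, as the Notes recommend, and prints
# the public-key line that step 2 pastes into "Authorized Keys".
# Assumed (not on the page): a backup path on a mounted USB/CIFS share, and
# that this runs from a FreshTomato init or WAN-up script.
KEY="${KEY:-$HOME/.ssh/id_dropbear}"                 # key path used in step 1
BACKUP="${BACKUP:-/mnt/usb/ssh_backup/id_dropbear}"  # assumed backup location
SECONDARY="${SECONDARY:-192.168.10.1}"               # secondary router from the page
DROPBEARKEY="${DROPBEARKEY:-dropbearkey}"            # overridable for offline testing

# ensure_key KEY BACKUP: restore the private key from BACKUP if a reboot wiped
# it, and generate a new one only as a last resort. Prints which path was taken
# (existing, restored or generated) so the caller knows whether step 2 (re-pasting
# the public key on the secondary router) has to be repeated.
ensure_key() {
  key="$1"; backup="$2"
  mkdir -p "$(dirname "$key")" && chmod 700 "$(dirname "$key")"
  if [ -s "$key" ]; then
    echo existing
  elif [ -s "$backup" ]; then
    cp "$backup" "$key" && chmod 600 "$key" && echo restored
  else
    # Same command as step 1 on the page; output suppressed, key kept private.
    "$DROPBEARKEY" -t rsa -f "$key" >/dev/null && chmod 600 "$key" && echo generated
  fi
}

# save_backup KEY BACKUP: copy the private key to the offline location so a
# reboot no longer forces a repeat of steps 1 and 2. Permissions stay 600.
save_backup() {
  mkdir -p "$(dirname "$2")" && cp "$1" "$2" && chmod 600 "$2"
}

# public_key KEY: print only the "ssh-rsa ..." line for the Authorized Keys
# field (dropbearkey -y prints the public key between a banner and a fingerprint).
public_key() {
  "$DROPBEARKEY" -y -f "$1" | grep '^ssh-'
}

# remote CMD...: run a command on the secondary router with the persisted key,
# e.g.  remote nvram get lan_hostname   or   remote radio toggle 1
remote() {
  ssh -i "$KEY" "root@$SECONDARY" "$@"
}
```

Run save_backup once after step 1 while the key is fresh; on each boot call ensure_key and, if it prints "generated", paste the new public_key output on the secondary router and remove the stale entry.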
  
  
router_to_router_ssh.1632271135.txt.gz · Last modified: 2021/09/22 01:38 by hogwild