router_to_router_ssh

router_to_router_ssh [2023/05/23 15:26] hogwild
router_to_router_ssh [2023/05/24 02:08] (current) – [Notes] -changed subhead to "Passwordless Router-to-Router SSH Notes" hogwild
Line 3: Line 3:
 ===== Overview ===== ===== Overview =====
  
-This setup allows a primary router, (the "SSH Client") to control a secondary router (the "SSH Host"), from the command-line, via an encrypted connection.+This setup allows a primary router, (the "SSH Client") to control a secondary router (the "SSH Host"), from the command-line, through an encrypted (tunnel) connection.
  
-FreshTomato includes [[https://matt.ucc.asn.au/dropbear/dropbear.html|Dropbear]], an SSH client/server program. Dropbear can generate an encryption KeyPair that offers password-less connections. A command is run on the primary router which generates a public key.  That Public Key must then be entered into the secondary router’s //Authorized Keys //field, in the SSH Daemon section of the [[:admin_access|Admin Access]] menu.\\  \\ This can be useful, for example:+FreshTomato includes [[https://matt.ucc.asn.au/dropbear/dropbear.html|Dropbear]], an SSH client/server program. Dropbear can generate an encryption KeyPair that offers passwordless connections. A command is run on the primary router which generates a public key.  That Public Key must then be entered into the secondary router’s //Authorized Keys //field, in the SSH Daemon section of the [[:admin_access|Admin Access]] menu.\\  \\ This can be useful, for example:
  
-  * When the the secondary router system does not maintain its system clock, and time-sensitive jobs must be scheduled. +  * When the the secondary router system doesn'maintain system clock, and time-sensitive jobs must be scheduled. 
-  * For running scripts on the secondary router for any supported command.+  * For running scripts on the secondary router using any supported commands. 
 +  * As seen below, for switching wireless radio(s) on or off on a schedule (not shown).
  
- As seen below, for switching wireless radio(s) on or off to schedule (not shown).+=====  Setting up/Establishing Tunnel =====
  
-  - On the primary router (the one issuing SSH commands) type the command: \\ **dropbearkey -t rsa -f ~/.ssh/id_dropbear** command to generate the KeyPair. \\ This will display result similar to that shown below. Leave this window open. \\ You will need it for step 2.+Follow these steps to generate a Keypair and establish an SSH tunnel:
  
-\\ {{:pasted:20210921-152323.png}}+  - On the primary router (the one issuing SSH commands) generate a Keypair by typing the command: \\ "dropbearkey -t rsa -f ~/.ssh/id_dropbear" \\ \\ This will display a result similar to that shown below. Leave this window open, as you'll need it for step 2. \\ \\ {{:pasted:20210921-152323.png?744}} \\ \\  
 +  - Copy the Public key portion from the primary router and paste it into the “Authorized Keys” field in secondary router: \\ \\ {{:pasted:20210921-152415.png?739}} \\ \\  
 +  - In the above screenshot, a pre-existing, unrelated key was redacted. \\ \\  
 +  - Now, connect to the secondary router via an SSH session (running on the primary router).  \\ The example below uses the //nvram// command to display the hostname. \\ The first command string ("ssh root@192.168.10.1 nvram get lan_hostname")** **executes the command on the secondary router and then it [nvram get lan_hostname] is executed locally, on the primary router. \\ \\ \\ {{:pasted:20210921-152503.png?741}}
  
-\\  \\+ \\
  
-  - Copy and paste the Public key portion from the primary router \\ to the secondary router’s “Authorized Keys” field, as seen below:+ \\
  
-\\ {{:pasted:20210921-152415.png}} 
  
-Note that a pre-existing, and unrelated key is redacted above.  \\  \\  \\+===== Usage Example =====
  
-  - Now, connect to the secondary router from within an SSH session (running on the primary router). The example below uses the **nvram** command to display the host nameThe first command string (**ssh root@192.168.10.1 nvram get lan_hostname) **executes the command on the secondary router and then it [nvram get lan_hostname] is executed locally, on the primary router.+This example will enable/disable the eth1 5Ghz WiFi interface on the secondary router. (Temperature is shown only when the interface is enabled) \\  \\
  
-\\ {{:pasted:20210921-152503.png}} +  - This screenshot shows the status display of the Primary router before before the command is run: \\ \\ {{:pasted:20210921-152542.png?736}} \\ \\  
- +  Now, we run the command (//ssh root@192.168.10.1 radio toggle 1//): \\ \\ {{:pasted:20210921-152607.png?744}} \\ \\  
-==== Example ==== +  - This shows the status display after the command is run: \\ \\ {{:pasted:20210921-152637.png?761}} \\  \\ Since "radio toggle 1" is  a toggle switch, if the same command is repeated, the eth1 interface will be disabled on the primary router.
- +
-This example will enable/disable the eth1 5Ghz Wi-Fi interface on the secondary router. (Temperature is shown only when the interface is on).  \\  \\ +
- +
-  - This shows the status display before ([Primary router) the command is run:\\ {{:pasted:20210921-152542.png}}+
  
 \\ \\
  
-  - Here, the command (**ssh root@192.168.10.1 radio toggle 1**) executed:\\ {{:pasted:20210921-152607.png}} + \\
- +
-  - And here is the status display after the command is run.+
  
-{{:pasted:20210921-152637.png}} \\  \\ If the same command is repeated, the eth1 interface will be disabled on the primary router. 
  
-===== Notes =====+===== Passwordless Router-to-Router SSH Notes =====
  
-  * SSH must be enabled on both routers. +  * The SSH daemon must be enabled on both routers. 
-  * The key generated will be erased after a reboot of the primary router. Either keep a copy of the "id_dropbear" file offline (on a flash drive, or CIFS Client share) for restoration, or be prepared to repeat the procedure (HOWTO steps 1 and 2) after a reboot, removing any redundant key from the secondary router during the process.+  * The key generated will be erased after a reboot of the Primary router. 
 +    * Either keep a copy of the "id_dropbear" file offline (on a flash drive, or CIFS Client share) for restoration, or
 +    * Be prepared to repeat (steps 1and 2.) after a reboot, removing any redundant key from the secondary router.
   * This guide was produced using [[https://www.chiark.greenend.org.uk/~sgtatham/putty/|PuTTY]] v0.76 and FreshTomato release 2021.5.   * This guide was produced using [[https://www.chiark.greenend.org.uk/~sgtatham/putty/|PuTTY]] v0.76 and FreshTomato release 2021.5.
   * Inspiration was provided by [[https://blog.michael.franzl.name/2017/09/03/set-passwordless-ssh-login-dropbear-client/|this]] article.    * Inspiration was provided by [[https://blog.michael.franzl.name/2017/09/03/set-passwordless-ssh-login-dropbear-client/|this]] article. 
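Review bot: The last step of the new "Usage Example" section states that repeating "radio toggle 1" will disable the eth1 interface "on the primary router", but the command is run over SSH on the secondary router (the example's own description says it enables/disables eth1 on the secondary router), so "primary" should read "secondary"; the old text had the same slip, so this revision is a good place to correct it. The new revision also introduces a typo in the first Overview bullet ("doesn'maintain system clock" should be "doesn't maintain its system clock", and the doubled "the the" is still there), the "Now, we run the command" item under "Usage Example" lost its leading "-" so it will no longer render as a numbered step, and "steps 1and 2." in the Notes is missing a space.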
router_to_router_ssh.1684851981.txt.gz · Last modified: 2023/05/23 15:26 by hogwild