OpenSSH on R7000

From DD-WRT Wiki

Revision as of 02:48, 27 February 2014
Magick777
(New page: == Use cases for OpenSSH == For regular SSH/SFTP access to the router, DD-WRT's built-in dropbear SSH client and server are perfectly adequate. However, OpenSSH offers a few useful featur...)
Revision as of 03:43, 27 February 2014
Magick777
(start sshd automatically on startup)
Line 78: Line 78:
LD_LIBRARY_PATH=/opt/usr/lib /opt/usr/sbin/sshd -f /opt/etc/ssh/sshd_config LD_LIBRARY_PATH=/opt/usr/lib /opt/usr/sbin/sshd -f /opt/etc/ssh/sshd_config
-to your DD-WRT startup commands should do the trick.+to your DD-WRT startup commands should do the trick, and you should now have a fully functional OpenSSH server on port 22.
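Review bot: the sentence added on the last line promises a "fully functional OpenSSH server on port 22" but gives the reader no way to confirm it, and the sshd command above it is launched without its exit status being checked. Suggest ending the sentence with a concrete check, such as connecting to port 22 after a reboot, and saying what to look at if sshd did not come up.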

Revision as of 03:43, 27 February 2014

Use cases for OpenSSH

For regular SSH/SFTP access to the router, DD-WRT's built-in dropbear SSH client and server are perfectly adequate. However, OpenSSH offers a few useful features over and above dropbear, specifically:

  • SOCKS5 proxy over SSH
  • PPP connections over SSH
  • VPN connections over SSH

Installing OpenSSH

Prerequisites

You will need to install the packages from a compatible Optware repository. OpenSSH packages are available in the imx6 repository; the latest version of OpenSSH is in magick's devel repo. Make sure that you have Optware working properly and can install packages successfully.

Client

If all you want is the client, then it is easily installed with

opkg install openssh-client

This will be sufficient to enable you to create an on-the-fly SOCKS5 proxy on the router, connected to the SSH server of your choice. You may wish to look at public key authentication, server keep alive, and the reconnect option, if you want this connection to be permanent.

Server

Installing the OpenSSH server is slightly more complicated. First, let's relocate dropbear to another port so we don't lose SSH access.

Change the dropbear port

You can change the port that dropbear listens on with:

nvram set sshd_wanport=2222
nvram set sshd_port=2222
stopservice sshd
startservice sshd

As this will disconnect your SSH connection, you can also paste these commands into the Web interface and click Run Commands, then SSH to the router on port 2222 to check that it worked. If it did, we now have port 22 free for OpenSSH.

Install and configure the OpenSSH server

opkg update
opkg install openssh-server

sshd_config

Now, edit /opt/etc/ssh/sshd_config to your requirements. Most of the defaults should be OK, but some things I changed included:

  • have it use the same host keys as dropbear (in /tmp/root/.ssh)
    • dropbearconvert dropbear openssh /tmp/root/.ssh/ssh_host_rsa_key /tmp/root/.ssh/openssh_host_rsa_key
    • dropbearconvert dropbear openssh /tmp/root/.ssh/ssh_host_dss_key /tmp/root/.ssh/openssh_host_dsa_key
    • put the latter filenames in sshd_config
    • the keys are in /tmp, written from nvram, so we'll need to perform the key conversions on every startup
  • turned on ClientAliveInterval 60 and ClientAliveCountMax 3
  • turned on PermitTunnel
  • commented out the SFTP subsystem as we haven't installed it yet
  • set UsePrivilegeSeparation no, we don't have an sshd user and will run as root

start sshd manually

To start sshd, the command line we need is

LD_LIBRARY_PATH=/opt/usr/lib /opt/usr/sbin/sshd -f /opt/etc/ssh/sshd_config

which points it to the correct OpenSSL version and the desired config file. If all is well, this should return without error, your sshd process should be listening on port 22 and you should be able to gain SSH access to the router on port 22 using your normal credentials.

enable SFTP subsystem

So far, so good, but whilst this enables some new functionality, it is currently a regression as compared with dropbear, because SFTP doesn't work. Fix that with:

opkg install openssh-sftp-server

then edit sshd_config to enable the SFTP subsystem and point it to /opt/usr/lib/sftp-server, and issue a SIGHUP to sshd to reload the config file. You should now find that SFTP works as well.

start sshd automatically on startup

To have the OpenSSH server run automatically on DD-WRT startup, we need to convert the dropbear keys supplied by DD-WRT, and then run the required command line. Adding

dropbearconvert dropbear openssh /tmp/root/.ssh/ssh_host_rsa_key /tmp/root/.ssh/openssh_host_rsa_key
dropbearconvert dropbear openssh /tmp/root/.ssh/ssh_host_dss_key /tmp/root/.ssh/openssh_host_dsa_key
LD_LIBRARY_PATH=/opt/usr/lib /opt/usr/sbin/sshd -f /opt/etc/ssh/sshd_config

to your DD-WRT startup commands should do the trick, and you should now have a fully functional OpenSSH server on port 22.
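A guarded form of the three startup lines above, as an added example that is not part of the original wiki page: it refuses to start sshd if a dropbear key is missing or a conversion fails, keeps the converted keys private, and uses sshd's test mode (-t) to check the config and host keys before the daemon is launched. The function names, the overridable KEYDIR/SSHD/CONF variables and the "start" argument are assumptions made for the example; the paths and commands are the page's.

```shell
#!/bin/sh
# Added example (not from the wiki page). Paths default to the ones used on this page;
# KEYDIR, SSHD and CONF can be overridden, which is an assumption made for testing.
KEYDIR="${KEYDIR:-/tmp/root/.ssh}"
SSHD="${SSHD:-/opt/usr/sbin/sshd}"
CONF="${CONF:-/opt/etc/ssh/sshd_config}"

# Convert one dropbear host key to OpenSSH format.
# $1 = dropbear key file name, $2 = OpenSSH key file name (both inside KEYDIR)
convert_key() {
    src="$KEYDIR/$1"
    dst="$KEYDIR/$2"
    # The dropbear keys are written to /tmp from nvram; bail out if they are not there yet.
    [ -s "$src" ] || { echo "missing dropbear key: $src" >&2; return 1; }
    # Convert into a temp file with a restrictive umask so a failed run
    # never leaves a truncated or world-readable host key behind.
    ( umask 077; dropbearconvert dropbear openssh "$src" "$dst.tmp" ) \
        || { rm -f "$dst.tmp"; return 1; }
    [ -s "$dst.tmp" ] || { rm -f "$dst.tmp"; return 1; }
    chmod 600 "$dst.tmp" && mv "$dst.tmp" "$dst"
}

# Returns 1 if a key could not be converted, 2 if sshd rejects the config or keys,
# otherwise the exit status of sshd itself.
start_openssh() {
    convert_key ssh_host_rsa_key openssh_host_rsa_key || return 1
    convert_key ssh_host_dss_key openssh_host_dsa_key || return 1
    # -t only validates the configuration file and the host keys it names.
    LD_LIBRARY_PATH=/opt/usr/lib "$SSHD" -t -f "$CONF" || return 2
    LD_LIBRARY_PATH=/opt/usr/lib "$SSHD" -f "$CONF"
}

# Run only when invoked with the argument "start" (hypothetical convention).
if [ "${1:-}" = start ]; then
    start_openssh
fi
```

Because dropbear stays on port 2222 in this setup, a non-zero return here still leaves a way in to inspect what went wrong.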