SSH Access to OpenWRT without a Password

OpenWRT is an open source router firmware that can be installed on most consumer WiFi routers for increased security, functionality, and performance.

One way to configure OpenWRT is through a web interface.  The other, more powerful, way to configure it is through SSH.  OpenWRT comes with dropbear for SSH.  Dropbear is a optimized, reduced functionality, SSH server.  So, the typical methodology of creating public/private key pairs for authentication does not always work.  Here is what I have found to work:

  1. Assume that the OpenWRT router has an assigned IP address of 192.168.1.1
  2. In Cygwin, or in a Linux terminal, run the following commands:
    • ssh-keygen
    • ssh-copy-id -i root@192.168.1.1

The first command creates a 2048 RSA key, which is the strength recommended by NIST for RSA.  To login without a password, just choose the defaults by pressing enter at each prompt.  The second command copies the public key to the OpenWRT router.  Now, log in to the OpenWRT router with SSH:

ssh root@192.168.1.1

You will be prompted for a password.  Use the password that you set up for the OpenWRT web interface.

Once logged into the router, execute the following command:

cp /root/.ssh/authorized_keys /etc/dropbear/authorized_keys

This will copy the public key to the location expected by dropbear.  This has to be done because ssh-keygen puts the key in the directory expected by openssh, not dropbear.

Now, exit from the router:

exit

Back that the Cygwin or Linux terminal, try logging into the OpenWRT router again with SSH:

ssh root@192.168.1.1

This time, you should be able to get in without a password.

Finally, use the OpenWRT GUI (under System->Administration) to turn off SSH password authentication and disallow the root user to login with a password.  Test to verify password authentication is turned off by typing the following in Cygwin or a Linux terminal:

ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no root@192.168.1.1

You should get an error that says root@192.168.1.1: Permission denied (publickey).

Two things to note:

  1. Unfortunately, OpenWRT makes it difficult to create anything but a root user.  There are ways to do so, however.  Google it.
  2. I tried generating RSA keys larger than 2048 bits.  However, they did not seem to work with dropbear.

Remote Desktop for Raspberry Pi

To access your Raspberry Pi through remote desktop, type the following commands at the Raspberry Pi terminal prompt:

sudo apt-get install tightvncserver

When installation of tightvncserver is complete, execute this command:

sudo apt-get install xrdp

When this is complete, the Pi should be running a remote desktop server.  To access the Pi on Windows, choose “Remote Desktop Connection” from the start menu.  The remote desktop client will appear and ask you for the IP address of the Pi.  My Pi is at 10.0.0.129.

Hit Connect.

A login screen will appear and ask for your username and password.  The default username for the Pi is “pi”  — and the default password is “raspberry”

Congratulations!  The Raspberry Pi’s desktop should appear.  Now, you can access the Pi from anywhere on your network and there is no need to lug around a monitor, keyboard, mouse, cables, etc.

 

Browser Add-ons — Read Terms and Conditions

I found this wonderful sounding add-on to Chrome this morning. It lets you select one or more Gmail emails to convert to PDF. Then, you can download the PDF or put it on Google Drive. I was quite excited and downloaded the add-on.
 
When I installed it, I learned that I have to create a CloudHQ account and give CloudHQ permissions to have read-only access to my emails.
 
No. Just no.
 
Always read Terms and Conditions when installing anything on your computer. The more companies that have access to your information, the more likely you will become a victim to a data breach and identity theft.
 

Avoid Reusing Passwords

Do you use the same password on multiple websites?
 
If so, it is possible that hackers can download a list of email addresses and associated passwords with your information. Are you on a list like this?
 
This is the reason that everyone should use strong passwords along with a password management program like Keepass. Keepass helps you keep track of passwords so that it is easier to use unique ones for each website.
 

Google Knows…

If you have an Android phone, Google likely has a history of most of the places that you have been over the past 10 years.  You can view that history by signing onto your Google account (via Gmail, etc.) and then going to:

https://myactivity.google.com/more-activity

Under location history, click “View Timeline.”  A map will appear with dots showing where you have been.   Based on my map, it appears that the history may only include locations within the United States and Canada.  And there are missing places.  But, the accuracy of the information displayed is quite refined.  For example, I can zoom into a location I visited on a business trip a few years ago and can tell the hotel I stayed at.  I can tell when I arrived at the hotel for the evening and when I left for the airport the next morning.

This location tracking is turned on by default on Android devices.  It can be turned off in theory.  But, it is entirely possible that Google collects and retains this information anyway.

Wi-Fi Networking Links

TL-WR802N Router

Here is the official link to the TL-WR802N router that I purchased in November 2018.  Note that this router comes with a highly insecure default configuration.  With some simple cracking tools in Kali Linux, I was able to obtain its login name and password in under one minute…

https://www.tp-link.com/us/products/details/cat-5506_TL-WR802N.html

Nevertheless, Open-WRT and DD-WRT can be installed on it to provide a more secure system.

https://openwrt.org/toh/tp-link/tl-wr802n

https://wr802n.blogspot.com/2018/04/dd-wrt-install-on-tp-link-tl-wr802n.html


Secure Your Router’s Access (OpenWRT)

How to Make an ISO Copy of Your Hard Drive on Ubuntu

Portable Apps

 

 


General Links

Lock Down Wi-Fi with Wireless Isolation

Wi-Fi Security – WEP, WPA, and WPA2 (hakin9_wifi_EN.pdf)

CVE Details – The Ultimate Security Vulnerability Database

https://tools.tracemyip.org