Disabling Password Authentication on Dropbear SSH Server in OpenWrt Running on WRT54G

I have a LinkSys WRT54G router which runs OpenWrt (version White Russian RC5). For console access to the router, I have enabled the Dropbear SSH server, which works well.

Recently, I opened up the SSH port to allow remote access to the console. To secure this as best I could, I disabled password authentication and enabled public key authentication, by following the instructions in the Dropbear Public Key Authentication Howto.

After disabling password authentication, I thought to myself “What if I lose my private key?” The answer is “I’m probably screwed”, because there is no serial port on the WRT54G for local access. (Actually, there are some hardware mods you can do to add a serial port, but I’m not that handy or brave.)

So I thought to myself “Wouldn’t it be great if you could configure Dropbear to disallow password authentication for remote connections but allow it for local connections?”

I thought, perhaps, that Dropbear might have an option for this. Here are the command-line options for Dropbear 0.48:

  • -b bannerfile = Display the contents of bannerfile before user login (default: none)
  • -d dsskeyfile = Use dsskeyfile for the dss host key (default: /etc/dropbear/dropbear_dss_host_key)
  • -r rsakeyfile = Use rsakeyfile for the rsa host key (default: /etc/dropbear/dropbear_rsa_host_key)
  • -F = Don’t fork into background
  • -E = Log to stderr rather than syslog
  • -m = Don’t display the motd on login
  • -w = Disallow root logins
  • -s = Disable password logins
  • -g = Disable password logins for root
  • -j = Disable local port forwarding
  • -k = Disable remote port forwarding
  • -a = Allow connections to forwarded ports from any host
  • -p port = Listen on specified tcp port, up to 10 can be specified (default 22 if none specified)
  • -i = Start for inetd

As shown above, the -s option can be used to disallow password authentication (thereby forcing public key authentication). However, I can’t see an option that would do exactly what I wanted (i.e. disable password authentication for remote connections but still allow password authentication for local connections).

After thinking about the problem for a few minutes, I realized that I could solve the problem by starting two instances of the Dropbear daemon. The only thing you have to do is make a small change to /etc/init.d/S50dropbear.

Here is the last line from the stock version of that file in White Russian RC5:

/usr/sbin/dropbear

What we want to do is change that file so that we start a second instance of dropbear that disallows password authentication. Here is the last line, plus a new line that starts the second instance:

# failsafe for local access - port 22, pw auth allowed
/usr/sbin/dropbear

# secure for remote access - port 50022, pw auth not allowed
/usr/sbin/dropbear -s -p 50022

The new line /usr/sbin/dropbear -s -p 50022 starts a second instance of dropbear that disallows password authentication. Note that it starts the second instance on port 50022 instead of the default port 22; you can use another unused port number instead, if you so desire.

After making those changes you will have to reboot the router.

Next, you have to allow remote access to port 50022 and disallow remote access to port 22. If you are running the WRT54G on a LAN, behind an internet-facing router, just port forward from some port on the internet-facing router to port 50022 on the WRT54G. Do NOT port forward to port 22.

If you are running WRT54G as your internet-facing router, open port 50022 on the firewall on the WAN side. Do NOT open port 22 on the WAN side (by default, it should already be open on the LAN side).
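Once both instances are running, the thing worth checking before opening the WAN port is that the port you expose really belongs to the instance started with -s. The following POSIX sh script is an added example and is not part of the original post or of OpenWrt: it parses Dropbear command lines (the kind you would cut from `ps w` output on the router) using the option meanings from the 0.48 list above (-s disables password logins for everyone, -g only for root, -p may repeat, and 22 is used when no -p is given) and reports, per listening port, whether password logins are still accepted. The two command lines in SAMPLE_CMDLINES are constructed to match the modified S50dropbear; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: audit Dropbear instances by
# their command lines and report, per listening port, whether password
# logins are allowed. Option meanings follow dropbear 0.48:
#   -s  disable password logins for everyone
#   -g  disable password logins for root only
#   -p  listen on this port (may be given more than once); default 22

# dropbear_pw_policy "<cmdline>"
#   -> one line per port: "PORT pwauth=yes|no rootpw=yes|no"
dropbear_pw_policy() {
    pw=yes
    rootpw=yes
    ports=""
    # Split the command line into words so the options can be walked.
    # shellcheck disable=SC2086
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -s) pw=no; rootpw=no ;;
            -g) rootpw=no ;;
            -p) if [ $# -gt 1 ]; then shift; ports="$ports $1"; fi ;;
        esac
        shift
    done
    # Dropbear listens on 22 when no -p was given.
    [ -z "$ports" ] && ports=22
    for p in $ports; do
        echo "$p pwauth=$pw rootpw=$rootpw"
    done
}

# port_is_keyonly "<policy lines>" PORT
#   -> success only if PORT rejects password logins for every user
port_is_keyonly() {
    printf '%s\n' "$1" | grep -q "^$2 pwauth=no rootpw=no$"
}

# Constructed sample: the two instances started by the modified S50dropbear.
SAMPLE_CMDLINES='/usr/sbin/dropbear
/usr/sbin/dropbear -s -p 50022'

# audit_all -> policy lines for every instance in SAMPLE_CMDLINES
audit_all() {
    printf '%s\n' "$SAMPLE_CMDLINES" | while IFS= read -r line; do
        dropbear_pw_policy "$line"
    done
}

# check_wan_port PORT
#   -> 0 if the port you intend to expose is key-only, 1 otherwise
check_wan_port() {
    if port_is_keyonly "$(audit_all)" "$1"; then
        echo "port $1: OK, password authentication disabled"
    else
        echo "port $1: DO NOT expose, password authentication still allowed"
        return 1
    fi
}

# Sample run: the port that gets forwarded from the WAN side.
check_wan_port 50022
```

On the router itself you would replace SAMPLE_CMDLINES with the real process list (for example the dropbear lines from `ps w`) and run check_wan_port against the port you are about to forward; a result of "DO NOT expose" for port 22 and "OK" for 50022 is exactly the split the two-instance setup is meant to produce.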

The only downside I can see with my “second instance strategy” is slightly higher memory usage. Hopefully, in later releases of OpenWrt, you’ll be able to use the web admin interface (webif) to disable/enable password authentication so that you can run just one instance of Dropbear.

1 comment to Disabling Password Authentication on Dropbear SSH Server in OpenWrt Running on WRT54G

  • Anonymous

    You can also leave telnetd running and replace the /bin/login script with a cross-compiled version of “tinylogin”. This way you can simply leave the telnetd startup script alone, copy or remove the /bin/login shell script, then make a symbolic link to tinylogin. Cross-compiling can be troublesome, but I can say that tinylogin was one of the easiest programs to cross compile given the source file count. This may save some memory space since the telnetd app runs by default anyway even after you create a root password. If you would like a pre-compiled copy, reply to the comment and I will send it to you; I have a /base directory of binaries and sh scripts which I copy over to fresh installs of OpenWRT and have a setup sh script to create the cron jobs, sym links, motd, etc. I also compiled a mipsel usleep so I could specify micro-second sleeps when playing with the LEDs in scripts.
