1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Enabling SSH access via the router's button

Discussion in 'Tomato Firmware' started by menses, Aug 29, 2009.

  1. menses

    menses Addicted to LI Member

    This week I installed Tomato 1.25 ND on my friends router, and so far it's running smoothly :D
    However in case some problems occur or the router just needs some tweaking I would like to be able to configure it remotely instead of dragging my ass next to the router. :)

    So I was thinking a fairly secure way to manage this would be to do it via SSH. But I don't want to keep sshd open all the time, so it would be nice to enable it via the button on the router (SES/AOSS?) see: http://lampiweb.com/virtual/Tomato_RAF/admin-buttons.html
    Since now I don't have access to the router, I'm just trying to prepare and make sure what to do when I get to my friends place next week.
    Is this custom script correct if I want to enable SSH after pressing the button for at least 5 seconds?
    [ $1 -ge 5 ] && sshd
    And what other options should I tweak to enable SSH access in a secure way? Btw, does dropbear support tunneling out of the box?
  2. fyellin

    fyellin LI Guru Member

    ssh is considered pretty secure when used properly. Either use a really good pass-phrase, or better yet, public key encryption. Maybe move it to a port other than 22 to thwart the kiddies running scripts.

    I seriously don't think there's any danger in just leaving sshd running fulltime.

    In any case, the ssh daemon running on tomato is "dropbear". ps reports that it's being called with the arguments "dropbear -p <port> -s -a"
  3. menses

    menses Addicted to LI Member


    I still don't want to keep sshd running when not needed... I think it's a polite way to let my friend decide (push the button) to give access to my ssh connection :)

    [ $1 -ge 5 ] && dropbear -p 6666 -s -a
    would, after five seconds, open ssh server on port 6666 with public key authorization only and tunneling enabled (-a?)

    Do I have to change other configurations?
  4. rhester72

    rhester72 Network Guru Member

    Another possible solution is something like knockd which doesn't require any physical intervention at all. Do a forum search for details.

  5. menses

    menses Addicted to LI Member

    knockd seems very interesting... especially for paranoids like me :)

    And just wanted to update this thread by saying that a better way to to launch dropbear with the button script is:
    [ $1 -ge 5 ] && service sshd start
    Starting dropbear directly with 'dropbear -p 6666 -s -a' omits the creation of hostkeys, which makes dropbear unaccessible...

Share This Page