(Guide) Using SSH on Tomato without passwords (Win&Mac)

Discussion in 'Tomato Firmware' started by philess, Jan 26, 2013.

  1. philess

    philess Networkin' Nut Member

    This simple step-by-step guide will show new users how to securely
    connect to their TomatoUSB router using SSH and encrypted private
    key-files without having to type their password every time.

    Note: This is not a replacement to have a secure password set on
    your routers webinterface!

    If you are using a Mac, scroll further down.

    For Windows users

    Download the Putty SSH client: http://the.earth.li/~sgtatham/putty/latest/x86/putty.zip
    Extract the zip-file wherever you want (Example: C:\Program Files\Putty).

    Start Puttygen.exe and make sure it is set to SSH-2-RSA and 1024 bits.
    Click on Generate. Move your mouse pointer around a bit as it says.


    When it's done, your public key will appear in the upper text field.
    Starting with "ssh-rsa...", select all of it and copy it to your clipboard.
    Leave Puttygen open for now!

    In TomatoUSB webinterface go to Administration, Admin Access.
    If you haven't already, enable the SSH Daemon.
    In the Authorized Keys field, paste your public key.


    Click save.

    Back to Puttygen. Click Save private key.
    It will ask if you are sure about saving it without a passphrase.
    Select Yes, because that is the whole point of this all.
    You can save this as "Tomato.ppk" file right in your Putty folder.

    NOTE: Keep this private key secure! Do not give it to anyone!

    While you are at it, also click "Save public key" and save it too.

    You can close Puttygen now and start Putty.exe.


    In the first menu (should be Session), enter the IP address of your router
    as the Host and the port number of the SSH server (default port 22).

    In the lower left list, go to Connection/SSH/Auth.


    Below "Private key file for authentication" select your private "Tomato.ppk" file.

    Also in the Connection menu, go to the Data sub-menu.


    Enter "root" as the Auto-login username.

    Go back up to the Session menu.
    Enter a name for this session, for example "TOMATO".


    Click save. You should see the entry appear in the list below.

    Now close Putty. Create a (desktop) shortcut to Putty.exe.
    Right-click on the shortcut, select Properties.
    In the Path field, append the following after Putty.exe
    -load TOMATO
    Make sure you have a space between .exe and -load.


    If your Session name contains spaces, you need to use quotes, like "-load My Tomato".
    Save the shortcut.

    Now when you start the shortcut Putty will start and automatically
    connect to the saved "TOMATO" session and use your private key
    to authorize with the SSH Server running on your router.

    Any feedback is greatly appreciated! Hope this can be useful to at least someone.
  2. philess

    philess Networkin' Nut Member

    For Mac users

    There is a way to convert a Putty/Windows-generated public .ppk file for use
    on a Mac, but let's just keep it simple and generate a fresh pair on your Mac.
    And maybe you are reading this because you don't have a Windows machine nearby.

    Open a terminal prompt. Enter this:

    ssh-keygen -t rsa -b 1024 -f ~/.ssh/tomato

    When asked for your passphrase, just press Enter twice (empty passphrase).

    Open a Finder window, and from the menu select "Go, Go to folder" or Shift+CMD+G.

    Enter "~/.ssh/" to open the .ssh folder in your user's home directory.

    You should see two new tomato files in there now: tomato and tomato.pub

    NOTE: Keep the private "tomato" file secure! Do not give it to anyone!

    Open the .pub with TextEdit.

    Copy the contents to your clipboard (CMD+C). Go to TomatoUSB webinterface.
    Under "Administration, Admin Access, Authorized Keys" paste it (CMD+V) in the textbox.
    If it ends with username@hostname, remove that part.


    Click save.

    Back on your Mac, inside the .ssh folder. Most likely there is no "config" file in there.
    Create a new one for example from TextEdit (Menu, New file).

    Put the following in it:

      # Host alias (name assumed here); the HostName line is the router's IP address
      Host tomato
        HostName <router IP address>
        IdentityFile ~/.ssh/tomato
        User root

    Replace the IP address with whatever IP address your TomatoUSB router has.
    If using TextEdit, in the menu select Format, Make Plain Text.
    Then save it as "config" in the ~/.ssh/ folder. Close TextEdit.

    That is all. In Terminal, type "ssh" and it should connect
    to your router using the ssh-file and automatically login as user root.

    Note: This is working fine on Mac OS X Mountain Lion right now.
    Users of older versions of OS X might need to do "chmod 400 ~/.ssh/tomato".

    Extra note: If you want to access your Tomato from Windows & Mac clients,
    you can paste multiple keys in the webinterface.

  3. philess

    philess Networkin' Nut Member

    If you have to transfer files from your computer to the router all the time,
    you can use the same basics and SFTP.

    "ipkg install openssh-sftp-server" (assuming you have Optware installed)

    That's all. Now you can choose an SFTP client. Some examples:
    • WinSCP (free, very popular)
    • VanDyke SecureFX (commercial, free trial available)
    and then set it up the same way, using the private key file previously created,
    and connect to your router's IP address using SFTP as user "root".
    Now you can safely transfer files from and to the router without having to enable
    the built-in FTP server with user accounts, permissions and such.
  4. koitsu

    koitsu Network Guru Member

    I'd like to know why you didn't generate a key that used a password, and then instead used an SSH agent (referring to things like Pageant for Windows)? This is usually how people do "passwordless logins" -- your private key has a password, but you only enter the password once (when the agent launches, such as when you log in to Windows). The rest of the configuration, server-side (router-side), is identical.

    With what you have now, if someone gets access to your private key -- and this happens more often than you'd think, mainly because computers get compromised (trojans, malware, backdoors, etc. where the attacker offloads any files of interest) -- then they can potentially log in to your router (possibly using your PC remotely to set up a backdoor on the router itself). 98% of people using these firmwares do not check on their router to see if other people are logged in/using it.

    My point: using keys for authentication is good, but using password-protected keys is even better -- but you can use a passworded key without having to enter the password every time you SSH in to a device that uses that (public) key for authentication. That's what an agent is for.
  5. Mangix

    Mangix Networkin' Nut Member

    I like the choice of RSA (less overhead for the router), but why 1024 bits? Sure, it's faster, but it's also less secure.
  6. philess

    philess Networkin' Nut Member

    Very good point, koitsu. Thank you for the input. I was just reading up on Pageant; it was new to me.
    Of course it is a risk to use a key file without a passphrase, and that is why I explicitly state that
    the user should take great care of the private key file.
    I will add a part to the guide about using Pageant though.

    @Mangix Yes, 2048 should work just fine too, depending on the CPU of the router I guess.
    I would assume most stuff is done LAN->SSH->Tomato, so I figure 1024 is enough;
    sure, someone who has WAN SSH enabled and uses it for that can increase to 2048.
    Good point! Thanks for the input!

    Updates to the guide:

    In the steps above when creating the key you can either select the default
    1024 bit length or beef it up for more security to 2048, but be aware that
    authenticating (logging in) can take a bit longer then.
    Thanks to Mangix for pointing this out!

    As koitsu has pointed out, it is a security risk to use key files without a passphrase.
    Everyone who gets access to your key file will then have access to your SSH server!
    It is important that you are aware of this risk and weigh it against the comfort of
    just double-clicking a shortcut and not having to type in a password.

    There is sort of a middle ground though: SSH agents.
    What those tiny programs in the background basically do is sit there
    and hold your key file in memory, already decrypted and ready to use.
    You have to enter your passphrase once though, when starting the agent.
    Then you can work all day long, logging in and out of the SSH server,
    and the agent does the "typing the passphrase" in the background.

    In order to use a passphrase instead of an empty pass, follow the guide
    above and just supply a password in the steps creating the key file.
    Proceed then as described.

    One of those agents for example is Pageant and it is included with Putty in the zip file.
    Just start Pageant.exe, click Add Key, select your private key and then enter your passphrase.
    Then you can use Putty as usual while the agent does the authenticating for you.

    Similar procedure with VanDyke SecureCRT and SecureFX:
    In one of the programs under Global Options, SSH2, select these settings:
    Add keys to agent & Enable OpenSSH agent forwarding
    And in the Global/General options, enable Minimize to Activator in tray.
    Connect to your SSH server once, enter the passphrase, and it will be stored in the memory.
    Now you can also launch SecureFX for SFTP transfers, and it will use the agent too.

    Now, if you still prefer to be lazy and just use an empty passphrase, that is up to you.
    As usual, it is comfort vs. security.
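    An added example (not from philess's guide or from the Tomato project) covering two points raised in this thread: the Mac post's "remove the username@hostname part" step when pasting into Authorized Keys, and the 1024 vs. 2048 bit discussion. It parses an OpenSSH public key line, reports the RSA modulus size, flags keys below a chosen minimum, and returns the cleaned line to paste into the router. The sample keys are constructed moduli, not real key pairs.

```python
import base64
import struct

# OpenSSH wire helpers (RFC 4251 "string" and "mpint" encodings).
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b  # mpint is signed; keep a positive value positive
    return _ssh_string(b)

def _read_string(blob: bytes, off: int):
    (length,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + length], off + 4 + length

def make_rsa_pubkey_line(n: int, e: int = 65537, comment: str = "") -> str:
    """Build an ssh-rsa public key line (as found in a .pub file) from e and n."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")

def inspect_pubkey_line(line: str, min_bits: int = 2048) -> dict:
    """Parse one public key line; return its type, RSA modulus size, and a
    cleaned 'type base64' line with the trailing user@host comment removed."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not a public key line")
    keytype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type != keytype.encode("ascii"):
        raise ValueError("key type field does not match the key blob")
    bits = None
    if keytype == "ssh-rsa":
        _e, off = _read_string(blob, off)
        n_bytes, off = _read_string(blob, off)
        bits = int.from_bytes(n_bytes, "big").bit_length()
    return {
        "type": keytype,
        "bits": bits,
        "ok": bits is None or bits >= min_bits,  # flag short RSA keys
        "clean": keytype + " " + b64,  # what to paste into Authorized Keys
    }

# Constructed sample moduli (not real keys): exactly 1024 and 2048 bits wide.
SAMPLE_1024 = make_rsa_pubkey_line((1 << 1023) | 1, comment="me@mac.local")
SAMPLE_2048 = make_rsa_pubkey_line((1 << 2047) | 3)
```

    Run inspect_pubkey_line() on the contents of tomato.pub before pasting: a 1024 bit key is reported as not ok against the 2048 bit minimum, and the "clean" value is the line without the trailing comment.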