Friday, August 12, 2011

How to setup TomatoUSB with non-root ssh access

  1. First, you need a working TomatoUSB instance. Follow the instructions here if you have an ASUS RT-N16 router.
  2. Now, assuming you have installed and set up the router, go to Administration > Admin Access and enable SSH Daemon. Depending on your needs, you may want to enable or disable different options. In my case, I checked Enable at Startup and Remote Forwarding. I didn't need Remote Access because my instance is behind another router. I disabled Allow Password Login and use Authorized Keys for authentication. Test your setup by trying to ssh into the router. I also disabled the Telnet Daemon to tighten up security.
  3. Install Optware; you can find very good instructions here.
  4. Install coreutils
    • ipkg install coreutils
    • Create a new user in the RAM-backed copies of the account files under /tmp. The following instructions are based on the tutorial here.
      • Edit the following files in /tmp/etc (the router's /etc points to this directory, which is why the nvram commands below use /etc/... paths). They're standard Unix files, so look up the field syntax if you're not familiar with it.
        • passwd
        • group
        • shadow
      • Create a user home directory in /tmp/home
        • Create a ".ssh" folder under /tmp/home/.
        • You can create a new authorized_keys file or simply copy it from the root user.
    • Test the user creation.
      • Try login  and enter the password to make sure the user is working correctly.
      • Go to another box and try to ssh into the router using the new user.
    • If everything works, save the changes to NVRAM.
      • Move the new entries you added to the passwd, group and shadow files into .custom files. For example, the entry in the passwd file should be moved to passwd.custom. Each .custom file holds only the added entries, not the whole file; Tomato appends them to the generated files at boot.
      • Execute the following commands to persist the changes:
        • nvram setfile2nvram /etc/passwd.custom
        • nvram setfile2nvram /etc/group.custom
        • nvram setfile2nvram /etc/shadow.custom
        • nvram setfile2nvram /home//.ssh/authorized_keys
        • nvram commit
    • Create a script to fix the owner and permissions of the user home directory.
      • chown doesn't come with the standard install; it comes from Optware, so the fix has to run after /opt is mounted. That is what the /opt/.autorun file is for.
      • Put the following command into /opt/.autorun file
        • chown -R . /home/
        • chmod -R 700 /home/
      • Make sure .autorun is executable.
        • chmod u+x .autorun
    • Reboot the router.
    • Now, you should be able to ssh to the router with a non-root user.
    • The final step is to disable SSH access for the root user. Go back to the web admin interface, Administration > Admin Access, and clear the Authorized Keys field. With password login already off, root can then no longer log in over SSH at all, so confirm the non-root login works first; the web interface remains your way back in.
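The user-creation, persistence and .autorun steps above as one POSIX shell script, added here as a worked example; it is not code from the original post. It assumes the router's live account files are in /tmp/etc, user homes live under /tmp/home, root's key sits in /root/.ssh/authorized_keys, and chown is the Optware binary installed by `ipkg install coreutils`. The user name alice, uid/gid 1000 and the check_user helper are illustrative. File locations are parameters so the functions can be dry-run in a scratch directory before touching the router.

```shell
#!/bin/sh
# Added example (not from the original post): scripts the non-root user setup
# for TomatoUSB. Assumptions: /etc on the router is the RAM copy /tmp/etc,
# homes live under /tmp/home, root's key is /root/.ssh/authorized_keys, and
# chown is the Optware binary from `ipkg install coreutils`. Run as root.

ROOT_KEYS="${ROOT_KEYS:-/root/.ssh/authorized_keys}"   # assumed location of root's key

# One entry each for passwd, group and shadow.
# args: name uid gid hash home shell
passwd_entry() { printf '%s:x:%s:%s:%s:%s:%s\n' "$1" "$2" "$3" "$1" "$5" "$6"; }
group_entry()  { printf '%s:x:%s:\n' "$1" "$3"; }
# shadow: name, hash, days since epoch of last change, then default aging fields.
shadow_entry() { printf '%s:%s:%s:0:99999:7:::\n' "$1" "$4" "$(( $(date +%s) / 86400 ))"; }

# Add the user to the live files and stage the .custom copies that
# `nvram setfile2nvram` persists (Tomato appends *.custom at boot).
# args: name uid gid hash [etc_dir] [home_base]
add_router_user() {
  name=$1; uid=$2; gid=$3; hash=$4
  etc=${5:-/tmp/etc}; home="${6:-/tmp/home}/$name"

  # A second passwd entry for the same name would break login, so refuse it.
  if grep -q "^$name:" "$etc/passwd" 2>/dev/null; then
    echo "add_router_user: $name already exists in $etc/passwd" >&2
    return 1
  fi

  for f in passwd group shadow; do
    "${f}_entry" "$name" "$uid" "$gid" "$hash" "$home" /bin/sh >> "$etc/$f"
    # The .custom file holds only the added entries, never the whole file.
    "${f}_entry" "$name" "$uid" "$gid" "$hash" "$home" /bin/sh >> "$etc/$f.custom"
  done
  chmod 600 "$etc/shadow" "$etc/shadow.custom"   # keep hashes root-only

  # Home directory; reuse root's key as the post does (a separate key is better).
  mkdir -p "$home/.ssh"
  if [ -f "$ROOT_KEYS" ]; then
    cp "$ROOT_KEYS" "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
  fi
  chmod 700 "$home" "$home/.ssh"
  chown -R "$uid:$gid" "$home"   # on the router /opt/bin must be on PATH
}

# Returns 0 only when all three entries and the home directory are in place;
# run this (and a test ssh login) before persisting anything.
# args: name [etc_dir] [home_base]
check_user() {
  name=$1; etc=${2:-/tmp/etc}; home="${3:-/tmp/home}/$name"
  grep -q "^$name:" "$etc/passwd" && grep -q "^$name:" "$etc/group" &&
    grep -q "^$name:" "$etc/shadow" && [ -d "$home/.ssh" ]
}

# Body of /opt/.autorun: the files restored from NVRAM at boot need their owner
# and mode fixed, and chown only exists once Optware is mounted, so it runs here.
# args: name uid gid [home_base]
autorun_script() {
  printf '#!/bin/sh\n/opt/bin/chown -R %s:%s %s/%s\nchmod -R 700 %s/%s\n' \
    "$2" "$3" "${4:-/tmp/home}" "$1" "${4:-/tmp/home}" "$1"
}

# Persist the staged entries exactly as the post does; only after check_user passes.
# args: name
persist_to_nvram() {
  nvram setfile2nvram /etc/passwd.custom &&
    nvram setfile2nvram /etc/group.custom &&
    nvram setfile2nvram /etc/shadow.custom &&
    nvram setfile2nvram "/home/$1/.ssh/authorized_keys" &&
    nvram commit
}

# On the router (uncomment to run):
#   add_router_user alice 1000 1000 '*'          # '*' locks the password: key-only
#   check_user alice && persist_to_nvram alice
#   autorun_script alice 1000 1000 > /opt/.autorun && chmod u+x /opt/.autorun
```

Give add_router_user a real password hash (for example produced with `openssl passwd -1` on another machine) if you want a local login to accept a password, or `*` to lock the password and rely on the copied key. Run check_user and a test ssh login before persist_to_nvram, since the nvram commit is what survives a reboot.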