- First, you need a working TomatoUSB install. Follow the instructions here if you have an ASUS RT-N16 router.
- With the router installed and set up, go to Administration > Admin Access and enable the SSH Daemon. Which options you need depends on your setup. In my case I checked Enable at Startup and Remote Forwarding. I didn't need Remote Access because my router sits behind another router. I disabled Allow Password Login and use Authorized Keys for authentication. Test the setup by ssh-ing into the router. I also disabled the Telnet Daemon to tighten up security. Note that with password login off, the key in the Authorized Keys field is the only way in over ssh until the non-root user below is working.
- Install Optware; a very good guide is here.
- Install coreutils. Tomato's BusyBox does not include chown, which is needed later to fix ownership of the new user's home directory:
- ipkg install coreutils
- Create a new user. Tomato's root filesystem is read-only, so the account files live in RAM under /tmp (/etc is a symlink to /tmp/etc) and disappear on reboot; that is why they are saved to NVRAM further down. The following steps are based on the tutorial here.
- Edit the following files in /tmp/etc. They are standard Unix files; look up the field format if you are unsure of it.
- passwd
- group
- shadow
- Create the user's home directory under /tmp/home, e.g. /tmp/home/<username>.
- Create a .ssh folder under /tmp/home/<username>.
- Create a new authorized_keys file there, or simply copy the root user's.
- Test the user creation.
- Try "login <username>" and enter the password to make sure the user works correctly.
- From another box, try to ssh into the router as the new user.
- If everything works, save the changes to NVRAM. At boot Tomato regenerates passwd, group and shadow and appends the contents of passwd.custom, group.custom and shadow.custom to them, so the new entries have to live in the .custom files rather than in the generated ones.
- Move the entries you added to passwd, group and shadow into the matching .custom files: the new passwd entry goes into passwd.custom, the group entry into group.custom, and the shadow entry into shadow.custom.
- Execute the following commands to persist the changes (use the home path where you created the user's authorized_keys). Files stored this way take up NVRAM, which is small (32 KB on the RT-N16), so keep the key file to the keys you actually need:
- nvram setfile2nvram /etc/passwd.custom
- nvram setfile2nvram /etc/group.custom
- nvram setfile2nvram /etc/shadow.custom
- nvram setfile2nvram /home/<username>/.ssh/authorized_keys
- nvram commit
- Create a script to fix the owner and permissions of the user's home directory. Files restored from NVRAM at boot come back owned by root, and once the home directory is locked down to mode 700 a root-owned copy is unusable by the user.
- Since chown doesn't come with the standard install but from Optware, the script has to run after /opt is mounted. Tomato runs /opt/.autorun at that point, so add the commands to the /opt/.autorun file.
- Put the following commands into /opt/.autorun:
- chown -R <username>:<group> /home/<username>
- chmod -R 700 /home/<username>
- Make sure .autorun is executable:
- chmod u+x /opt/.autorun
- Reboot the router.
- You should now be able to ssh to the router as the non-root user.
- The final step is to disable ssh access for root. Go back to the web admin interface, Administration > Admin Access, and clear the Authorized Keys field. Do this only after the non-root login has been verified from another box: with password login disabled, root's key is the only other way in over ssh, and clearing it with a broken non-root account locks you out of ssh entirely. This closes ssh for root only; the web interface still gives full administrative access, so keep it protected as well.
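As an added example, not code from the original post, the whole procedure above as shell functions for the router's BusyBox sh: the user is appended to the .custom files, root's key is copied into the new home directory, everything is saved with nvram, and /opt/.autorun is written. It assumes (none of this is stated on the page) that /etc and /home are symlinks to /tmp/etc and /tmp/home, that root's key file is /tmp/root/.ssh/authorized_keys, and that coreutils installs chown as /opt/bin/chown. The PREFIX and DRY_RUN variables are additions so the functions can be exercised in a scratch directory off the router; the user name alice in the comments is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post: the manual steps above as
# shell functions for Tomato's BusyBox sh.
# Assumptions (not stated on the page): /etc and /home are symlinks to
# /tmp/etc and /tmp/home; root's key file is /tmp/root/.ssh/authorized_keys;
# coreutils' chown installs as /opt/bin/chown. PREFIX and DRY_RUN are added
# so the functions can be exercised in a scratch directory off the router.

PREFIX="${PREFIX:-}"       # empty on the router; a temp dir when testing
DRY_RUN="${DRY_RUN:-}"     # non-empty: print nvram commands instead of running them

# Only lower-case letters, digits, '_' and '-' (no leading '-'): a ':' or a
# newline in the name would smuggle extra fields or records into passwd/shadow.
valid_name() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# True if $1 is already a user name, or $2 an existing UID, in passwd or
# passwd.custom (the generated file and the one Tomato appends at boot).
name_or_uid_taken() {
    for f in "$PREFIX/etc/passwd" "$PREFIX/etc/passwd.custom"; do
        [ -f "$f" ] || continue
        if cut -d: -f1 "$f" | grep -qx -- "$1"; then return 0; fi
        if cut -d: -f3 "$f" | grep -qx -- "$2"; then return 0; fi
    done
    return 1
}

# add_tomato_user NAME UID [GID] [HASH]
# Appends the passwd/group/shadow records to the .custom files, creates the
# home directory with a copy of root's authorized_keys, and locks the
# permissions down. HASH is the crypt(3) hash for shadow (e.g. from
# "openssl passwd -1" in Optware); without one the password field is "!",
# so the account can only be used with the ssh key.
add_tomato_user() {
    user="$1"; uid="$2"; gid="${3:-$2}"; pwhash="${4:-!}"
    valid_name "$user" || { echo "invalid user name: $user" >&2; return 1; }
    if name_or_uid_taken "$user" "$uid"; then
        echo "user name or uid already in use: $user/$uid" >&2; return 1
    fi
    home="/home/$user"; homedir="$PREFIX/tmp$home"
    mkdir -p "$PREFIX/etc" "$homedir/.ssh"
    printf '%s\n' "$user:x:$uid:$gid:$user:$home:/bin/sh" >> "$PREFIX/etc/passwd.custom"
    printf '%s\n' "$user:x:$gid:" >> "$PREFIX/etc/group.custom"
    days=$(( $(date +%s) / 86400 ))    # shadow "last changed" field, days since epoch
    printf '%s\n' "$user:$pwhash:$days:0:99999:7:::" >> "$PREFIX/etc/shadow.custom"
    rootkeys="$PREFIX/tmp/root/.ssh/authorized_keys"
    [ -f "$rootkeys" ] && cp "$rootkeys" "$homedir/.ssh/authorized_keys"
    chmod 700 "$homedir" "$homedir/.ssh"
    [ -f "$homedir/.ssh/authorized_keys" ] && chmod 600 "$homedir/.ssh/authorized_keys"
    return 0
}

run_nvram() {
    if [ -n "$DRY_RUN" ]; then echo "nvram $*"; else nvram "$@"; fi
}

# Save the three .custom files and the user's key file into NVRAM; Tomato
# writes every file stored with setfile2nvram back to disk at boot.
persist_tomato_user() {
    for f in /etc/passwd.custom /etc/group.custom /etc/shadow.custom \
             "/home/$1/.ssh/authorized_keys"; do
        run_nvram setfile2nvram "$f"
    done
    run_nvram commit
}

# Files restored from NVRAM come back owned by root, and chown is only
# available from Optware, so ownership is repaired from /opt/.autorun, which
# Tomato runs once the Optware partition is mounted. This overwrites any
# existing /opt/.autorun; append the three lines instead if you already use one.
write_autorun() {
    f="$PREFIX/opt/.autorun"
    mkdir -p "$PREFIX/opt"
    {
        echo '#!/bin/sh'
        echo "/opt/bin/chown -R $1:$1 /home/$1"
        echo "chmod 700 /home/$1 /home/$1/.ssh"
        echo "chmod 600 /home/$1/.ssh/authorized_keys"
    } > "$f"
    chmod u+x "$f"
}

# On the router (alice is a placeholder user name):
#   add_tomato_user alice 1001 1001 "$(openssl passwd -1)" \
#     && persist_tomato_user alice && write_autorun alice
```

The hash argument is what goes into the shadow password field; leaving it out locks the password and leaves the key as the only credential, which is the sensible default once Allow Password Login is off, but it means the local "login" test in the steps above will not work for that account.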
Friday, August 12, 2011
How to setup TomatoUSB with non-root ssh access