How to setup TomatoUSB with non-root ssh access

1. First, you need to have a working TomatoUSB instance. Following the instruction here if you have an ASUS RT-N16 router.
2. Now, assuming you have installed and setup the router already. Go to Administration > Admin Access to enable SSH Daemon. Depending on your needs, you may want to enable/disable different options. In my case, I had checked Enable at Startup and Remote Forwarding. I didn't need Remote Access because my instance is behind another router. I disabled Allow Password Login and use Authorized Keys for authentication. Test your setup by trying to ssh into the router. I also disabled the Telnet Daemon to tighten up the security.
3. Install optware and you can find a very good instruction here.
4. Install coreutils
• ipkg install coreutils.
5. Create a new user in tmp memory. The following instructions are based on the tutorial here.
• Edit the following files in /tmp/etc. They're standard unix files so google it to find out the syntax.
• passwd
• group
• shadow
• Create a user home directory in /tmp/home
• Create a ".ssh" folder under /tmp/home/.
• You can create a new authorized_keys file or simple copy it from root user.
6. Test the user creation.
• Try login  and enter the password to make sure the user is working correctly.
• Go to another box and try to ssh into the router using the new user.
7. If everything works, save the changes to NVRAM.
• The new entries you added to the passwd, group and shadow files. Move them into .custom files. For example, the entry in passwd file should be move to passwd.custom file.
• Execute the following commands to persist the changes
• nvram setfile2nvram /etc/passwd.custom
• nvram setfile2nvram /etc/group.custom
• nvram setfile2nvram /etc/shadow.custom
• nvram setfile2nvram /home//.ssh/authorized_keys
• nvram commit
8. Create a script to fix the owner and permission of the user home directory.
• Since chown doesn't come with the standard install but from optware. We need to add the script to /opt/.autorun file.
• Put the following command into /opt/.autorun file
• chown -R . /home/
• chmod -R 700 /home/
• Make sure .autorun is executable.
• chmod u+x .autorun
9. Reboot the router.
10. Now, you should be able to ssh to the router with a non-root user.
11. The final step is to disable ssh access for root user. Go back to web admin interface - Administration > Admin Access and clear the Authorized Keys field.