SSH Configuration

SSH configuration is handled by the dropbear section of uci, and the configuration file is /etc/config/dropbear.
As the section name suggests, the daemon that provides the SSH service in LEDE by default is dropbear.
Each dropbear SSH server instance is described by one "config dropbear" section of that file, and you can have multiple instances.

Default configuration

root@lede:~# uci show dropbear
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].RootPasswordAuth='on'
dropbear.@dropbear[0].PasswordAuth='on'
dropbear.@dropbear[0].Port='22'
dropbear.@dropbear[0].Interface='lan'
root@lede:~# cat /etc/config/dropbear
config dropbear
	option RootPasswordAuth 'on'
	option PasswordAuth 'on'
	option Port '22'
	option Interface 'lan'

This is a single instance of dropbear, listening on port 22 on the lan interface, with password logins (including root) enabled.

Available settings

Name              Type     Required  Default  Description
enable            boolean  no        1        Set to 0 to disable starting dropbear at system boot.
verbose           boolean  no        0        Set to 1 to enable verbose output by the start script.
BannerFile        string   no        (none)   File whose contents are printed to the client before the user has authenticated.
PasswordAuth      boolean  no        1        Set to 0 to disable password authentication for all users.
Port              integer  no        22       TCP port number to listen on.
RootPasswordAuth  boolean  no        1        Set to 0 to disable password authentication for root (root can still log in with a key).
RootLogin         boolean  no        1        Set to 0 to disable SSH logins as root altogether.
GatewayPorts      boolean  no        0        Set to 1 to allow remote hosts to connect to forwarded ports.
Interface         string   no        (none)   Listen only on the address of this logical network interface, as named in /etc/config/network, e.g. lan. Unset means listen on all addresses.
rsakeyfile        file     no        (none)   Path to the RSA host key file.
dsskeyfile        file     no        (none)   Path to the DSS/DSA host key file.
SSHKeepAlive      integer  no        300      Seconds between keepalive packets sent to the client; 0 disables them.
IdleTimeout       integer  no        0        Seconds of inactivity after which a session is disconnected; 0 disables the timeout.
mdns              boolean  no        1        Whether to announce the service via mDNS.
MaxAuthTries      integer  no        3        Number of failed authentication attempts allowed on one connection before dropbear closes it.

Boolean options accept 0/1 as well as on/off; the examples on this page use on/off.

Multiple dropbear instances

To add a second instance of dropbear, add another "config dropbear" section to /etc/config/dropbear (or run "uci add dropbear dropbear" and set its options). You should end up with something like this:

root@lede:~# uci show dropbear
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].RootPasswordAuth='on'
dropbear.@dropbear[0].PasswordAuth='on'
dropbear.@dropbear[0].Port='22'
dropbear.@dropbear[0].Interface='lan'
dropbear.@dropbear[1]=dropbear
dropbear.@dropbear[1].RootPasswordAuth='on'
dropbear.@dropbear[1].PasswordAuth='on'
dropbear.@dropbear[1].Port='2022'
dropbear.@dropbear[1].Interface='wan'
root@lede:~# cat /etc/config/dropbear
config dropbear
	option RootPasswordAuth 'on'
	option PasswordAuth 'on'
	option Port '22'
	option Interface 'lan'

config dropbear
	option RootPasswordAuth 'on'
	option PasswordAuth 'on'
	option Interface 'wan'
	option Port '2022'

The example above shows two dropbear instances:

  • The first instance will listen on port 22 on the lan interface (default internal network)
  • The second one on port 2022 on the wan interface (default external network)

The second instance is not reachable until the firewall allows it: the default wan zone rejects incoming traffic to the router itself, so you need an ACCEPT rule for TCP port 2022 with src 'wan' in /etc/config/firewall (a "config rule" section, not a DNAT/port forward, which redirects traffic to another host). Before doing so, read the security considerations below.

SCP functionality

dropbear itself does not ship an SFTP server, so SFTP clients, and scp clients that use the SFTP protocol (the default in recent OpenSSH releases), cannot transfer files to or from the device. Install the openssh-sftp-server package if you want SSH-based file transfer; dropbear runs it as the sftp subsystem.

Security considerations

Security considerations are beyond the scope of this document, but:

  • Do not expose SSH on the WAN interface. Reach the router over a VPN instead and keep dropbear bound to lan; a password-protected SSH port on the Internet is a standing brute-force target.
  • Do not authenticate with passwords. Use SSH keys, and disable password authentication once your key works.

Install your public key before disabling password authentication, and verify that a key-based login works from a second session; otherwise you lock yourself out of the router. The key goes in:

/etc/dropbear/authorized_keys

The file must not be writable by anyone but root (mode 0600 is the usual choice), or dropbear will refuse to use it. Once key login works, disable password authentication for the instance and restart the service:

root@OpenWrt:~# uci set dropbear.@dropbear[0].PasswordAuth='off'
root@OpenWrt:~# uci set dropbear.@dropbear[0].RootPasswordAuth='off'
root@OpenWrt:~# uci commit dropbear
root@OpenWrt:~# /etc/init.d/dropbear restart

Repeat the uci set commands for every other dropbear section (@dropbear[1] and so on), since each instance has its own PasswordAuth setting.
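The checks the security considerations call for, together with the firewall rule the multiple-instance section needs, as an added example (this is not code from the LEDE wiki or from the dropbear project): a POSIX shell script that parses a UCI-style /etc/config/dropbear, reports each instance that still allows passwords or listens outside lan, rewrites the file with password authentication off in every section (the file-level equivalent of the uci set commands above), and prints the firewall input rule each non-lan instance needs. SAMPLE_CONFIG is a constructed copy of the two-instance example on this page; the function names are mine, and the firewall rule assumes the zone name equals the interface name, as the default lan/wan zones do.

```shell
#!/bin/sh
# Added example, not part of the LEDE/OpenWrt wiki or of dropbear itself.
# Audits a UCI-style /etc/config/dropbear, rewrites it with password auth off,
# and emits the firewall 'config rule' each non-lan instance needs.
# SAMPLE_CONFIG is constructed; on a device read /etc/config/dropbear instead.
SAMPLE_CONFIG=$(cat <<'EOF'
config dropbear
	option RootPasswordAuth 'on'
	option PasswordAuth 'on'
	option Port '22'
	option Interface 'lan'

config dropbear
	option RootPasswordAuth 'on'
	option PasswordAuth 'on'
	option Interface 'wan'
	option Port '2022'
EOF
)

# One line per instance: "<n> <Interface> <Port> <PasswordAuth> <RootPasswordAuth>".
# Unset options get the init-script defaults from the table above (Interface any,
# Port 22, both password options on); booleans are normalised to on/off.
# Assumes the file holds only dropbear sections, as /etc/config/dropbear does.
dropbear_instances() {
    awk -v q="'" -v dq='"' '
    function norm(v) {
        v = tolower(v)
        return (v == "0" || v == "off" || v == "false" || v == "no" || v == "disabled") ? "off" : "on"
    }
    function unquote(v) {
        if (substr(v, 1, 1) == q || substr(v, 1, 1) == dq) v = substr(v, 2, length(v) - 2)
        return v
    }
    function flush() {
        if (n > 0) printf "%d %s %s %s %s\n", n, iface, port, norm(pw), norm(rootpw)
        iface = "any"; port = "22"; pw = "on"; rootpw = "on"
    }
    $1 == "config" && $2 == "dropbear" { flush(); n++; next }
    n > 0 && $1 == "option" {
        v = unquote($3)
        if ($2 == "Interface") iface = v
        else if ($2 == "Port") port = v
        else if ($2 == "PasswordAuth") pw = v
        else if ($2 == "RootPasswordAuth") rootpw = v
    }
    END { flush() }'
}

# One finding per weak setting. Password auth on an instance bound to anything
# but lan is the brute-force exposure the security considerations warn about.
audit_dropbear() {
    dropbear_instances | while read -r n iface port pw rootpw; do
        [ "$iface" = "lan" ] || echo "instance $n: listens on '$iface' port $port, not lan; prefer VPN access"
        [ "$pw" = "off" ] || echo "instance $n: PasswordAuth on; install a key and set PasswordAuth off"
        [ "$pw" = "off" ] || [ "$rootpw" = "off" ] || echo "instance $n: RootPasswordAuth on; root password is guessable remotely"
    done
}

# Rewrite the config with PasswordAuth and RootPasswordAuth 'off' in every
# dropbear section, adding the options where a section relied on the defaults.
harden_dropbear_config() {
    awk -v q="'" '
    function finish_section() {
        if (open) {
            print "\toption PasswordAuth " q "off" q
            print "\toption RootPasswordAuth " q "off" q
        }
    }
    $1 == "config" {
        if (open) { finish_section(); print "" }
        open = ($2 == "dropbear")
        print; next
    }
    open && $1 == "option" && ($2 == "PasswordAuth" || $2 == "RootPasswordAuth") { next }
    open && NF == 0 { next }
    { print }
    END { finish_section() }'
}

# Firewall input rule for each instance not bound to lan. The default wan zone
# rejects input, so this rule (not a DNAT) is what makes a wan instance reachable.
# Assumes the firewall zone has the same name as the interface (true for lan/wan).
dropbear_firewall_rules() {
    dropbear_instances | while read -r n iface port pw rootpw; do
        [ "$iface" != "lan" ] && [ "$iface" != "any" ] || continue
        printf "\nconfig rule\n\toption name 'Allow-SSH-%s-%s'\n\toption src '%s'\n" "$iface" "$port" "$iface"
        printf "\toption proto 'tcp'\n\toption dest_port '%s'\n\toption target 'ACCEPT'\n" "$port"
    done
}

printf '%s\n' "$SAMPLE_CONFIG" | audit_dropbear
printf '%s\n' "$SAMPLE_CONFIG" | harden_dropbear_config
printf '%s\n' "$SAMPLE_CONFIG" | dropbear_firewall_rules
```

On a router, feed the real file with "audit_dropbear < /etc/config/dropbear"; the hardened output should only replace /etc/config/dropbear after a key login has been verified, for the lock-out reason given above, and is followed by /etc/init.d/dropbear restart. The audit of the sample reports five findings; after hardening, the only remaining finding is that the second instance still listens on wan, which no configuration option fixes and which the security considerations advise against in the first place.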