Apologies first of all, I’m an absolute n00b at all this…
I have a Vera edge and D-link 4320 Taipan modem.
I get a lot of network loss and have been looking into using IP SiteSensor as a trigger to run some Lua code which sends an SSH command to my modem to reboot. (I see there are options to use devices for this, but I think this would be a more elegant solution).
I can successfully send a reboot command via SSH from Vera shell with:
ssh admin@192.168.1.1 /sbin/reboot
HOWEVER, this also requires me entering my password for the modem, which rules out a single line Lua command.
I’d prefer not having a script that allows for this password being entered due to the lack of security this poses.
So ideally I’d like the SSH authorization on the Vera and Modem to be set up so the SSH command from Vera works without requiring a password.
I’ve noticed the modem uses dropbear. I’ve created a public key on my PC (mac) which presumably I can share on both Vera and the modem and I’ve tried adding the authorized_keys file into the /etc/dropbear folder on the modem.
This is where I’m currently stuck. It says I can’t create this because within the modem’s busybox shell, it is a read-only file structure.
If I try to apply ‘chmod 0600’ to the dropbear folder I get the same error.
I do notice there is a ‘dropbear_rsa_host_key’ file, so not sure if that would be helpful.
If anyone can help me out here it’d be much appreciated.
Hi Catman,
I’ve used a local terminal to SSH into the modem. I’m logged into the built-in shell of the modem which is BusyBox v1.14.1.
I can’t actually create ‘authorized_keys’ in /etc/dropbear because of the read-only thing.
Running ‘sudo chmod 0700 /etc/dropbear/authorized_keys’ yields: sudo: not found.
Running ‘chmod 0700 /etc/dropbear/authorized_keys’ yields: chmod: /etc/dropbear/" Read-only file system
Funnily enough, other folders seem to have write access. e.g. /home/. But there isn’t any point putting authorized_keys in there because dropbear doesn’t point to that location.
Thanks Catman.
This is all getting a little scary now. If I brick my modem, I’m really gonna be annoyed, so might leave that “Step 2” and flashing as a last resort. (I had a quick look and couldn’t see OpenWRT or dd-WRT support for a D-link 4320L anyway).
So what I might do now is:
1.) Email D-link support, see if they have some tricks up their sleeve as to how I can get rsa keys input into file structure without having to flash the modem;
2.) Re-wind and try venturing down the path of a script that ‘sleeps’ to wait for password input and point to that script from single Lua command line. Not ideally secure but running out of options…
Just a point here, I don’t see much of a difference between putting the password into the script (or in a separate file the script pipes in) or using the key. Access to the Vera gets you either the key or the password (depending on which you implement), either of which the modem would accept for login, and that’s it. You log in to the Vera as root, and everything runs as root, so permissions are pretty much meaningless–you can’t meaningfully protect the password or the key. I think you’re searching for a perfection that isn’t there to be found.
Thanks Rigpapa,
I guess I just figured it would be more harmful (if access to Vera was achieved) to reveal a modem admin pwd because I assumed you could do more with that than simply allowing SSH access to said modem using keys.
But perhaps it’s just the same security-wise.
So thanks, I’m more convinced the script is the way to go now.
I have no scripting experience. Would anyone know what a script would look like that I could call from os.execute that allowed for prompt for modem ssh password to be entered?
I guess I’d also then call the reboot command in same script too.
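The key-based variant of the reboot this thread is after, as an added example that is not from anyone in this thread: a BusyBox-friendly sh script built around the `ssh admin@192.168.1.1 /sbin/reboot` line from the first post, written so it can never fall back to a password prompt and so a dead modem cannot hang the Lua caller. It assumes the modem side accepts the public key (the part still unsolved above) and that the `ssh` on the Vera takes OpenSSH-style `-i`/`-o` options (check its help output first if it is dropbear’s `dbclient`); the key and known_hosts paths are placeholders.

```shell
#!/bin/sh
# Added example for BusyBox sh on the Vera, not code from this thread.
# Assumes the modem will accept the key (the unsolved part above) and that
# "ssh" understands OpenSSH-style -i/-o options. Paths below are placeholders.
MODEM_HOST="${MODEM_HOST:-192.168.1.1}"                        # address used in the thread
MODEM_USER="${MODEM_USER:-admin}"
KEY_FILE="${KEY_FILE:-/etc/cmh-ludl/modem_key}"                 # placeholder path
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/cmh-ludl/modem_known_hosts}"   # placeholder path
SSH_BIN="${SSH_BIN:-ssh}"   # overridable so the logic can be exercised without a modem

# BatchMode=yes makes ssh fail instead of falling back to a password prompt,
# the pinned known_hosts file refuses a host whose key changed, and the
# timeout keeps a dead modem from hanging the Lua os.execute() caller.
SSH_OPTS="-o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=10"

# Print the exact command line, useful for logging or for a Lua os.execute().
reboot_cmd() {
    printf '%s -i %s %s -o UserKnownHostsFile=%s %s@%s /sbin/reboot\n' \
        "$SSH_BIN" "$KEY_FILE" "$SSH_OPTS" "$KNOWN_HOSTS" "$MODEM_USER" "$MODEM_HOST"
}

# Owner-only permission check (0600 or 0400) using ls, since BusyBox may lack
# stat -c. On the Vera everything runs as root anyway, so this only catches
# an accidentally world-readable key rather than protecting it from root.
key_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -l "$1" | cut -c1-10)" in
        -r[w-]-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit codes: 0 reboot command sent, 1 ssh refused/unreachable, 2 bad key file.
reboot_modem() {
    if ! key_is_private "$KEY_FILE"; then
        echo "refusing: $KEY_FILE missing or not mode 600/400" >&2
        return 2
    fi
    # $SSH_OPTS is left unquoted on purpose so it splits into separate -o arguments.
    "$SSH_BIN" -i "$KEY_FILE" $SSH_OPTS -o "UserKnownHostsFile=$KNOWN_HOSTS" \
        "$MODEM_USER@$MODEM_HOST" /sbin/reboot
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "ssh to $MODEM_HOST failed (exit $rc); no password fallback by design" >&2
        return 1
    fi
    echo "reboot command sent to $MODEM_HOST"
}
```

From Lua the trigger can call the script with os.execute and treat anything but a zero status as a failed reboot attempt worth logging.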
Hi Catman,
Thanks for that. I’ve created a .sh file in /etc/cmh-ludhl (which is where I understand .sh files live in Vera).
I made it chmod 775. I used that same script above you posted.
When I run the .sh file however I get:
line 2: spawn: not found
line 3: expect: not found
line 4: send: not found
line 5: interact: not found
I’m no expert but I think with OpenWRT/BusyBox, these commands might not be available (as they are with a regular Linux install)? I looked in /usr/bin and couldn’t see them.
So I got a response from D-link support with this: "Regarding on your concern, On the modem side there is no settings to bypass the admin password because that is the security for your device Regarding on the SSH, the only settings for the router on the SSH is to enable it and input a remote SSH port"
I was thinking the SSH server was running on the router and already had a key … I was suggesting if that’s the case to just use the existing key, therefore no write permission needed. Sorry, maybe my comment doesn’t apply but hey 'ya never know.
Hi Triwave,
Yes there is a dropbear folder on the router /etc/dropbear and there is a key file in there (‘dropbear_rsa_host_key’).
I might be able to edit in vi or copy the key out of it and use it in my home key, but not sure if that would work.
I need to look into giving that a go.