SSH configuration is handled by the dropbear subsystem of UCI, and the configuration file is located at /etc/config/dropbear.
Each dropbear SSH server instance uses a single section of the configuration file, and you can have multiple instances.
The dropbear configuration contains settings for the dropbear SSH server in a single section.
The dropbear section contains these settings. Names are case-sensitive.
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| enable | boolean | no | 1 | Set to 0 to disable starting dropbear at system boot. |
| verbose | boolean | no | 0 | Set to 1 to enable verbose output by the start script. |
| BannerFile | string | no | (none) | Name of a file to be printed before the user has authenticated successfully. |
| PasswordAuth | boolean | no | 1 | Set to 0 to disable authenticating with passwords. |
| Port | integer | no | 22 | Port number to listen on. |
| RootPasswordAuth | boolean | no | 1 | Set to 0 to disable authenticating as root with passwords. |
| RootLogin | boolean | no | 1 | Set to 0 to disable SSH logins as root. |
| GatewayPorts | boolean | no | 0 | Set to 1 to allow remote hosts to connect to forwarded ports. |
| Interface | string | no | (none) | Name of an interface, for example lan. This setting limits connections to clients that can reach the IP address of this interface. For example, in the default firewall configuration the LAN IP of the interface can be seen from clients in the LAN network, but not from the WAN. The value is used in dropbear's -p option, which does the following: "Listen on specified address and TCP port. If just a port is given listen on all addresses. up to 10 can be specified (default 22 if none specified)." |
| keyfile | list of files | no | (none) | Path to host key file. |
| rsakeyfile | file | no | (none) | Path to RSA host key file. Deprecated. See keyfile. |
| SSHKeepAlive | integer | no | 300 | Ensure that traffic is transmitted at a certain interval in seconds. This is useful for working around firewalls or routers that drop connections after a certain period of inactivity. The trade-off is that a session may be closed if there is a temporary lapse of network connectivity. A setting of 0 disables keepalives. If no response is received for 3 consecutive keepalives, the connection will be closed. Equivalent of OpenSSH ClientAliveInterval. |
| IdleTimeout | integer | no | 0 | Disconnect the session if no traffic is transmitted or received for IdleTimeout seconds, even after the SSHKeepAlive keepalive pings. Equivalent of OpenSSH ClientAliveInterval multiplied by ClientAliveCountMax. |
| mdns | integer | no | 1 | Whether to announce the service via mDNS. |
| MaxAuthTries | integer | no | 3 | Number of times you can retry entering the password when logging in before the SSH server closes the connection. |
| RecvWindowSize | integer | no | 24576 | Specify the per-channel receive window buffer size. Increasing this may improve network performance at the expense of memory use. |
This is the default configuration:
```
# uci show dropbear
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].RootPasswordAuth='1'
dropbear.@dropbear[0].PasswordAuth='1'
dropbear.@dropbear[0].Port='22'
```
Add a second instance of dropbear listening on port 2022.
```
uci add dropbear dropbear
uci set dropbear.@dropbear[-1].RootPasswordAuth='1'
uci set dropbear.@dropbear[-1].PasswordAuth='0'
uci set dropbear.@dropbear[-1].Port="2022"
uci commit dropbear
service dropbear restart
```
To connect from the internet, you need to allow port 2022 on the WAN interface.
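An added example, not part of the original page or of the OpenWrt project's code: a shell function that reads /etc/config/dropbear-style text and reports, per instance, which password and exposure settings are in effect once the defaults from the table are applied. The finding names, the SAMPLE_CONFIG variable and the boolean spellings accepted beyond 0/1 are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample: the two instances shown on this page, in /etc/config/dropbear syntax.
SAMPLE_CONFIG="config dropbear
    option RootPasswordAuth '1'
    option PasswordAuth '1'
    option Port '22'

config dropbear
    option RootPasswordAuth '1'
    option PasswordAuth '0'
    option Port '2022'"

# audit_dropbear: reads a dropbear UCI config on stdin and prints one line per
# instance, "port N: <findings>" or "port N: ok". Unset options fall back to
# the defaults from the table above. Finding names are this example's own.
audit_dropbear() {
    awk '
    # Assumption: UCI boolean spellings treated as true, beyond the 0/1 in the table.
    function truthy(v) { return v ~ /^(1|on|true|yes|enabled)$/ }
    function report(   f) {
        if (!active) return
        if (!truthy(o["enable"])) { print "port " o["Port"] ": disabled"; return }
        f = ""
        if (truthy(o["PasswordAuth"])) f = f " password-auth"
        # Root can log in with a password only if all three switches are on.
        if (truthy(o["PasswordAuth"]) && truthy(o["RootPasswordAuth"]) && truthy(o["RootLogin"]))
            f = f " root-password-login"
        # Without Interface, dropbear listens on all addresses.
        if (o["Interface"] == "") f = f " listens-on-all-addresses"
        if (truthy(o["GatewayPorts"])) f = f " gateway-ports"
        print "port " o["Port"] ":" (f == "" ? " ok" : f)
    }
    $1 == "config" {
        report()                      # flush the previous section, if any
        active = ($2 == "dropbear" || $2 == "\047dropbear\047")
        split("", o)                  # reset, then load the documented defaults
        o["enable"] = 1; o["PasswordAuth"] = 1; o["RootPasswordAuth"] = 1
        o["RootLogin"] = 1; o["GatewayPorts"] = 0; o["Port"] = 22
        next
    }
    active && $1 == "option" {
        v = $3
        gsub(/^("|\047)|("|\047)$/, "", v)   # strip surrounding quotes
        o[$2] = v
    }
    END { report() }
    '
}
# Usage on a router: audit_dropbear < /etc/config/dropbear
```

Run against the sample, the default instance is reported with password and root password logins enabled on all addresses, while the port 2022 instance is flagged only for listening on all addresses.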
Dropbear does not support SFTP by itself.
Meanwhile, the OpenSSH client uses SFTP by default.
Use scp -O for the legacy SCP protocol if necessary.
If you do have enough space you can install the SFTP server:
```
opkg update
opkg install openssh-sftp-server
```
Problems faced with a public SSH server: