Technical data
4. Packages
4.19. SSHD - Secure Shell, Secure Copy
A secure shell lets you open an encrypted connection to the fli4l router. With secure copy,
files can be transferred to the fli4l router over an encrypted channel. If Public Key
Login (Page 221) is used in addition, commands and file transfers can be run by scripts from
“outside”. As of version 2.1.7, only an SSH2 server is provided.
4.19.1. Installation Of The Secure-Shell-Daemon
OPT_SSHD Default setting: OPT_SSHD='no'
If the router should be accessible via ssh, set OPT_SSHD to 'yes'. This installs the ssh
server Dropbear on the fli4l router. It also enables copying files to the router.
SSHD_ALLOWPASSWORDLOGIN Default setting: SSHD_ALLOWPASSWORDLOGIN='yes'
If SSHD_ALLOWPASSWORDLOGIN is set to 'no', fli4l no longer allows ssh login via password.
Login is then only possible with a private/public key pair. This requires that a public
key (Page 221) is present on the router.
SSHD_CREATEHOSTKEYS Default setting: SSHD_CREATEHOSTKEYS='no'
An ssh server needs a unique so-called host key to identify itself to an ssh client. The
package SSHD provides a host key to allow a first login to the router, but this key should
be replaced as soon as possible with a self-generated one known only to you. Generating
your own host key is the only way to be prepared against so-called man-in-the-middle
attacks and is therefore very important. SSH will notice if someone pretends to be your
fli4l router because their host key will differ, and it will warn you that the host key
has changed.
Your own host key is generated automatically if SSHD_CREATEHOSTKEYS is set to 'yes'.
This is a computationally demanding task and can prolong boot time by several minutes. If
the fli4l router starts with SSHD_CREATEHOSTKEYS activated, one (or more) host key(s) will
be created in the directory /tmp/ssh. Key files found there have to be copied to your
fli4l build directory under etc/ssh (on the PC where fli4l's boot medium is created). In
my case a directory listing of config.babel looks like this:
Please note that the directory config.babel contains a subdirectory etc, which in turn
contains a subdirectory ssh. Generated host keys have to be placed there. As of fli4l
version 2.1.5, files in your config directory take precedence over those from the opt
directory. With the next update of your fli4l boot medium, the files from config/etc/ssh
will be integrated instead of those in opt/etc/ssh. In this way every fli4l router you
configure can have its own unique host key. When the fli4l files are created, a message
"appending config specific files to opt.img ..." appears towards the end. All files coming
from the config directory instead of opt are listed there.
#
# appending config specific files to opt.img ...
#
etc/ssh/dropbear_dss_host_key
etc/ssh/dropbear_rsa_host_key
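A pre-build check for the procedure above, added here as an example (it is not part of the fli4l documentation or the SSHD package): it confirms that a config directory carries its own Dropbear host keys rather than relying on the packaged ones. The function names and the demo tree are assumptions; only the directory layout and the key file names come from this page.

```sh
#!/bin/sh
# Added example: pre-build check that a fli4l config directory replaces the
# packaged Dropbear host keys. Layout follows the page (config/etc/ssh
# overrides opt/etc/ssh); function names and demo contents are assumptions.

# check_hostkeys CONFIG_DIR OPT_DIR
# Returns 0 only if every dropbear_*_host_key in OPT_DIR/etc/ssh has a
# non-empty replacement in CONFIG_DIR/etc/ssh with different content.
check_hostkeys() {
    cfg="$1/etc/ssh"
    opt="$2/etc/ssh"
    rc=0
    found=0
    for default in "$opt"/dropbear_*_host_key; do
        [ -f "$default" ] || continue
        found=1
        name=${default##*/}
        if [ ! -s "$cfg/$name" ]; then
            echo "MISSING  $name: packaged key would end up on the boot medium"
            rc=1
        elif cmp -s "$cfg/$name" "$default"; then
            echo "DEFAULT  $name: copy of the packaged key"
            rc=1
        else
            echo "OK       $name: config-specific key"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no packaged host keys under $opt" >&2
        return 2
    fi
    return "$rc"
}

# Demo on a constructed tree; file contents are placeholders, not real keys.
demo() {
    demo_dir=$(mktemp -d) || return 1
    mkdir -p "$demo_dir/opt/etc/ssh" "$demo_dir/config.babel/etc/ssh"
    echo packaged-rsa > "$demo_dir/opt/etc/ssh/dropbear_rsa_host_key"
    echo packaged-dss > "$demo_dir/opt/etc/ssh/dropbear_dss_host_key"
    echo own-rsa > "$demo_dir/config.babel/etc/ssh/dropbear_rsa_host_key"
    demo_rc=0
    check_hostkeys "$demo_dir/config.babel" "$demo_dir/opt" || demo_rc=$?
    rm -rf "$demo_dir"
    return "$demo_rc"
}

demo || echo "demo tree: host keys need attention before building"
```

Run against a real build tree as `check_hostkeys config.babel opt` from the fli4l build directory, once per config directory.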