Securing your ASUS router with SSH keys stored on a Yubikey
Overview
This post explains how to set up SSH access to your ASUS router using what I consider the most secure option currently available: SSH keys stored on hardware keys. For this I am using the Yubikey 5 NFC family of keys - I have 2 USB-A and 1 USB-C.
The code snippets are from a generic macOS terminal screen.
My work environment
Router used - ASUS RT-AX86U
Router firmware - Asuswrt-Merlin 386.7_2
Installed software (not needed for this) - Entware, Debian, AMTM v3.3
Dropbear v2022.82
Yubikey 5 NFC, Firmware 5.4.3
My workstation - Apple M1 Pro, macOS 12.6.
Brew info:
Generating the SSH keys
We are going to generate an ed25519-sk key pair. The system automatically splits the private key and keeps one half locally (~/.ssh/ed25519_sk) and the other half on the hardware key.
Remember to chmod 400 the keys in your ~/.ssh folder.
Uploading the public key to the router
We are going to upload the public key to the router now.
- Copy your public key
- Open your router admin page and go to Administration → System → Service. Ensure the router is properly configured for SSH access and simply paste your key in. Please note you can have multiple keys, each one on a separate line.
- Apply
Connecting to the router
To connect, simply use the command below. Touch the key when requested.
WARNING - macOS by default has an ssh-agent which automatically adds authenticated keys into its volatile cache. At the time of writing this, the ssh-agent is not able to use the ed25519-sk key saved in its cache on a second authentication attempt, hence the option.
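The three steps above (generate the key pair, prepare the lines for the router's SSH key field, connect) as one shell script. This is an added example, not code from the original post or from the Asuswrt-Merlin project: the key path ~/.ssh/ed25519_sk is the post's, while the router user "admin" and address 192.168.50.1 are placeholders to change for your own setup. It adds two checks the post only describes in words: that the private key really is mode 400, and that every line you are about to paste into the router is a well-formed sk-ssh-ed25519@openssh.com key (the type name embedded in the base64 blob must match the first field), so a plain ssh-rsa key cannot slip in by mistake. The sample key lines at the bottom are constructed for offline testing and are not real keys; the ssh-agent workaround the post refers to is not part of this script.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers for generating the
# ed25519-sk pair, checking its permissions, assembling the authorized_keys
# lines for the router, and connecting. ROUTER_USER and ROUTER_HOST are
# placeholders (assumptions); the key path is the one used in the post.
set -u

KEY_FILE="${HOME}/.ssh/ed25519_sk"
ROUTER_USER="admin"          # placeholder, change for your router
ROUTER_HOST="192.168.50.1"   # placeholder, change for your router

# Step 1: generate a FIDO-backed key pair. The Yubikey must be plugged in;
# ssh-keygen asks for a touch, then writes $key (the local half) and $key.pub.
gen_sk_key() {
    key="${1:-$KEY_FILE}"
    ssh-keygen -t ed25519-sk -f "$key" -C "asus-router-$(date +%Y%m%d)" \
        && chmod 400 "$key" "$key.pub"
}

# Return 0 if the file is mode 0400 (owner read-only), 1 otherwise.
# Parses ls output so it behaves the same on macOS and Linux.
check_key_perms() {
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "-r--------" ]
}

# Base64 of the SSH wire-format header that every sk-ssh-ed25519@openssh.com
# public key blob starts with: uint32 length 26, the type name, then the
# uint32 length 32 of the Ed25519 point. A blob that does not start with it
# is not a key of the type its first field claims.
SK_BLOB_PREFIX="AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAI"

# Return 0 if one authorized_keys line is a well-formed hardware-backed key:
# correct type field, base64 blob, embedded type name matching, optional comment.
is_sk_pubkey() {
    line="$1"
    case "$line" in
        "sk-ssh-ed25519@openssh.com "*) ;;
        *) return 1 ;;
    esac
    blob="${line#* }"        # drop the type field
    blob="${blob%% *}"       # drop the comment, if any
    printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$' || return 1
    case "$blob" in
        "$SK_BLOB_PREFIX"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 2: print the lines to paste into Administration -> System -> Service,
# one key per line, rejecting any file that is not a hardware-backed key.
# Returns 1 if anything was rejected, so a bad key never reaches the router.
build_authorized_keys() {
    rc=0
    for pub in "$@"; do
        line=$(head -n 1 "$pub")
        if is_sk_pubkey "$line"; then
            printf '%s\n' "$line"
        else
            printf 'rejected %s: not an sk-ssh-ed25519@openssh.com key\n' "$pub" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Step 3: connect, offering only this identity; touch the Yubikey when asked.
connect_router() {
    ssh -i "${1:-$KEY_FILE}" -o IdentitiesOnly=yes "${ROUTER_USER}@${ROUTER_HOST}"
}

# Constructed sample lines for exercising the checks offline. The sk key's
# 32-byte point is all zeros and its application string is "ssh:"; neither
# line is a real key.
SAMPLE_SK_PUB="sk-ssh-ed25519@openssh.com ${SK_BLOB_PREFIX}AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABHNzaDo= yubikey-usb-a"
SAMPLE_RSA_PUB="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC constructed-rsa"

# Typical use, after generating the key with gen_sk_key:
#   check_key_perms "$KEY_FILE" || chmod 400 "$KEY_FILE"
#   build_authorized_keys ~/.ssh/ed25519_sk.pub ~/.ssh/ed25519_sk_usbc.pub | pbcopy
#   connect_router
```

With several Yubikeys, run build_authorized_keys once with all of their .pub files and paste the whole output: the router accepts one key per line, and the function refuses to emit anything if even one file fails the check, so you either paste a complete, hardware-only set or nothing.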
Still to do …
- Test the connectivity on Linux and Windows.
- Check whether the Apple and Google app stores have SSH clients that support hardware-key-backed SSH keys, and test them.
- Find a solution for the macOS ssh-agent, if possible.