This tutorial will walk you through the steps needed to get root SSH access on an Engenius EAP600 dual-band WiFi access point. SSH doesn't come enabled out of the box on these things, so if you want to SSH into the device (which is running an old version of OpenWRT), keep reading.
This document assumes the following:

- You are familiar with SSH `publickey` authentication (`authorized_keys`, etc.).
- You are familiar with the unix command line.
- You have the admin credentials for the EAP600 in question.
- You have firmware version 1.6.37 installed on the EAP600. This procedure may work on earlier or later versions, but you may run into trouble.
First, log into the web interface on the EAP600. Then click on the "CLI Settings" link from the "Management" section of the left-hand navigation bar. Click on the radio button for "On" and then press the "Save/Apply" button. If it is already "On", skip this step.
Telnet into the device and login with your web credentials. After you do this successfully, you will see a menu and an `eap600>` prompt:

```
*** Hi admin, welcome to use cli(V-1.8.10) ***
---========= Commands Help =========---
stat -- Status
sys -- System
wless2 -- 2.4G-Wireless
wless5 -- 5G-Wireless
mgmt -- Management
tree -- Tree
help -- Help
reboot -- Reboot
logout -- Logout
eap600>
```
Instead of typing in any of the commands from the menu, type in the magic command `1d68d24ea0d9bb6e19949676058f1b93` and press enter. You should then be at a root shell:

```
eap600>1d68d24ea0d9bb6e19949676058f1b93
BusyBox v1.19.4 (2015-10-01 07:56:17 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
KAMIKAZE (bleeding edge, r20146) ------------------
* 10 oz Vodka Shake well with ice and strain
* 10 oz Triple sec mixture into 10 shot glasses.
* 10 oz lime juice Salute!
---------------------------------------------------
root@EAP600:/#
```
Before we can enable dropbear (the SSH server that is included in the EAP600 firmware), we need to generate our host keys. You can do that by copying and pasting the following lines into the root shell and pressing enter:

```sh
[ -s /etc/dropbear/dropbear_rsa_host_key ] || \
{ rm -f /etc/dropbear/dropbear_rsa_host_key ; \
dropbearkey -t rsa -s 2048 -f /etc/dropbear/dropbear_rsa_host_key ; } ; \
[ -s /etc/dropbear/dropbear_dss_host_key ] || \
{ rm -f /etc/dropbear/dropbear_dss_host_key ; \
dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key ; }
```
Dropbear expects the `authorized_keys` file to be in `/etc/dropbear/authorized_keys`. You can either edit this file with `vi` or you can do the following steps:

- Type in the command `cat > /etc/dropbear/authorized_keys <<EOF`
- Copy the contents of your `id_rsa.pub` or `authorized_keys` file to your clipboard.
- Paste the contents of your clipboard into the terminal.
- Press enter, type `EOF`, and press enter again. At this point you should be back at the root shell prompt.
Then you should make sure that the permissions are set properly on everything in `/etc/dropbear` with the following command line:

```sh
chmod 600 /etc/dropbear/* ; chmod 700 /etc/dropbear
```
Enabling the dropbear service, so that it will start automatically after every boot, and starting it right now, is as easy as typing in the following two commands:

```sh
/etc/init.d/dropbear enable
/etc/init.d/dropbear start
```
At this point we should reboot so that we can verify that everything is working as expected. This can take a minute or two. Just start pinging the device until it starts responding, then wait another minute or two for dropbear to get started. To reboot, just type `reboot` into the command line and press enter.

After waiting a while, you should be able to ssh into your EAP-600 as `root`:

```sh
ssh root@<WAP-IP-ADDRESS>
```

You should now be greeted with a root prompt. w00t!
Now that you've got SSH up and running, let's take a few moments to make sure that we lock down the security of the device.

It turns out that the EAP-600 runs a really old version of OpenWRT. Because of that, we can use the `uci` command to turn off password authentication for dropbear:

```sh
uci set dropbear.@dropbear[0].PasswordAuth=off
uci commit
/etc/init.d/dropbear restart
```
After doing this, it is a good idea to verify that it is indeed working as expected. We can do this pretty easily by trying to log into the device using the `admin` account, which by default has the password `1234`.

To check that password authentication is indeed disabled, you simply log out of the root shell and then try logging back into the device as the user `admin`:

```sh
ssh -o "PubkeyAuthentication no" admin@<WAP-IP-ADDRESS>
```

You shouldn't even get a password prompt; it should just say `Permission denied (publickey).`

If you do get a password prompt, type in `1234` and press enter. If it successfully logs you in as the user `admin`, then something has gone horribly wrong.
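The manual check above can be scripted so it doesn't depend on a human watching for a prompt. The following helper is an added example (not from the original tutorial) that reads the verbose output of the OpenSSH client and reports whether the server still offers password authentication. It assumes the OpenSSH client's `debug1: Authentications that can continue: ...` line (printed with `-v`) and, as a fallback, the `Permission denied (...)` line the tutorial already mentions; the sample output in the comments is constructed.

```sh
#!/bin/sh
# Usage on the workstation (BatchMode stops the client from ever prompting):
#   ssh -v -o BatchMode=yes -o PubkeyAuthentication=no admin@<WAP-IP-ADDRESS> 2>&1 \
#       | check_password_auth_disabled
# Exit status: 0 = password auth not offered (good), 1 = still offered,
#              2 = no auth-method information found in the output.
check_password_auth_disabled() {
    out=$(cat)

    # Preferred source: the client's debug1 line listing the server's methods,
    # e.g. "debug1: Authentications that can continue: publickey" (constructed).
    methods=$(printf '%s\n' "$out" \
        | sed -n 's/^debug1: Authentications that can continue: //p' | head -n 1)

    # Fallback: the final "Permission denied (publickey)." line.
    if [ -z "$methods" ]; then
        methods=$(printf '%s\n' "$out" \
            | sed -n 's/.*Permission denied (\([^)]*\)).*/\1/p' | head -n 1)
    fi

    [ -n "$methods" ] || { echo "no auth-method information found"; return 2; }

    # Both "password" and "keyboard-interactive" let a user type a password.
    case ",$methods," in
        *,password,*|*,keyboard-interactive,*)
            echo "FAIL: server still offers: $methods"
            return 1 ;;
    esac
    echo "ok: password auth disabled (server offers: $methods)"
    return 0
}
```

If the function reports a failure after the `uci` change, the usual cause is that dropbear was not restarted, so the running daemon still has the old setting.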
The SSID-VLAN isolation feature of the EAP-600 has a really bad bug: it doesn't turn off IPv6 (or even SLAAC!) on the individual bridge interfaces. This makes it impossible to prevent users from gaining access to the management web interface using the IPv6 link-local address of the access point.

The easiest, safest, and least fragile way to fix this quickly is simply to disable IPv6 entirely. This kinda sucks, but in practice it is not really that big of a deal: IPv6 still works for hosts, you just have to use IPv4 to access the configuration page or to SSH into the access point if you need to reconfigure it.

To disable IPv6, we once again use the `uci` command, followed by a reboot:

```sh
uci set system.system.ipv6=0
uci commit
reboot
```
Wait for the AP to come back online and then proceed below to disabling telnet.

Now that we've got our `dropbear` daemon set up and tested, we can turn off `telnet` since we won't be needing it anymore.

```sh
/etc/init.d/telnet stop
/etc/init.d/telnet disable
```
For some reason, the software on the EAP-600 always runs `dnsmasq`. This is entirely inappropriate for a wireless access point, which should be just a bridge. You can easily disable it by typing in the following commands:

```sh
/etc/init.d/dnsmasq stop
/etc/init.d/dnsmasq disable
```
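Since the hardening steps in this tutorial (host keys and `authorized_keys` in place, 600/700 permissions, `PasswordAuth=off`, IPv6 disabled, dropbear enabled at boot, telnet and dnsmasq disabled) are spread over several commands, it is easy to miss one. The following audit script is an added example, not part of the original tutorial or of OpenWRT; it checks all of them in one pass. It assumes that `uci commit` writes its settings to `/etc/config/dropbear` and `/etc/config/system` as `option NAME 'VALUE'` lines and that `/etc/init.d/NAME enable` creates an `/etc/rc.d/S??NAME` symlink, which is how OpenWRT's init scripts behave; the page itself doesn't state either. Run it on the AP as root with no argument, or give it the path to a copied `/etc` tree to audit a backup offline.

```sh
#!/bin/sh
# Audit the EAP600 hardening from this tutorial. Usage:
#   audit_eap600            # on the live AP
#   audit_eap600 /path/root # against a copy whose /etc mirrors the AP's
# Prints one ok/FAIL line per check; exit status 0 only if everything passed.
audit_eap600() {
    root="${1:-}"          # empty prefix means the live filesystem
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    ok()   { echo "ok:   $1"; }

    d="$root/etc/dropbear"

    # 1. Host keys must exist and be non-empty, or dropbear won't start.
    for k in dropbear_rsa_host_key dropbear_dss_host_key; do
        [ -s "$d/$k" ] && ok "$k present" || fail "$k missing or empty"
    done

    # 2. Without authorized_keys there is no way in once passwords are off.
    [ -s "$d/authorized_keys" ] && ok "authorized_keys present" \
        || fail "authorized_keys missing or empty"

    # 3. Permissions: directory 700, every file inside 600.
    if [ -d "$d" ]; then
        [ -z "$(find "$d" -maxdepth 0 ! -perm 700)" ] && ok "/etc/dropbear is 700" \
            || fail "/etc/dropbear is not mode 700"
        bad=$(find "$d" -maxdepth 1 -type f ! -perm 600)
        [ -z "$bad" ] && ok "dropbear files are 600" || fail "not mode 600: $bad"
    else
        fail "/etc/dropbear does not exist"
    fi

    # 4. uci settings as written by "uci commit" (assumed file layout).
    grep -Eq "option PasswordAuth ['\"]?off['\"]?" "$root/etc/config/dropbear" 2>/dev/null \
        && ok "dropbear PasswordAuth=off" || fail "dropbear still accepts passwords"
    grep -Eq "option ipv6 ['\"]?0['\"]?" "$root/etc/config/system" 2>/dev/null \
        && ok "ipv6 disabled" || fail "ipv6 not disabled"

    # 5. Boot-time services: an S??NAME symlink in /etc/rc.d means enabled.
    enabled() {
        for f in "$root/etc/rc.d"/S??"$1"; do
            [ -L "$f" ] && return 0
        done
        return 1
    }
    enabled dropbear && ok "dropbear enabled at boot" || fail "dropbear not enabled at boot"
    for s in telnet dnsmasq; do
        enabled "$s" && fail "$s still enabled at boot" || ok "$s disabled at boot"
    done

    echo "$fails finding(s)"
    [ "$fails" -eq 0 ]
}
```

A non-zero exit status tells you which step to redo; rerunning the script after each fix makes the whole procedure idempotent and easy to repeat on a second access point.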