SSH RSA Key Authentication

SSH key authentication replaces password-based login with a cryptographic key pair: a private key held by the engineer and a public key registered on the router. It is considerably more secure than passwords. There is no secret to guess, so online password brute-force against the router stops being an attack path, and each engineer's key can be revoked individually. This article covers generating a key pair, adding the public key to the router, disabling password authentication, and securing SSH access when the router is reachable over a public IP.


Navigation

System > Certificates > SSH


How it works

When you connect, the router sends your SSH client a challenge to prove possession of the private key. Your client signs the challenge with the private key and the router verifies the signature against the stored public key. The private key never leaves your machine, and, unlike a password, nothing sent over the wire can be replayed. If a public key is removed from the router, new connections with that key pair are refused immediately; sessions that are already open are not cut off, so close them after revoking a key.


Step 1 — Generate a key pair

Generate the key pair on your workstation, not on the router. The private key must remain on the machine you will connect from.

Linux and macOS

Open a terminal and run:

ssh-keygen -t ed25519 -C "your-name@hostname"

When prompted:

  • File location — press Enter to accept the default (~/.ssh/id_ed25519), or enter a custom path if you manage multiple keys
  • Passphrase — strongly recommended. The passphrase encrypts the private key file on disk; if the file is ever stolen it cannot be used without first recovering the passphrase, so choose a long one (a short passphrase can be guessed offline against the stolen file)

This produces two files:

File                     Description
~/.ssh/id_ed25519        Private key. Never share this file.
~/.ssh/id_ed25519.pub    Public key. This is what you paste into the router.

If you need compatibility with older systems that do not support Ed25519, use RSA instead:

ssh-keygen -t rsa -b 4096 -C "your-name@hostname"

Windows

Windows 10 and 11 (OpenSSH — recommended): Open PowerShell or Windows Terminal and run the same command as Linux:

ssh-keygen -t ed25519 -C "your-name@hostname"

Keys are saved to C:\Users\YourName\.ssh\. Connect with the built-in ssh command in PowerShell or Windows Terminal.

PuTTY users:

  1. Open PuTTYgen
  2. Under Type of key to generate select EdDSA (Ed25519), or RSA with the number of bits set to 4096, then click Generate and move the mouse over the blank area until the key is produced
  3. Add a passphrase in the Key passphrase fields
  4. Copy the public key text from the "Public key for pasting into OpenSSH authorized_keys" box at the top of PuTTYgen — this is what you paste into the router
  5. Click Save private key to save the .ppk file

Note: Do not use the PuTTYgen "Save public key" button for the router. It writes the multi-line RFC 4716 (SSH2) format, beginning with "---- BEGIN SSH2 PUBLIC KEY ----", which the router's SSH-Keys field does not accept. Always copy the single-line text from the box at the top of the PuTTYgen window.


Step 2 — Add the public key to the router

Navigate to System > Certificates > SSH.

The SSH page shows a Dropbear Instance panel with a Password authentication checkbox and an SSH-Keys textarea. The help text under the textarea reads: "Here you can paste public SSH-Keys (one per line) for SSH public-key authentication." A pasted key looks like this:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... your-name@hostname

  1. Open the public key file in a text editor:
    • Linux/macOS: cat ~/.ssh/id_ed25519.pub
    • Windows: open C:\Users\YourName\.ssh\id_ed25519.pub in Notepad
  2. Copy the entire contents: a single line beginning with ssh-ed25519 or ssh-rsa, followed by the base64 key and the comment. Make sure nothing has wrapped it onto a second line, and that you are copying the .pub file, never the private key
  3. Paste it into the SSH-Keys textarea on the router
  4. To add keys for multiple engineers, paste each public key on a separate line
  5. Click Save

Step 3 — Test the connection

Test key authentication before disabling password authentication. If the key does not work and password auth is already disabled, you will be locked out of SSH.

Linux, macOS, and Windows (OpenSSH):

ssh root@192.168.8.1

If the key pair is not in the default location, specify it explicitly:

ssh -i ~/.ssh/id_ed25519 root@192.168.8.1

You should be prompted for the key passphrase (if set) and then logged in without a password prompt. If you are asked for the router password instead, the key was not accepted: check that the complete one-line public key was pasted and saved, and fix this before going on to Step 4.

PuTTY:

  1. Open PuTTY and enter the router IP (192.168.8.1)
  2. Go to Connection > SSH > Auth > Credentials
  3. Browse to the .ppk private key file
  4. Open the connection — you should log in without a password prompt

Step 4 — Disable password authentication

Once key authentication is confirmed working, disable password login so that password guessing is no longer an attack path at all; from then on an attacker needs a copy of an authorised private key.

In System > Certificates > SSH, uncheck Password authentication in the Dropbear Instance panel and click Save.

Important: With password authentication disabled, the only way to recover SSH access if all keys are lost is via the router's WebUI at System > Custom Commands or by performing a factory reset. Store private key backups securely before disabling password auth.


Securing SSH access over WAN

SSH key authentication hardens who can log in, but it does not restrict which networks can reach port 22. If the router has a public IP, SSH is reachable from the whole internet. Two approaches follow, in order of preference.

Option 1 — Access via VPN (recommended)

The most secure approach is to never expose SSH on the public WAN at all. Connect to the router's network via a VPN tunnel (IPsec, OpenVPN, or ZeroTier) and SSH to the router's LAN IP (192.168.8.1) over the tunnel. Port 22 is unreachable from the internet.

Option 2 — Restrict port 22 to specific source IPs

If direct SSH over a public IP is unavoidable, create a traffic rule that restricts inbound connections on port 22 to known engineer IP addresses. This limits exposure to a defined list of sources even if those addresses are on the public internet.

Navigate to Network > Firewall > Traffic Rules and create the following rule:

Field               Value
Name                Allow-SSH-From-Office
Protocol            TCP
Source zone         wan
Source address      your fixed public IP, e.g. 203.0.113.10
Destination zone    Device (input)
Destination port    22
Action              accept

The router's default firewall drops unmatched WAN input traffic, so no separate block rule is needed; confirm in Network > Firewall that the wan zone's Input policy is reject or drop before relying on this. Repeat the rule for each permitted source IP if engineers connect from different locations.

Note: Source IP restriction only works reliably with fixed public IPs. Mobile broadband connections usually get a dynamic address that changes frequently, and often sit behind carrier-grade NAT, where the address the router sees is shared with other subscribers, so allowing it would allow them too. If engineers connect from dynamic addresses, a VPN is the only practical option.
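As an added example, not the router's own configuration and not from the original article, here is the traffic rule above rendered as the UCI stanza an OpenWrt-based firewall stores in /etc/config/firewall, with a pre-check that refuses source addresses which cannot be an engineer's fixed public IP: private, link-local, loopback, multicast and, relevant to the note on mobile broadband, the RFC 6598 carrier-grade NAT range 100.64.0.0/10. That the firewall uses OpenWrt's UCI format is an assumption inferred from the zone names and from Dropbear, not something the article states; the field mapping (src, src_ip, proto, dest_port, target, and no dest option for Device (input)) follows OpenWrt's documented firewall options.

```shell
#!/bin/sh
# Render the Allow-SSH-From-Office traffic rule as the UCI stanza kept in
# /etc/config/firewall on an OpenWrt-based router (assumption: the router's
# firewall is OpenWrt's). Omitting 'dest' makes the rule apply to traffic
# for the router itself, i.e. Destination zone "Device (input)".

# Exit 0 if the address is a plausible fixed public IPv4 source, 1 otherwise.
check_fixed_public_ipv4() {
    ip=$1
    reason=""
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*)
            echo "rejected: '$ip' is not a dotted-quad IPv4 address" >&2; return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    if [ $# -ne 4 ]; then
        echo "rejected: '$ip' does not have four octets" >&2; return 1
    fi
    for o in "$@"; do
        case "$o" in 0[0-9]*) echo "rejected: leading zero in '$ip'" >&2; return 1 ;; esac
        if [ "$o" -gt 255 ]; then
            echo "rejected: octet out of range in '$ip'" >&2; return 1
        fi
    done
    # Ranges that can never be a fixed public source, keyed on the first two octets.
    case "$1.$2" in
        10.*|172.1[6-9]|172.2[0-9]|172.3[01]|192.168)
            reason="RFC 1918 private address" ;;
        100.6[4-9]|100.[7-9][0-9]|100.1[01][0-9]|100.12[0-7])
            reason="RFC 6598 shared address (carrier-grade NAT, typical of mobile broadband)" ;;
        169.254) reason="link-local address" ;;
        127.*|0.*) reason="loopback or this-network address" ;;
        *) case "$1" in 22[4-9]|2[3-9][0-9]) reason="multicast or reserved address" ;; esac ;;
    esac
    if [ -n "$reason" ]; then
        echo "rejected: $ip is a $reason and cannot be an engineer's fixed public IP; use a VPN instead" >&2
        return 1
    fi
    return 0
}

# Print the UCI rule for one permitted source address; one stanza per engineer.
render_ssh_allow_rule() {
    name=$1; ip=$2
    case "$name" in
        ''|*[!A-Za-z0-9_-]*)
            echo "rejected: rule name must consist of [A-Za-z0-9_-]" >&2; return 1 ;;
    esac
    check_fixed_public_ipv4 "$ip" || return 1
    printf '%s\n' \
        "config rule" \
        "        option name '$name'" \
        "        option src 'wan'" \
        "        option src_ip '$ip'" \
        "        option proto 'tcp'" \
        "        option dest_port '22'" \
        "        option target 'ACCEPT'"
}

# Demonstration: the article's example address, then two that must be refused
# (a CGNAT address as seen from a phone, and a LAN address that is not public).
render_ssh_allow_rule Allow-SSH-From-Office 203.0.113.10
render_ssh_allow_rule Allow-SSH-From-Phone 100.64.23.7 || true
render_ssh_allow_rule Allow-SSH-From-LAN 192.168.8.50 || true
```

The stanza is equivalent to the GUI rule: appending it to /etc/config/firewall and reloading the firewall produces the same accept rule the Traffic Rules page creates. The address check is the part worth keeping even if you only use the GUI: an engineer who reads their "public IP" off a phone will often report a 100.64.0.0/10 address, and a rule for it is both useless and shared with strangers.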


Key storage and management

Use a passphrase
    A passphrase encrypts the private key file on disk. If the file is stolen or a laptop is lost, the key cannot be used without first recovering the passphrase.

One key pair per engineer
    Each engineer generates their own key pair. Individual access can then be revoked by removing a single public key from the router without affecting anyone else.

Back up private keys securely
    Store private key backups in a password manager or encrypted storage. Losing the only copy of a private key while password authentication is disabled means regaining SSH access through the WebUI (System > Custom Commands) or by a factory reset.

Never copy private keys between machines
    Generate a new key pair on each new workstation rather than transferring the private key file. Add the new public key to the router alongside the existing ones.

Revoking access
    To revoke a specific engineer's access, remove their public key line from the SSH-Keys textarea in System > Certificates > SSH and click Save. New connections with that key are refused immediately; close any session of theirs that is still open.

Rotate keys and remove stale ones
    Replace key pairs periodically, and when an engineer leaves or a device is decommissioned remove all associated public keys from every router they had access to. The comment at the end of each key line (the name@host given at generation time) is what tells you which line to delete, so keep it meaningful.