How I got Asuswrt device tracker working with SSH key files

The AsusWRT device tracker was working for me, but only using SSH with a password or Telnet (Telnet is no longer supported in recent router firmware). This is how I got it working using an SSH public/private key pair:

  1. Download & open PuttyGen.

  2. Generate a public/private key pair. Click menu Conversions > Export OpenSSH key. Save the (private) key file to the hassio /config/ssh folder (you’ll need to create the ssh subfolder yourself). Make sure it has no file extension. E.g. ssh_asus_private_key.

  3. In your Asus router control panel, navigate to Administration > System. Set these options:
     (screenshot: asus_ssh_settings)

  4. From PuttyGen, copy the generated Public Key and paste it in the field for SSH Authentication Key in Asus control panel. It should start with ‘ssh-rsa’ on the first line. Apply & reboot the router.

  5. Edit your configuration.yaml as described in the docs, e.g. like this:

     device_tracker:
       - platform: asuswrt
         host: <yourAsusRouterIPaddress>
         username: <yourAsusRouterUsername>
         ssh_key: /config/ssh/ssh_asus_private_key

  6. Using Putty, open an SSH connection to your Hassio. Execute this command:
     chmod 600 /config/ssh/ssh_asus_private_key

These steps are working with Hassio v0.65.5 and Asuswrt-Merlin 380.69.
Edit: just upgraded to Asuswrt-Merlin 384.4 and can confirm the asuswrt tracker is still functioning using SSH. Using both password & key pair.


May I ask why ssh_key is needed for device_tracker asuswrt? Because of 65.5?
I did not have the ssh_key in my device_tracker config, but it seems to work fine on HA 65.4 with the same Merlin version.


It is inherently insecure without an ssh key.

However, assuming there’s no attacker in your home network and if using ssh on the LAN only (also without GUI access from WAN) you’re fine without ssh key.

Good to know.
I have ssh key enabled for other purposes on my asuswrt, might as well lock it down also.
Thanks

When you are no longer using SSH password, you can of course disable ‘Allow SSH password login’ in your Asus router. For one less attack vector :slight_smile:


Just to confirm: the CHMOD (step 6) is necessary in order to get it working.

Thanks!


Thanks for your feedback. I’ll change it in the first post.

Hopefully I'll help others, in case one might not know. This kept me puzzling for a while, before I figured it out…
In case you generate the private key with putty-gen, export the key to OpenSSH format, and make sure to do step 6 as described.


So you mean follow the steps by the letter and you will succeed :smile:

:blush: yes. Somehow, I overlooked it and I got stuck for a while.

You, sir, are a gentleman and a scholar!!

Great thread, it has been my experience that most ssh keys used are not protected with a passphrase 8-(

I was wondering if the ssh key(s) being used are protected with a passphrase?

I would really like to employ keys, however a key deployed with an open passphrase simply creates an additional attack vector should the key be stolen.

I did not know that, so thanks for the info. I don’t think I used a pass phrase but I think you can easily enter a pass phrase in PuttyGen before exporting the OpenSSH key. Would that be sufficient?

Should you lock your key with a passphrase, then you will almost certainly want to leverage the putty agent (pageant) assuming you are using putty on a windows machine. To do this:
  1. Fire up the agent on your workstation.
  2. Add your private key into the agent.
  3. Enter your passphrase when prompted.

This will allow you to access any server where the public key has been deployed without having to enter the passphrase each time you login, as long as that instance of the putty agent is running on your workstation.

But in this case we are not using a Windows machine or a workstation. This SSH key is used for Home Assistant to connect to an Asus router. How would I use a pass phrase here? There is no mention of a pass phrase in the settings for Asuswrt in HA, nor is there any mention of a pass phrase in the Asus router settings ?

That was my original question.

If one uses a ssh key with HA it seems like it would almost have to be a key with an open passphrase unless HA has a facility to start an ssh-agent instance to load the private key. The vulnerability is should that private key be stolen or fall into the hands of a 3rd party then they could readily access any device where the public half of the key has been deployed.

Thanks for clarifying. Then a pass phrase probably isn’t an option right now. I think a key without a pass phrase does not mean an extra attack vector, as long as you use the key pair just for connecting Home Assistant and Asus. There seems to be room for improvement though.

Thanks for the tutorial.
Unfortunately I can’t seem to get it to work.
I created the private file and saved it at /home/homeassistant/.homeassistant/ssh/ssh_asus_private_key
I copied the public key to my router, saved and restarted.
And added my device_tracker entry to the configuration.yaml:

device_tracker:
  - platform: asuswrt
    host: 192.168.2.2
    username: haendler
    ssh_key: /home/homeassistant/.homeassistant/ssh/ssh_asus_private_key

and then executed the command: chmod 600 /home/homeassistant/.homeassistant/ssh/ssh_asus_private_key

Now when I start Home Assistant I get an error in the log:
Unexpected SSH error: password refused
10:55 AM components/device_tracker/asuswrt.py (ERROR)

I tried around with permissions for the file and moving the ssh folder to different directories but with no success.

With nmap I confirmed from my hassbian that ssh on my router is open on port 22.

Does anyone have an idea what I’m missing?

Strange. I googled a bit. Perhaps you can set the folder permissions (of the folder containing the ssh key file) to 700, as is suggested a few times.

Just to check: did you export the key as OpenSSH, not just save it from PuttyGen?

I think on my latest try I didn’t, I just saved it.
Just now tried it again with the export and now there’s only 1 error left:
Invalid config for [device_tracker.asuswrt]: file not readable for dictionary value @ data[‘ssh_key’]. Got ‘/home/homeassistant/.homeassistant/ssh/ssh_asus_private_key’

In another thread it was suggested to put the file into the /config/ folder so docker can see it. But I don't seem to have/find the config folder; where should that be?
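The two failure modes in this thread (a key saved in PuTTYgen's native format instead of being exported as OpenSSH, and a key file that is unreadable or wider than step 6's chmod 600) can be caught before Home Assistant is even restarted. The preflight check below is an added example of mine, not code from any poster or from Home Assistant; the sample files it writes are constructed stand-ins, not real keys.

```python
import os
import stat
import tempfile
from pathlib import Path

# Header lines that tell the two formats apart. PuTTYgen's "Save private key"
# writes its own .ppk format; "Conversions > Export OpenSSH key" writes a
# PEM-style file that the ssh client accepts.
PPK_MARKER = "PuTTY-User-Key-File-"
OPENSSH_MARKERS = ("-----BEGIN OPENSSH PRIVATE KEY-----",
                   "-----BEGIN RSA PRIVATE KEY-----")

def check_ssh_key(path: str) -> list:
    """Return a list of problems with a private key file; empty means OK."""
    p = Path(path)
    if not p.is_file():
        return [f"{path}: file does not exist"]
    if not os.access(path, os.R_OK):
        # Same condition that produces the 'file not readable' config error.
        return [f"{path}: not readable by the current user"]
    problems = []
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {mode:04o} is open to group/others; "
                        "run chmod 600 (step 6)")
    lines = p.read_text(errors="replace").splitlines()
    first = lines[0] if lines else ""
    if first.startswith(PPK_MARKER):
        problems.append(f"{path}: PuTTY .ppk format; use Conversions > "
                        "Export OpenSSH key in PuTTYgen instead")
    elif not first.startswith(OPENSSH_MARKERS):
        problems.append(f"{path}: no recognised private key header")
    return problems

def make_demo_dir() -> dict:
    """Write constructed sample key files (not real keys) into a temp dir."""
    d = Path(tempfile.mkdtemp())  # mkdtemp creates the directory with mode 0700
    samples = {
        "good": (OPENSSH_MARKERS[0] + "\nQUJDRA==\n", 0o600),
        "ppk": (PPK_MARKER + "2: ssh-rsa\nEncryption: none\n", 0o600),
        "loose": (OPENSSH_MARKERS[0] + "\nQUJDRA==\n", 0o644),
    }
    paths = {}
    for name, (body, mode) in samples.items():
        f = d / f"ssh_asus_{name}"
        f.write_text(body)
        f.chmod(mode)
        paths[name] = str(f)
    return paths
```

Run `check_ssh_key` as the same user Home Assistant runs as, since the readability result depends on who asks.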