Sshd accessible from WAN - need docu

First of all: I need ssh access from the WAN side on a port, e.g. 1234 (only, not on 22), with login by RSA key only. It would be nice not to sacrifice password login on port 22 from the LAN side.

But I have trouble with sshd - first of all, sshd_config is missing at /etc/ssh.
I have searched the forum, and yes, I have read that there might be one located at /tmp/etc/ssh - well, indeed it is.
I tried to copy the one from /tmp/etc/ssh to /etc/ssh, and I did add the lines ‘Port 22’ and ‘Port 1123’ to bind openssh to both ports. I restarted with ‘/etc/init.d/sshd restart’ and tried to log in from the LAN side - no success.

But I am less than happy about that. On the manual pages of OpenWRT I got plenty of documentation on how to do my job with dropbear. But CZ.NIC decided to use openssh rather than dropbear. That is OK for me - but (this router is no cheapo in the end) I want to have documentation at least for those aspects where CZ.NIC did not follow the OpenWRT standard. And I feel that some basic documentation of the firewall is also essential - given the risk a misconfigured firewall does pose. And poor documentation will result in misconfiguration, right?! The man pages aren’t on the router either - I really tried to help myself first. I am also not very happy with the fact that /etc/init.d/sshd status does not give me an answer. So what is the recommended method to find out which services are up, and which aren’t?

A set of properly set config-files at least for the more common services would greatly help to get the thing up and running.

Thanks

  • peter

Either you sacrifice password logon on both sides, or use a second ssh daemon, imho.
The config is easily found if you know how:

root@kukuzi:~# ps w | grep sshd
 2433 root      2732 S    /usr/sbin/sshd -f /var/etc/ssh/sshd_config
10896 root      5332 S    sshd: root@pts/0
11805 root      1076 R    grep sshd

Et voilà.
rsa-key howto is already here in the forum,

Thank You!
Things are always a bit more difficult when being at the start of the learning curve.
I pondered overnight, and decided that I will disable the password login completely. Right now the box is still not exposed to the net - until I am convinced that I have a secure setup of the firewall with open ports for ssh and OpenVPN.
Best regards

  • peter
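
The check below is an added example, not code from the thread or from CZ.NIC: it takes the `-f` path from `ps w` output, as in the reply above, and then verifies that a config's global section enforces the key-only login the original poster settled on. The function names and the sample config are assumptions made for illustration, and `Match` blocks are deliberately not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread). Runs in POSIX sh / BusyBox ash.

# Read `ps w` output on stdin and print the path that follows "-f" on the
# listening sshd's command line (the trick shown in the reply above).
sshd_config_from_ps() {
    awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /\/sshd$/ && $(i + 1) == "-f") { print $(i + 2); exit }
    }'
}

# Audit the global section of an sshd_config (everything before the first
# Match block). sshd keeps the first value it reads for a keyword; Port may
# repeat. Prints "ports=<list> password=<v> pubkey=<v>" and returns 0 only
# when password logins are off and public-key logins are on.
audit_sshd_config() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
        { sub(/[ \t]*=[ \t]*/, " ")              # accept "Key=value" too
          key = tolower($1); val = tolower($2) }
        key == "match" { exit }                  # conditional blocks not audited
        key == "port"  { ports = (ports == "" ? val : ports "," val) }
        key == "passwordauthentication" && pw == "" { pw = val }
        key == "pubkeyauthentication"   && pk == "" { pk = val }
        END {
            if (ports == "") ports = "22"        # upstream OpenSSH defaults
            if (pw == "") pw = "yes"
            if (pk == "") pk = "yes"
            printf "ports=%s password=%s pubkey=%s\n", ports, pw, pk
            exit !(pw == "no" && pk == "yes")
        }
    ' "$1"
}

# Constructed sample input: the listener line from the thread and a small
# key-only config using the WAN port from the question.
ps_sample=' 2433 root      2732 S    /usr/sbin/sshd -f /var/etc/ssh/sshd_config'
demo_cfg=$(mktemp)
printf '%s\n' 'Port 1234' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' > "$demo_cfg"
printf '%s\n' "$ps_sample" | sshd_config_from_ps
audit_sshd_config "$demo_cfg" && echo "key-only login enforced"
rm -f "$demo_cfg"
```

On the router itself, running `sshd -T -f <path>` as root prints the effective configuration, including defaults, and is the authoritative check before the port is opened on the WAN side.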