Enabling SSH on Engenius EAP600

engenius-eap600-enable-ssh.md

Enabling SSH on Engenius EAP600 (and maybe other models)

This tutorial will walk you through the steps needed to get root SSH access on an Engenius EAP600 dual-band WiFi access point. SSH doesn't come enabled out of the box on these things, so if you want to SSH into the device (which is running an old version of OpenWRT), keep reading.

NOTE: These instructions (or portions thereof) have been reported to work on other Engenius models, such as the EAP1200H, EAP1750H, ENS200, ENS202EXT, as well as some Senao wireless gear. This doesn't suprise me, but nonetheless I don't personally have the hardware to confirm.

This document assumes the following:

• You are familiar with SSH publickey authentication (authorized_keys, etc.)
• You are familiar with the unix command line.
• You have the admin credentials for the EAP600 in question.
• You have firmware version 1.6.37 installed on the EAP600. This procedure may work on earlier or later versions, but you may run into trouble.

1. Enable CLI

First, log into the web interface on the EAP600. Then click on the "CLI Settings" link from the "Management" section of the left-hand navigation bar. Click on the radio button for "On" and then press the "Save/Apply" button. If it is already "On", skip this step.

2. Log in via telnet

Telnet into the device and login with your web credentials. After you do this successfully, you will see a menu and a eap600> prompt:

*** Hi admin, welcome to use cli(V-1.8.10) ***
---========= Commands Help =========---
      stat -- Status
       sys -- System
    wless2 -- 2.4G-Wireless
    wless5 -- 5G-Wireless
      mgmt -- Management
      tree -- Tree
      help -- Help
    reboot -- Reboot
    logout -- Logout
eap600>

3. Type in the magic command

Instead of typing in any of the commands from the menu, type in the magic command 1d68d24ea0d9bb6e19949676058f1b93 and press enter. You should then be at a root shell:

eap600>1d68d24ea0d9bb6e19949676058f1b93


BusyBox v1.19.4 (2015-10-01 07:56:17 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (bleeding edge, r20146) ------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------
root@EAP600:/# 

4. Generate root keys

Before we can enable dropbear (the SSH server that is included in the EAP600 firmware), we need to generate our host keys. You can do that by copying and pasting the following lines into the root shell and pressing enter:

[ -s /etc/dropbear/dropbear_rsa_host_key ] || \
    { rm -f /etc/dropbear/dropbear_rsa_host_key ; \
    dropbearkey -t rsa -s 2048 -f /etc/dropbear/dropbear_rsa_host_key ; } ; \
[ -s /etc/dropbear/dropbear_dss_host_key ] || \
    { rm -f /etc/dropbear/dropbear_dss_host_key ; \
    dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key ; }

5. Copy over your ssh authorized_keys

Dropbear expects the authorized_keys file to be in /etc/dropbear/authorized_keys. You can either edit this file with vi or you can do the following steps:

1. Type in the command cat > /etc/dropbear/authorized_keys <<EOF
2. Copy the contents of your id_rsa.pub or authorized_keys file to your clipboard.
3. Paste the contents of your clipboard into the terminal.
4. Press enter, type EOF, and press enter again. At this point you should be back at the root shell prompt.

Then you should make sure that the permissions are set properly on everything in /etc/dropbear with the following command line:

chmod 600 /etc/dropbear/* ; chmod 700 /etc/dropbear

6. Enable dropbear

Enabling the dropbear service, so that it will start automatically after every boot, is as easy as typing in the following command:

/etc/init.d/dropbear enable
/etc/init.d/dropbear start

7. Reboot

At this point we should reboot so that we can verify that everything is working as expected. This can take a minute or two. Just start pinging the device until it starts responding, then wait another minute or two for dropbear to get started. To reboot, just type reboot into the command line and press enter.

8. Log in with ssh

After waiting a while, you should be able to ssh into your EAP-600 as root:

ssh root@<WAP-IP-ADDRESS>

You should now be greeted with a root prompt. w00t!

9. Security hardening

Now that you've got SSH up and running, lets take a few moments to make sure that we lock down the security of the device.

Disable dropbear password authentication

It turns out that the EAP-600 runs a really old version of OpenWRT. Because of that, we can use the uci command to turn off password authentication for dropbear:

uci set dropbear.@dropbear[0].PasswordAuth=off
uci commit
/etc/init.d/dropbear restart

After doing this, it is a good idea to verify that it is indeed working as expected. We can do this pretty easily by trying to log into the device using the admin account---which by default has the password 1234.

To check that password authentication is indeed disabled, you simply log out of the root shell and then try to logging back into the device as the user admin:

ssh -o "PubkeyAuthentication no" admin@<WAP-IP-ADDRESS>

You shouldn't even get a password prompt, it should just say Permission denied (publickey).. If you do get a password prompt, type in 1234 and press enter. If it successfully logs you in as the user admin, then something has gone horribly wrong.

Disable IPv6 (!?!)

The SSID-VLAN isolation feature of the EAP-600 has a really bad bug: it doesn't turn off IPv6 (or even SLAAC!) on the individual bridge interfaces. This makes it impossible to prevent users from gaining access to the management web interface using the IPv6 link-local address of the access point.

The easiest, safest, and least fragile way to fix this quickly is simply to disable IPv6 entirely. This kinda sucks, but in practice it is not really that big of a deal---IPv6 still works for hosts, you just have to use IPv4 to access the configuration page or to SSH into the access point if you need to reconfigure it.

To disable IPv6, we once again use the uci command, followed by a reboot:

uci set system.system.ipv6=0
uci commit
reboot

Wait for the AP to come back online and then proceed below to disabling telnet.

Disable telnet

Now that we've got our dropbear daemon set up and tested, we can turn off telnet since we won't be needing it anymore.

/etc/init.d/telnet stop
/etc/init.d/telnet disable

Disable dnsmasq

For some reason, the software on the EAP-600 always runs dnsmasq. This is entirely inappropriate for a wireless access point, which should be just a bridge. You can easily disable it by typing in the following commands:

/etc/init.d/dnsmasq stop
/etc/init.d/dnsmasq disable

z_EAP600-1200x792-74-1414194680.png

Alas, no success on EAP1750H

EAP1750H is currently supported in openwrt master (snapshot images) and will be available in the next stable release

if you really really want to access the shell you can do so with UART. there may be a resistor shorting RX to ground. (see commit message for adding that model)

Sorry, didn't read the one up there:

On an EnStation5AC, firmware v3.0.2_c1.8.53, the magic command drops into an unidentified prompt (the prompt is simply >). No commands are recognized other than exit and quit, which both terminate the telnet session.
Lots of good stuff, but to achieve a root shell, type login at the unidentified prompt.

This one also works for EAP1750H.

Very disappointing: No new recipes. Boring chaps over there.