Enabling SSH on Engenius EAP600
===============================

This tutorial will walk you through the steps needed to get `root` SSH
access on an [Engenius EAP600](http://www.engeniustech.com/products/indoor-access-points-client-bridges/ceiling-wall-mount/eap600-new.html)
dual-band WiFi access point. SSH doesn't come enabled out of the box on
these things, so if you want to SSH into the device (which is running an
old version of OpenWRT), keep reading.

This document assumes the following:

 *  You are familiar with SSH `publickey` authentication
    (`authorized_keys`, etc.)
 *  You are familiar with the unix command line.
 *  You have the admin credentials for the EAP600 in question.
 *  You have firmware version 1.6.37 installed on the EAP600. This
    procedure may work on earlier or later versions, but you may run
    into trouble.

### 1. Enable CLI ###

First, log into the web interface on the EAP600. Then click on the
"CLI Settings" link from the "Management" section of the left-hand
navigation bar. Click on the radio button for "On" and then press the
"Save/Apply" button. If it is already "On", skip this step.

### 2. Log in via telnet ###

Telnet into the device and login with your web credentials. After you
do this successfully, you will see a menu and a `eap600>` prompt.

### 3. Type in the magic command ###

Instead of typing in any of the commands from the menu, type in the
magic command `1d68d24ea0d9bb6e19949676058f1b93` and press enter. You
should then be at a root shell!

### 4. Generate root keys ###

Before we can enable dropbear (the SSH server that is included in
the EAP600 firmware), we need to generate our host keys. You can
do that by copying and pasting the following lines into the root
shell and pressing enter:

    [ -s /etc/dropbear/dropbear_rsa_host_key ] || \
        { rm -f /etc/dropbear/dropbear_rsa_host_key ; \
        dropbearkey -t rsa -s 2048 -f /etc/dropbear/dropbear_rsa_host_key } ; \
    [ -s /etc/dropbear/dropbear_dss_host_key ] || \
        { rm -f /etc/dropbear/dropbear_dss_host_key ; \
        dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key }

### 5. Copy over your ssh `authorized_keys` ###

Dropbear expects the `authorized_keys` file to be in
`/etc/dropbear/authorized_keys`. You can either edit this file with
`vi` or you can do the following steps:

1.  Copy the contents of your `id_rsa.pub` or `authorized_keys` file
    to your clipboard.
2.  Type in the command `cat > /etc/dropbear/authorized_keys <<EOF`
3.  Paste the contents of your clipboard into the terminal.
4.  Press enter, type `EOF`, and press enter again. At this point you
    should be back at the root shell prompt.

Then you should make sure that the permissions are set properly on
everything in `/etc/dropbear` with the following command line:

    chmod 600 /etc/dropbear/* ; chmod 700 /etc/dropbear

### 6. Enable dropbear ###

Enabling the dropbear service, so that it will start automatically
after every boot, is as easy as typing in the following command:

    /etc/init.d/dropbear enable

### 7. Reboot ###

At this point we should reboot so that we can verify that everything
is working as expected. This can take a minute or two. Just start
pinging the device until it starts responding, then wait another
minute or two for dropbear to get started.

### 8. Log in with ssh ###

After waiting a while, you should be able to ssh into your EAP-600 as
`root`:

    ssh root@<WAP-IP-ADDRESS>

You should now be greeted with a root prompt. w00t!

### 8. Security hardening ###

Now that you've got SSH up and running, lets take a few moments to
make sure that we lock down the security of the device.

#### Disable dropbear password authentication ####

It turns out that the EAP-600 runs a really old version of OpenWRT.
Because of that, we can use the `uci` command to turn off password
authentication for dropbear:

    uci set dropbear.@dropbear[0].PasswordAuth=off
    uci commit

After doing this, it is a good idea to verify that it is indeed
working as expected. We can do this pretty easily by trying to log
into the device using the `admin` account---which by default has the
password `1234`.

To check that password authentication is indeed disabled, you simply
log out of the root shell and then try to logging back into the device
as the user `admin`:

    ssh admin@<WAP-IP-ADDRESS>

For the password, type in `1234` and press enter. If it successfully
logs you in as the user `admin`, then something has gone horribly
wrong.

#### Disable IPv6 (!?!) ####

The SSID-VLAN isolation feature of the EAP-600 has a really bad bug:
it doesn't turn off IPv6 (or even
[SLAAC](https://tools.ietf.org/html/rfc4862)!) on the individual
bridge interfaces. This makes it impossible to prevent users from
gaining access to the management web interface using the IPv6
link-local address of the access point.

The easiest, safest, and least fragile way to fix this quickly is
simply to disable IPv6 entirely. This kinda sucks, but in practice it
is not really that big of a deal---IPv6 still works for hosts, you
just have to use IPv4 to access the configuration page or to SSH into
the access point if you need to reconfigure it.

To disable IPv6, we once again use the `uci` command, followed by a
reboot:

    uci set system.system.ipv6=0
    uci commit
    reboot

Wait for the AP to come back online and then proceed below to
disabling telnet.

#### Disable `telnet` ####

Now that we've got our `dropbear` daemon set up and tested, we can
turn off `telnet` since we won't be needing it anymore.

    /etc/init.d/telnet stop
    /etc/init.d/telnet disable

#### Disable `dnsmasq` ####

For some reason, the software on the EAP-600 always runs `dnsmasq`.
This is entirely inappropriate for a wireless access point, which
should be just a bridge. You can easily disable it by typing in the
following commands:

    /etc/init.d/dnsmasq stop
    /etc/init.d/dnsmasq disable