darconeous · March 24, 2023 20:02 · Sep 26, 2017 · Sep 26, 2017 · Dec 1, 2016 · Dec 1, 2016
diff --git a/engenius-eap600-enable-ssh.md b/engenius-eap600-enable-ssh.md
@@ -12,9 +12,9 @@ device (which is running an old version of OpenWRT), keep reading.
 
 **NOTE:** These instructions (or portions thereof) have been reported
 to work on other Engenius models, such as the
-[EAP1200H][#gistcomment-2125302], [EAP1750H][#gistcomment-2091534],
-[ENS200][#gistcomment-2063334], [ENS202EXT][#gistcomment-2063334], as
-well as some [Senao wireless gear][#gistcomment-2091534]. This doesn't
+[EAP1200H](#gistcomment-2125302), [EAP1750H](#gistcomment-2091534),
+[ENS200](#gistcomment-2063334), [ENS202EXT](#gistcomment-2063334), as
+well as some [Senao wireless gear](#gistcomment-2091534). This doesn't
 suprise me, but nonetheless I don't personally have the hardware to
 confirm.
 

diff --git a/engenius-eap600-enable-ssh.md b/engenius-eap600-enable-ssh.md
@@ -1,5 +1,7 @@
-Enabling SSH on Engenius EAP600
-===============================
+Enabling SSH on Engenius EAP600 (and maybe other models)
+========================================================
+
+[1]: http://www.engeniustech.com/products/indoor-access-points-client-bridges/ceiling-wall-mount/eap600-new.html
 
 This tutorial will walk you through the steps needed to get `root` SSH
 access on an [Engenius EAP600][1] dual-band WiFi access point. SSH doesn't
@@ -8,6 +10,14 @@ device (which is running an old version of OpenWRT), keep reading.
 
 ![Picture of EAP600](https://gist.github.com/darconeous/b24cdaa853a8f35162f2f8e3a3050149/raw/z_EAP600-1200x792-74-1414194680.png)
 
+**NOTE:** These instructions (or portions thereof) have been reported
+to work on other Engenius models, such as the
+[EAP1200H][#gistcomment-2125302], [EAP1750H][#gistcomment-2091534],
+[ENS200][#gistcomment-2063334], [ENS202EXT][#gistcomment-2063334], as
+well as some [Senao wireless gear][#gistcomment-2091534]. This doesn't
+suprise me, but nonetheless I don't personally have the hardware to
+confirm.
+
 This document assumes the following:
 
  *  You are familiar with SSH `publickey` authentication
@@ -18,8 +28,6 @@ This document assumes the following:
     procedure may work on earlier or later versions, but you may run
     into trouble.
 
-[1]: http://www.engeniustech.com/products/indoor-access-points-client-bridges/ceiling-wall-mount/eap600-new.html
-
 ### 1. Enable CLI ###
 
 First, log into the web interface on the EAP600. Then click on the

diff --git a/engenius-eap600-enable-ssh.md b/engenius-eap600-enable-ssh.md
@@ -6,7 +6,7 @@ access on an [Engenius EAP600][1] dual-band WiFi access point. SSH doesn't
 come enabled out of the box on these things, so if you want to SSH into the
 device (which is running an old version of OpenWRT), keep reading.
 
-![Picture of EAP600](http://www.engeniustech.com/media/reviews/photos/thumbnail/400x300s/af/ae/5b/EAP600-1200x792-74-1414194680.png)
+![Picture of EAP600](https://gist.githubusercontent.com/darconeous/b24cdaa853a8f35162f2f8e3a3050149/raw/z_EAP600-1200x792-74-1414194680.png)
 
 This document assumes the following:
 

diff --git a/z_EAP600-1200x792-74-1414194680.png b/z_EAP600-1200x792-74-1414194680.png
diff --git a/engenius-eap600-enable-ssh.md b/engenius-eap600-enable-ssh.md
@@ -6,7 +6,7 @@ access on an [Engenius EAP600][1] dual-band WiFi access point. SSH doesn't
 come enabled out of the box on these things, so if you want to SSH into the
 device (which is running an old version of OpenWRT), keep reading.
 
-![Picture of EAP600][http://www.engeniustech.com/media/reviews/photos/thumbnail/400x300s/af/ae/5b/EAP600-1200x792-74-1414194680.png]
+![Picture of EAP600](http://www.engeniustech.com/media/reviews/photos/thumbnail/400x300s/af/ae/5b/EAP600-1200x792-74-1414194680.png)
 
 This document assumes the following:
 

diff --git a/engenius-eap600-enable-ssh.md b/engenius-eap600-enable-ssh.md
@@ -6,7 +6,7 @@ access on an [Engenius EAP600][1] dual-band WiFi access point. SSH doesn't
 come enabled out of the box on these things, so if you want to SSH into the
 device (which is running an old version of OpenWRT), keep reading.
 
-![Picture of EAP600][2]
+![Picture of EAP600][http://www.engeniustech.com/media/reviews/photos/thumbnail/400x300s/af/ae/5b/EAP600-1200x792-74-1414194680.png]
 
 This document assumes the following:
 
@@ -19,7 +19,6 @@ This document assumes the following:
     into trouble.
 
 [1]: http://www.engeniustech.com/products/indoor-access-points-client-bridges/ceiling-wall-mount/eap600-new.html
-[2]: http://www.engeniustech.com/media/reviews/photos/thumbnail/400x300s/af/ae/5b/EAP600-1200x792-74-1414194680.png
 
 ### 1. Enable CLI ###
 

diff --git a/engenius-eap600-enable-ssh.md b/engenius-eap600-enable-ssh.md
@@ -2,12 +2,11 @@ Enabling SSH on Engenius EAP600
 ===============================
 
 This tutorial will walk you through the steps needed to get `root` SSH
-access on an [Engenius EAP600](http://www.engeniustech.com/products/indoor-access-points-client-bridges/ceiling-wall-mount/eap600-new.html)
-dual-band WiFi access point. SSH doesn't come enabled out of the box on
-these things, so if you want to SSH into the device (which is running an
-old version of OpenWRT), keep reading.
+access on an [Engenius EAP600][1] dual-band WiFi access point. SSH doesn't
+come enabled out of the box on these things, so if you want to SSH into the
+device (which is running an old version of OpenWRT), keep reading.
 
-![Picture of EAP600](http://www.engeniustech.com/media/reviews/photos/thumbnail/400x300s/af/ae/5b/EAP600-1200x792-74-1414194680.png)
+![Picture of EAP600][2]
 
 This document assumes the following:
 
@@ -19,6 +18,9 @@ This document assumes the following:
     procedure may work on earlier or later versions, but you may run
     into trouble.
 
+[1]: http://www.engeniustech.com/products/indoor-access-points-client-bridges/ceiling-wall-mount/eap600-new.html
+[2]: http://www.engeniustech.com/media/reviews/photos/thumbnail/400x300s/af/ae/5b/EAP600-1200x792-74-1414194680.png
+
 ### 1. Enable CLI ###
 
 First, log into the web interface on the EAP600. Then click on the
@@ -160,12 +162,11 @@ wrong.
 
 #### Disable IPv6 (!?!) ####
 
-The SSID-VLAN isolation feature of the EAP-600 has a really bad bug:
-it doesn't turn off IPv6 (or even
-[SLAAC](https://tools.ietf.org/html/rfc4862)!) on the individual
-bridge interfaces. This makes it impossible to prevent users from
-gaining access to the management web interface using the IPv6
-link-local address of the access point.
+The SSID-VLAN isolation feature of the EAP-600 has a really bad bug: it
+doesn't turn off IPv6 (or even [SLAAC][3]!) on the individual bridge
+interfaces. This makes it impossible to prevent users from gaining access
+to the management web interface using the IPv6 link-local address of the
+access point.
 
 The easiest, safest, and least fragile way to fix this quickly is
 simply to disable IPv6 entirely. This kinda sucks, but in practice it
@@ -183,6 +184,8 @@ reboot:
 Wait for the AP to come back online and then proceed below to
 disabling telnet.
 
+[3]: https://tools.ietf.org/html/rfc4862
+
 #### Disable `telnet` ####
 
 Now that we've got our `dropbear` daemon set up and tested, we can

diff --git a/engenius-eap600-enable-ssh.md b/engenius-eap600-enable-ssh.md
@@ -127,7 +127,7 @@ After waiting a while, you should be able to ssh into your EAP-600 as
 
 You should now be greeted with a root prompt. w00t!
 
-### 8. Security hardening ###
+### 9. Security hardening ###
 
 Now that you've got SSH up and running, lets take a few moments to
 make sure that we lock down the security of the device.

diff --git a/engenius-eap600-enable-ssh.md b/engenius-eap600-enable-ssh.md
@@ -108,6 +108,7 @@ Enabling the dropbear service, so that it will start automatically
 after every boot, is as easy as typing in the following command:
 
     /etc/init.d/dropbear enable
+    /etc/init.d/dropbear start
 
 ### 7. Reboot ###
 

diff --git a/engenius-eap600-enable-ssh.md b/engenius-eap600-enable-ssh.md
@@ -90,9 +90,9 @@ Dropbear expects the `authorized_keys` file to be in
 `/etc/dropbear/authorized_keys`. You can either edit this file with
 `vi` or you can do the following steps:
 
-1.  Copy the contents of your `id_rsa.pub` or `authorized_keys` file
+1.  Type in the command `cat > /etc/dropbear/authorized_keys <<EOF`
+2.  Copy the contents of your `id_rsa.pub` or `authorized_keys` file
     to your clipboard.
-2.  Type in the command `cat > /etc/dropbear/authorized_keys <<EOF`
 3.  Paste the contents of your clipboard into the terminal.
 4.  Press enter, type `EOF`, and press enter again. At this point you
     should be back at the root shell prompt.

diff --git a/engenius-eap600-enable-ssh.md b/engenius-eap600-enable-ssh.md
@@ -29,13 +29,46 @@ navigation bar. Click on the radio button for "On" and then press the
 ### 2. Log in via telnet ###
 
 Telnet into the device and login with your web credentials. After you
-do this successfully, you will see a menu and a `eap600>` prompt.
+do this successfully, you will see a menu and a `eap600>` prompt:
+
+	*** Hi admin, welcome to use cli(V-1.8.10) ***
+	---========= Commands Help =========---
+	      stat -- Status
+	       sys -- System
+	    wless2 -- 2.4G-Wireless
+	    wless5 -- 5G-Wireless
+	      mgmt -- Management
+	      tree -- Tree
+	      help -- Help
+	    reboot -- Reboot
+	    logout -- Logout
+	eap600>
 
 ### 3. Type in the magic command ###
 
 Instead of typing in any of the commands from the menu, type in the
 magic command `1d68d24ea0d9bb6e19949676058f1b93` and press enter. You
-should then be at a root shell!
+should then be at a root shell:
+
+	eap600>1d68d24ea0d9bb6e19949676058f1b93
+
+
+	BusyBox v1.19.4 (2015-10-01 07:56:17 CST) built-in shell (ash)
+	Enter 'help' for a list of built-in commands.
+
+	  _______                     ________        __
+	 |       |.-----.-----.-----.|  |  |  |.----.|  |_
+	 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
+	 |_______||   __|_____|__|__||________||__|  |____|
+	          |__| W I R E L E S S   F R E E D O M
+	 KAMIKAZE (bleeding edge, r20146) ------------------
+	  * 10 oz Vodka       Shake well with ice and strain
+	  * 10 oz Triple sec  mixture into 10 shot glasses.
+	  * 10 oz lime juice  Salute!
+	 ---------------------------------------------------
+	root@EAP600:/# 
+
+
 
 ### 4. Generate root keys ###
 

diff --git a/engenius-eap600-enable-ssh.md b/engenius-eap600-enable-ssh.md
@@ -81,7 +81,8 @@ after every boot, is as easy as typing in the following command:
 At this point we should reboot so that we can verify that everything
 is working as expected. This can take a minute or two. Just start
 pinging the device until it starts responding, then wait another
-minute or two for dropbear to get started.
+minute or two for dropbear to get started. To reboot, just type
+`reboot` into the command line and press enter.
 
 ### 8. Log in with ssh ###
 

diff --git a/engenius-eap600-enable-ssh.md b/engenius-eap600-enable-ssh.md
@@ -46,10 +46,10 @@ shell and pressing enter:
 
     [ -s /etc/dropbear/dropbear_rsa_host_key ] || \
         { rm -f /etc/dropbear/dropbear_rsa_host_key ; \
-        dropbearkey -t rsa -s 2048 -f /etc/dropbear/dropbear_rsa_host_key } ; \
+        dropbearkey -t rsa -s 2048 -f /etc/dropbear/dropbear_rsa_host_key ; } ; \
     [ -s /etc/dropbear/dropbear_dss_host_key ] || \
         { rm -f /etc/dropbear/dropbear_dss_host_key ; \
-        dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key }
+        dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key ; }
 
 ### 5. Copy over your ssh `authorized_keys` ###
 

diff --git a/engenius-eap600-enable-ssh.md b/engenius-eap600-enable-ssh.md
@@ -105,6 +105,7 @@ authentication for dropbear:
 
     uci set dropbear.@dropbear[0].PasswordAuth=off
     uci commit
+    /etc/init.d/dropbear restart
 
 After doing this, it is a good idea to verify that it is indeed
 working as expected. We can do this pretty easily by trying to log
@@ -115,9 +116,10 @@ To check that password authentication is indeed disabled, you simply
 log out of the root shell and then try to logging back into the device
 as the user `admin`:
 
-    ssh admin@<WAP-IP-ADDRESS>
+    ssh -o "PubkeyAuthentication no" admin@<WAP-IP-ADDRESS>
 
-For the password, type in `1234` and press enter. If it successfully
+You shouldn't even get a password prompt, it should just say `Permission denied (publickey).`.
+If you do get a password prompt, type in `1234` and press enter. If it successfully
 logs you in as the user `admin`, then something has gone horribly
 wrong.
 

diff --git a/engenius-eap600-enable-ssh.md b/engenius-eap600-enable-ssh.md
@@ -7,6 +7,8 @@ dual-band WiFi access point. SSH doesn't come enabled out of the box on
 these things, so if you want to SSH into the device (which is running an
 old version of OpenWRT), keep reading.
 
+![Picture of EAP600](http://www.engeniustech.com/media/reviews/photos/thumbnail/400x300s/af/ae/5b/EAP600-1200x792-74-1414194680.png)
+
 This document assumes the following:
 
  *  You are familiar with SSH `publickey` authentication

diff --git a/engenius-eap600-enable-ssh.md b/engenius-eap600-enable-ssh.md
@@ -0,0 +1,163 @@
+Enabling SSH on Engenius EAP600
+===============================
+
+This tutorial will walk you through the steps needed to get `root` SSH
+access on an [Engenius EAP600](http://www.engeniustech.com/products/indoor-access-points-client-bridges/ceiling-wall-mount/eap600-new.html)
+dual-band WiFi access point. SSH doesn't come enabled out of the box on
+these things, so if you want to SSH into the device (which is running an
+old version of OpenWRT), keep reading.
+
+This document assumes the following:
+
+ *  You are familiar with SSH `publickey` authentication
+    (`authorized_keys`, etc.)
+ *  You are familiar with the unix command line.
+ *  You have the admin credentials for the EAP600 in question.
+ *  You have firmware version 1.6.37 installed on the EAP600. This
+    procedure may work on earlier or later versions, but you may run
+    into trouble.
+
+### 1. Enable CLI ###
+
+First, log into the web interface on the EAP600. Then click on the
+"CLI Settings" link from the "Management" section of the left-hand
+navigation bar. Click on the radio button for "On" and then press the
+"Save/Apply" button. If it is already "On", skip this step.
+
+### 2. Log in via telnet ###
+
+Telnet into the device and login with your web credentials. After you
+do this successfully, you will see a menu and a `eap600>` prompt.
+
+### 3. Type in the magic command ###
+
+Instead of typing in any of the commands from the menu, type in the
+magic command `1d68d24ea0d9bb6e19949676058f1b93` and press enter. You
+should then be at a root shell!
+
+### 4. Generate root keys ###
+
+Before we can enable dropbear (the SSH server that is included in
+the EAP600 firmware), we need to generate our host keys. You can
+do that by copying and pasting the following lines into the root
+shell and pressing enter:
+
+    [ -s /etc/dropbear/dropbear_rsa_host_key ] || \
+        { rm -f /etc/dropbear/dropbear_rsa_host_key ; \
+        dropbearkey -t rsa -s 2048 -f /etc/dropbear/dropbear_rsa_host_key } ; \
+    [ -s /etc/dropbear/dropbear_dss_host_key ] || \
+        { rm -f /etc/dropbear/dropbear_dss_host_key ; \
+        dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key }
+
+### 5. Copy over your ssh `authorized_keys` ###
+
+Dropbear expects the `authorized_keys` file to be in
+`/etc/dropbear/authorized_keys`. You can either edit this file with
+`vi` or you can do the following steps:
+
+1.  Copy the contents of your `id_rsa.pub` or `authorized_keys` file
+    to your clipboard.
+2.  Type in the command `cat > /etc/dropbear/authorized_keys <<EOF`
+3.  Paste the contents of your clipboard into the terminal.
+4.  Press enter, type `EOF`, and press enter again. At this point you
+    should be back at the root shell prompt.
+
+Then you should make sure that the permissions are set properly on
+everything in `/etc/dropbear` with the following command line:
+
+    chmod 600 /etc/dropbear/* ; chmod 700 /etc/dropbear
+
+### 6. Enable dropbear ###
+
+Enabling the dropbear service, so that it will start automatically
+after every boot, is as easy as typing in the following command:
+
+    /etc/init.d/dropbear enable
+
+### 7. Reboot ###
+
+At this point we should reboot so that we can verify that everything
+is working as expected. This can take a minute or two. Just start
+pinging the device until it starts responding, then wait another
+minute or two for dropbear to get started.
+
+### 8. Log in with ssh ###
+
+After waiting a while, you should be able to ssh into your EAP-600 as
+`root`:
+
+    ssh root@<WAP-IP-ADDRESS>
+
+You should now be greeted with a root prompt. w00t!
+
+### 8. Security hardening ###
+
+Now that you've got SSH up and running, lets take a few moments to
+make sure that we lock down the security of the device.
+
+#### Disable dropbear password authentication ####
+
+It turns out that the EAP-600 runs a really old version of OpenWRT.
+Because of that, we can use the `uci` command to turn off password
+authentication for dropbear:
+
+    uci set dropbear.@dropbear[0].PasswordAuth=off
+    uci commit
+
+After doing this, it is a good idea to verify that it is indeed
+working as expected. We can do this pretty easily by trying to log
+into the device using the `admin` account---which by default has the
+password `1234`.
+
+To check that password authentication is indeed disabled, you simply
+log out of the root shell and then try to logging back into the device
+as the user `admin`:
+
+    ssh admin@<WAP-IP-ADDRESS>
+
+For the password, type in `1234` and press enter. If it successfully
+logs you in as the user `admin`, then something has gone horribly
+wrong.
+
+#### Disable IPv6 (!?!) ####
+
+The SSID-VLAN isolation feature of the EAP-600 has a really bad bug:
+it doesn't turn off IPv6 (or even
+[SLAAC](https://tools.ietf.org/html/rfc4862)!) on the individual
+bridge interfaces. This makes it impossible to prevent users from
+gaining access to the management web interface using the IPv6
+link-local address of the access point.
+
+The easiest, safest, and least fragile way to fix this quickly is
+simply to disable IPv6 entirely. This kinda sucks, but in practice it
+is not really that big of a deal---IPv6 still works for hosts, you
+just have to use IPv4 to access the configuration page or to SSH into
+the access point if you need to reconfigure it.
+
+To disable IPv6, we once again use the `uci` command, followed by a
+reboot:
+
+    uci set system.system.ipv6=0
+    uci commit
+    reboot
+
+Wait for the AP to come back online and then proceed below to
+disabling telnet.
+
+#### Disable `telnet` ####
+
+Now that we've got our `dropbear` daemon set up and tested, we can
+turn off `telnet` since we won't be needing it anymore.
+
+    /etc/init.d/telnet stop
+    /etc/init.d/telnet disable
+
+#### Disable `dnsmasq` ####
+
+For some reason, the software on the EAP-600 always runs `dnsmasq`.
+This is entirely inappropriate for a wireless access point, which
+should be just a bridge. You can easily disable it by typing in the
+following commands:
+
+    /etc/init.d/dnsmasq stop
+    /etc/init.d/dnsmasq disable