In case of SSH public key authentication failure...

fizikz
DD-WRT User


Joined: 10 Nov 2016
Posts: 265

PostPosted: Mon Dec 07, 2020 9:03    Post subject: In case of SSH public key authentication failure...
In case of SSH public key authentication failure when it was previously working fine, it may be time to upgrade to a more recent version of dd-wrt that has an updated dropbear/SSH version.

I found this out after encountering this failure, with SSH debug message "send_pubkey_test: no mutual signature algorithm", after upgrading to Fedora 33 which changed the crypto policy.

There are several solutions outlined in a couple of helpful links:
https://dev.to/bowmanjd/upgrade-ssh-client-keys-and-remote-servers-after-fedora-33-s-new-crypto-policy-47ag
https://www.reddit.com/r/Fedora/comments/jhxbdh/no_ssh_public_key_auth_after_upgrade_to_fedora_33/

The ideal one is to update the server (dd-wrt), and it's what prompted me to finally let go of the venerable Kong r42070. The BS r44863 build works, with its dropbear version 2020.80.

One detail I haven't yet figured out: my ssh-rsa key works, but if I remove it and leave just my ssh-ed25519 key, it fails. Curious, because support for ed25519 authorized_keys is apparently present since dropbear 2020.79. https://github.com/mkj/dropbear/releases
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6436
Location: UK, London, just across the river..

PostPosted: Mon Dec 07, 2020 16:43    Post subject:
ed25519 is not available yet... or at least I'm not aware which router has it... there was a discussion on how to make it work on the Netgear R9000... but I'm unaware if it's supported yet... The SSH key I use is 3072-bit and it should be fine, I haven't tried 4096-bit yet, but it may be supported too...

Not a bad idea to start with your router model, as guessing it is equal to guessing the lotto...

That old Kong build is very old, a lot of security updates since... not a bad idea to update to a recent build...
As we don't know your router, it will not be possible to advise which build to update to... but let's say 44715 will do... as in builds after it there is a lot of WIP...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12881
Location: Netherlands

PostPosted: Mon Dec 07, 2020 17:36    Post subject:
ed25519 is an option and is not compiled in as it takes up some space and it also has to work on low flash RAM routers.

Code:
/* Ed25519 is faster than ECDSA. Compiling in Ed25519 code increases
   binary size - around 7,5kB on x86-64 */
#define DROPBEAR_ED25519 0

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
fizikz
DD-WRT User


Joined: 10 Nov 2016
Posts: 265

PostPosted: Mon Dec 07, 2020 19:35    Post subject:
@egc Thanks for clearing that up -- support does not mean the feature is included by default. Now it makes sense.

@Alozaros My router is (yet another) r7000. I didn't mention it because I don't see what it has to do with SSH support in dd-wrt. In any case, r44863 seems good so far with one day uptime.
fizikz
DD-WRT User


Joined: 10 Nov 2016
Posts: 265

PostPosted: Tue Dec 08, 2020 6:02    Post subject:
Alozaros wrote:
The SSH key I use is 3072-bit and it should be fine, I haven't tried 4096-bit yet, but it may be supported too...

Btw, 4096-bit RSA key length is supported. I've been using it for quite a while, even with Kong r42070.

Fun tip: checking the length can be done with
Code:
ssh-keygen -lf ~/.ssh/id_rsa.pub
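As an added example (not from the thread or from dropbear/OpenSSH), this parses authorized_keys entries the way ssh-keygen -lf does, reporting key type, bit length and SHA256 fingerprint, and flags ssh-ed25519 keys that a dropbear built with DROPBEAR_ED25519 0 (egc's post) would ignore, plus RSA keys below a chosen length. The key material is synthetic and constructed inline; the 3072-bit default minimum is an assumption taken from the discussion above.

```python
import base64
import hashlib

def _string(b):                     # SSH wire "string": 4-byte big-endian length + bytes
    return len(b).to_bytes(4, "big") + b

def _mpint(n):                      # SSH "mpint": big-endian, leading 0x00 if the high bit is set
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _string(b"\x00" + b if b[0] & 0x80 else b)
def _read_string(blob, off):
    n = int.from_bytes(blob[off:off + 4], "big")
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_info(line):
    """(type, bits, SHA256 fingerprint, comment) for one authorized_keys line, as ssh-keygen -lf shows it."""
    ktype, b64, *rest = line.split()
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != ktype:
        raise ValueError("type field does not match key blob")
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)     # public exponent
        n, _ = _read_string(blob, off)        # modulus; its bit length is the key size
        bits = int.from_bytes(n, "big").bit_length()
    elif ktype == "ssh-ed25519":
        bits = 256
    else:
        raise ValueError("unsupported key type " + ktype)
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ktype, bits, fp, " ".join(rest)

def audit(text, ed25519_compiled_in=False, min_rsa_bits=3072):
    """Flag ed25519 keys (ignored by a dropbear built with DROPBEAR_ED25519 0) and short RSA keys."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ktype, bits, _fp, comment = key_info(line)
        if ktype == "ssh-ed25519" and not ed25519_compiled_in:
            findings.append(f"{comment}: ed25519 not compiled into dropbear, key ignored")
        elif ktype == "ssh-rsa" and bits < min_rsa_bits:
            findings.append(f"{comment}: RSA {bits} bits is below {min_rsa_bits}")
    return findings

# Constructed sample keys (synthetic values, not real key pairs; enough to exercise the parser).
def _fake_key(ktype, comment, bits=None):
    body = _mpint(65537) + _mpint((1 << (bits - 1)) | 1) if bits else _string(b"\x01" * 32)
    return f"{ktype} {base64.b64encode(_string(ktype.encode()) + body).decode()} {comment}"

SAMPLE = "\n".join([_fake_key("ssh-ed25519", "laptop-ed25519"),
                    _fake_key("ssh-rsa", "old-2048", 2048), _fake_key("ssh-rsa", "laptop-rsa", 4096)])
```

Run audit(SAMPLE) against a real authorized_keys file's text to see which entries the router's dropbear will silently skip.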
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6436
Location: UK, London, just across the river..

PostPosted: Tue Dec 08, 2020 14:50    Post subject:
fizikz wrote:
@Alozaros My router is (yet another) r7000. I didn't mention it because I don't see what it has to do with SSH support in dd-wrt. In any case, r44863 seems good so far with one day uptime.

Yep, R7000 is a Broadcom and all recent BS work regarding WiFi was affecting Atheros, so 44863 should be fine... even the new 44944 should be fine too, as the
"ath to wlan" switch names are not applied to Broadcoms yet...

fizikz
DD-WRT User


Joined: 10 Nov 2016
Posts: 265

PostPosted: Wed Dec 09, 2020 4:21    Post subject:
Alozaros wrote:
"ath to wlan" switch names are not applied to Broadcoms yet...

You mean there are "goodies" coming down the pipe? Thanks for the warning, I'll stay put on this release until the dust settles and there's a good reason to switch.