[the-joker]

bummer partial revert then... though its dumb, either or is the normal way.

[egc]

Yes please

[the-joker]

I will but this is dumb behavior.

[egc]

Not at all, you can use keys so that you do not have to put in a password and for clients which do not have the key you can use the password.

It is not mutually exclusive

[the-joker]

If selecting signing with key exclusively allows password login its dumb, there should be no fallback because if there is there are no security advantages.
But I get it, retarded it is.

[egc]

If you do not want a fallback you disable password, but if you want a fallback you leave it enabled but still can use the keys for easy access (meaning you do not have to type your password)

[the-joker]

either at same time its just stupid and shouldn't be allowed.

But what do I care. Nice little opportunity to get in between the huge crack.

https://github.com/mirror/dd-wrt/pull/415 for idiotic security, whoever implemented this should be shot in the balls and quartered.

[mrjcd]

couple more cents--- I have never used PW to SSH...

...back many moons ago I also use a XXXX port but that is kinda too much...
...I would sometimes forget to hide it anyways when doing terminal output to html

[egc]

Password is enabled by default, then I want to paste my key, no box to so see.

After I disable Password I can paste my keys.

But the key is wrong, and I already disabled telnet.

Now I have myself locked out.

This is STUPID, please REVERT

[the-joker]

I have reverted this to what it was, except bushants request awaiting merger, but note, I am 100% against this reasoning, people who make mistakes can reset to default, we SHOULD NOT exchange convenience for security. Which incidentally this is what this is.

[egc]

Keys are generated added to the router and OpenSSH key downloaded to your client (for putty you have to convert the OpenSSH key to Putty ppk format), but still a lot of work to do, key generation takes between 1 and 10 minutes depending on key length and CPU so have to add something of a wait state and the screen does not refresh yet after the keys are generated.

As I am traveling home the coming week it can take some time before it is completed

[the-joker]

egc if I can suggest something, the key generation fieldset would be better placed inside the SSH fieldset before perhaps the authorized keys textarea because there are no sections here delimited by h2 headers this way its absolutely obvious and delimited areas that are related are together.

And perhaps be optional visible/hidden like - Enable key generation [ ]enabled [] disabled.

So below port you would have

open fieldset - legend - Secure Shell (SSH)

ssh options foo

foo

foobar

port [ ]

Key generation [] Enabled [] Disabled

open fieldset - legend key generation

foo

foobar

foobar foo

[ button ]

Authorized keys textarea

close key gen fieldset
close ssh fieldset

Other considerations;

Instead of limiting to two key sizes, have a input text area and default to 2048 with a max of 4096 so users input what they wish in valid increments. Perhaps no default and a input placeholder like the NTP one - that says key size 2048 or foo or foobar.

Assigning this feature to higher end routers, lower end devices the higher generation time of 10 minutes could end up being much longer. Nothing should take excessive time **.

** Measurement of the start/end process in some percentage like the freeradius certificate generation does, so, on long operations, users dont know if the thing is going or the router has hung users should not have to wonder about this process length.

Users maybe already over taxing their routers with other stuff which will take CPU cycles. Which will likely introduce more delays/overhead.

While I am unsure how it will end up on the User experience/accessibility side of things, I think its a good feature candidate with proper care of implementation.

And try to enjoy your time away traveling.

[egc]

Thanks for your suggestions

[dale_gribble39]

Default key size is 2048. This does matter, depending on device.

[egc]

2048 is deemed unsafe nowadays, minimum of 3072 is recommended, that does not mean there can/should not be a choice this is just for testing