Joined: 03 Jan 2010 Posts: 7568 Location: YWG, Canada
Posted: Fri Nov 18, 2022 16:13 Post subject:
So how is this fixed? Because the build is unusable: no ssh, no telnet, unbound hangs, dnsmasq in some half-frozen state.
There's no ed25519 anything anywhere in WinSCP; nothing worked. I was basically locked out of my own router, as downgrading in the web UI didn't work: it took 3x longer than usual and looked like it was rebooting, but it wasn't. I had to use physdiskwrite to fix all of this for x86_64. _________________ LATEST FIRMWARE(S)
BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers
For those, like me, who don't get a whole lot out of the timeline of fixes applied recently, and who are always afraid to make a mess of ssh and key-based access, here is how I succeeded after being told by my R7800 that port 22 is closed.
If you know all the ins and outs of ssh, keys and the various commands used, just skip ...
I did check in the documentation what ssh-keygen -R actually does, since generating new keys is not what you might want to do ... I have a slew of SBCs etc. using key-based ssh access hither and thither and time-wise can't afford messing it up.
In my case the command needs to be repeated for both the LAN IP and the hostname (this is on a Linux Mint laptop):
arjen@HP430G5:~$ ssh-keygen -R 192.168.1.1
# Host 192.168.1.1 found: line 146
/home/arjen/.ssh/known_hosts updated.
Original contents retained as /home/arjen/.ssh/known_hosts.old
arjen@HP430G5:~$ ssh root@r7800.mdnet
Connection closed by 192.168.1.1 port 22
arjen@HP430G5:~$ ssh-keygen -R r7800.mdnet
# Host r7800.mdnet found: line 145
/home/arjen/.ssh/known_hosts updated.
Original contents retained as /home/arjen/.ssh/known_hosts.old
arjen@HP430G5:~$ ssh root@r7800.mdnet
The authenticity of host 'r7800.mdnet (192.168.1.1)' can't be established.
ED25519 key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'r7800.mdnet,192.168.1.1' (ED25519) to the list of known hosts.
DD-WRT v3.0-r50906 std (c) 2022 NewMedia-NET GmbH
Release: 11/18/22
Board: Netgear R7800
==========================================================
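An added example (not part of this post, nor DD-WRT or OpenSSH code) of what the two `ssh-keygen -R` runs above do to known_hosts, and of the "remove the old fingerprints" advice given later in the thread: it removes entries for a host whether they are stored plain, as a comma-separated list, as `[host]:port` for a custom port, or hashed (`HashKnownHosts yes`), and computes the SHA256 fingerprint of the new host key so it can be checked against the value the ssh prompt shows before answering "yes". The salt, the all-zero Ed25519 key and the known_hosts lines are constructed sample data.

```python
import base64
import hashlib
import hmac

def hash_host(host, salt):
    """Build the |1|salt|hmac field OpenSSH writes when HashKnownHosts is on."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, host):
    """True if a known_hosts host field (plain, comma list, [host]:port or hashed) names host.
    For a hashed entry with a non-default port, pass host as "[host]:port", as OpenSSH stores it."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        salt, want = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        got = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, want)
    for name in field.split(","):
        if name.startswith("[") and "]:" in name:   # [host]:port form for non-default ports
            name = name[1:name.index("]:")]
        if name == host:
            return True
    return False

def remove_stale_hosts(known_hosts, hosts):
    """Drop every line naming any of hosts, as running ssh-keygen -R once per host does
    (lines starting with an @marker are left alone).  Returns (kept_text, removed_lines)."""
    kept, removed = [], []
    for line in known_hosts.splitlines():
        parts = line.split(None, 1)
        if parts and not line.startswith("#") and any(host_matches(parts[0], h) for h in hosts):
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

def fingerprint_sha256(pubkey_line):
    """SHA256 fingerprint of an OpenSSH public key line, in the form the ssh prompt shows."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

# Constructed sample data (not captured from any real router): an all-zero Ed25519 key
# as the "new" host key, and stale RSA entries for the router in three storage forms.
SALT = bytes(range(20))
ED25519_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)
NEW_KEY = "ssh-ed25519 " + base64.b64encode(ED25519_BLOB).decode()
KNOWN_HOSTS = "\n".join([
    "192.168.1.1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7placeholder",
    hash_host("r7800.mdnet", SALT) + " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7placeholder",
    "[192.168.1.1]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7placeholder",
    "other.lan " + NEW_KEY,
]) + "\n"
```

Running `remove_stale_hosts(KNOWN_HOSTS, ["192.168.1.1", "r7800.mdnet"])` removes the three router entries and keeps `other.lan`; compare `fingerprint_sha256(...)` of the router's real public host key, obtained out of band, with the fingerprint in the "authenticity ... can't be established" prompt.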
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Fri Nov 18, 2022 16:29 Post subject:
Hi guys... well, I'm tempted to update my R7800, but there are a few questions arising:
- I'm using a 3072-bit RSA ssh-2 key pasted on the router in PuTTY format + a custom port, and I use PuTTY to connect either from Linux or Windows machines... will ssh work after the update with no reset?
- Will the update keep the currently configured ssh key as it is?
- I also don't have physical nor GUI access to the router, as I use ssh over the WAN at the moment. Will ssh work out of the box after the update, or do I have to fiddle with it?
- Shall I wait until I get back and have physical access?
- If I update, would it be possible to fiddle with the ssh nvram values before the reboot and make it work after the reboot? What exactly do I need to do?
- If I enable telnet over the WAN before the update, will I be able to fiddle with the ssh changes and paste the new ssh key into nvram after the update?
Why did tatsuya46 say no telnet too??
tatsuya46 wrote:
So how is this fixed? Because the build is unusable: no ssh, no telnet, unbound hangs, dnsmasq in some half-frozen state.
Gosh, so many of those questions of mine...
Thanks in advance...
p.s. I already read the advice about ticking a few things in PuTTY, but I'm not using ed25519, nor have I imported keys into the registry (I'm not doing that practice because of...) + I read the ssh debate in the Broadcom section for new firmware 50906...
So I guess if the update with no reset deleted the present ssh key from the router side it will be funky...
I guess to keep up with ed25519 and PuTTY you can generate a key with PuTTYgen and paste it in that format... router side... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Last edited by Alozaros on Fri Nov 18, 2022 16:46; edited 1 time in total
RSA also works; other public keys like Ed25519 or ECDSA also work.
However, the HOST key, i.e. the fingerprint of the router, has changed.
You don't have to reset the router if programs don't want to connect via SSH anymore because another HOST key (fingerprint) is stored.
It is described several times here in the thread how to delete the stored fingerprint under Linux or Windows.
As a suggestion, just activate Telnet briefly.
If you get no ssh access for a short time, you can still log in via telnet and check which public key is stored in the nvram.
It's not that complicated ... actually you only have to remove the old fingerprints from the "known_hosts" - then ssh access works.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Fri Nov 18, 2022 16:54 Post subject:
ho1Aetoo wrote:
RSA also works; other public keys like Ed25519 or ECDSA also work.
However, the HOST key, i.e. the fingerprint of the router, has changed.
You don't have to reset the router if programs don't want to connect via SSH anymore because another HOST key (fingerprint) is stored.
It is described several times here in the thread how to delete the stored fingerprint under Linux or Windows.
As a suggestion, just activate Telnet briefly.
If you get no ssh access for a short time, you can still log in via telnet and check which public key is stored in the nvram.
It's not that complicated ... actually you only have to remove the old fingerprints from the "known_hosts" - then ssh access works.
Yep, telnet was my plan...
So let's presume my actions:
1. Enable telnet (bad idea, but for a short time)
2. Update with no reset
3. Try to log in via PuTTY ssh as normal with the present RSA key (as I said above, I don't have keys imported anywhere and every time is like a first-time login via ssh), on both platforms, Linux or Windows, as I use PuTTY on both
4. If ssh is not working, I can log in via PuTTY telnet and replace the ssh key and ssh port in nvram, then commit & reboot
5. Try to log in via ssh as normal...
6. If not, it will be a sketchy moment of a ship landed on the dark side of the moon
Thanks for patience and understanding
p.s. I need to do that update for a couple of routers and that's why I'm asking for details...
Sadly I'll be back to those units after 4 weeks' time... and no margin for error...
Last edited by Alozaros on Fri Nov 18, 2022 16:56; edited 1 time in total
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Fri Nov 18, 2022 17:00 Post subject:
Well, I'm doing things over the WAN, so telnet is a bad plan for remote access, as it's crap and not encrypted... so I'll need to change the router password after I use it, I guess...
As well, tatsuya46 mentioned above that on that build there is no telnet, whatever that means...
The thing is, I don't want to end up with no access to the unit and have telnet over the WAN left on...
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Fri Nov 18, 2022 17:07 Post subject:
ho1Aetoo wrote:
Yes, I mean the changes only affect ssh.
Telnet does not use a host key etc.
I believe I understand this very, very well... but if I don't respond in the next 5-10 min then I'll be on that dark side of the moon...
Thanks anyway...
I'm running Linux. It appears that the simplest thing to do is to delete my host file and reconnect to my devices if I run into any connection issues with my XR500. Does that sound right? _________________ Netgear XR500 - Gateway
R6700 v3 - Station Bridge
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Fri Nov 18, 2022 17:54 Post subject:
ho1Aetoo wrote:
The HOST key is the fingerprint of the router.
The host key is only used for identification.....
Yep, I very well know about host and public keys...
EUREKA, dang... it worked out of the box
login as: root
Pre-authentication banner message from server:
| DD-WRT v3.0-r50906 std (c) 2022 NewMedia-NET GmbH
| Release: 11/18/22
| Board: Netgear R7800
End of banner message from server
Authenticating with public key ......:
So many questions, such a thrill
Thanks for all the assistance
The only change I can see in nvram values is the one I was guessing:
sshd_rsa_host_key=
is replaced with
sshd_ed25519_host_key=
The unit was updated from 50841 > 50906 with no reset, preserving the old RSA ssh keys and the specific ssh port... with nothing that needed to be changed... so far so good; in my case all is working as it should..... Big thanks to all for the patience and support, especially ho1Aetoo... I hope you understood the gravity of the situation of no access to the unit that I was thrilling about... such suspense and fun
p.s. now I'm "User Email is detected as Spambot.!" hahaha, sweet, I can't update my sig... anyway...
Last edited by Alozaros on Fri Nov 18, 2022 22:44; edited 2 times in total