ssh failing from one dd-wrt device to another

fizikz
DD-WRT User


Joined: 10 Nov 2016
Posts: 265

Posted: Mon May 15, 2023 18:50    Post subject: ssh failing from one dd-wrt device to another
Attempts to ssh from my AP (R7000 running r52569) to router (R7000 running r52485) or vice versa are failing with the message: "ssh: Connection to root@[router hostname]:22 exited: No auth methods could be used."

I have generated the ssh keys in the webgui and copied them to each other's Authorized Keys section in the gui.

What could be the issue? It seems things have changed with dd-wrt's ssh configuration with ed25519 now the default instead of the previous rsa.
fizikz
DD-WRT User


Joined: 10 Nov 2016
Posts: 265

Posted: Mon May 15, 2023 22:56
A test with rsa worked. I generated rsa keys with "dropbear -t rsa -f /tmp/root/.ssh/id_rsa", copied the public key into the authorized_keys of the other dd-wrt device, and succeeded in connecting with "ssh -i /tmp/root/.ssh/id_rsa [hostname]".

I don't know if that key will persist reboots though.

"nvram show | grep ssh" shows only a sshd_ed25519_host_key private key. I don't know where the public key is. "ssh -i /tmp/root/.ssh/ssh_host_ed25519_key [hostname]" does not work.

I also tried converting the OpenSSH sshd_ed25519_host_key private key to dropbear format with "dropbearconvert openssh dropbear sshd_ed25519_host_key dropbear_ed25519_host_key". Then used that private key to obtain the public key with "dropbearkey -y -f dropbear_ed25519_host_key" and saved it locally as well as added the public key to the other device's authorized_keys. But using this identity file did not succeed in an ssh connection: "ssh -i dropbear_ed25519_host_key.pub [hostname]" --> "ssh: Exited: String too long"

I did manage to log into dd-wrt devices with ed25519 keys from my computer. Maybe the issue is due to dd-wrt configuration related to ed25519 vs rsa, and openssh vs dropbear?
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong

Posted: Tue May 16, 2023 4:17
fizikz wrote:
"nvram show | grep ssh" shows only a sshd_ed25519_host_key private key. I don't know where the public key is. "ssh -i /tmp/root/.ssh/ssh_host_ed25519_key [hostname]" does not work.

I also tried converting the OpenSSH sshd_ed25519_host_key private key to dropbear format with "dropbearconvert openssh dropbear sshd_ed25519_host_key dropbear_ed25519_host_key". Then used that private key to obtain the public key with "dropbearkey -y -f dropbear_ed25519_host_key" and saved it locally as well as added the public key to the other device's authorized_keys. But using this identity file did not succeed in an ssh connection: "ssh -i dropbear_ed25519_host_key.pub [hostname]" --> "ssh: Exited: String too long"

ssh_host_ed25519_key is the host key.

You should rename the generated public key to "authorized_keys" in /tmp/root/.ssh, then use the private key to login.

I forgot the new WEBUI steps for this part. Still thinking about command-line.

(And I don't think dropbearkey can generate password-protected private key....)

_________________
Router: Asus RT-N18U (rev. A1)

Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
GitHub: https://github.com/changmw/changmw
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

Posted: Tue May 16, 2023 9:33
@fizikz

You're doing it wrong...

You have to generate public keys from the private ssh key of the router (ssh_host_ed25519_key) and copy them to the other router in the GUI (Authorized Keys).

Code:
dropbearkey -t ed25519 -y -f ~/.ssh/ssh_host_ed25519_key


then you can connect via the following command

Code:
ssh -i ~/.ssh/ssh_host_ed25519_key root@192.168.1.1


or you copy the hostkey at every router startup

Code:
cp ~/.ssh/ssh_host_ed25519_key ~/.ssh/id_dropbear


then you do not have to specify the key

Code:
ssh root@192.168.1.1


Or you generate new private and public keys then you have to store them on JFFS or USB and copy them to ~/.ssh/id_dropbear at every router reboot.

Code:
dropbearkey -t ed25519 -f /jffs/id_dropbear


Code:
cp /jffs/id_dropbear ~/.ssh/id_dropbear


The last variant is the safe one

_________________
Quickstart guides:
use Pi-Hole as simple DNS-Server with DD-WRT
VLAN configuration via GUI - 1 CPU port
VLAN configuration via GUI - 2 CPU ports (R7800, EA8500 etc)

Routers
Marvell OCTEON TX2 - QHora-322 - OpenWrt 23.05.3 - Gateway
Qualcomm IPQ8065 - R7800 - DD-WRT - WAP
fizikz
DD-WRT User


Joined: 10 Nov 2016
Posts: 265

Posted: Tue May 16, 2023 19:02
@ho1Aetoo Thanks so much for the examples! It got me unstuck. Although I'm still confused about the difference between ssh_host_ed25519_key and sshd_ed25519_host_key

This worked: simply obtaining from ssh_host_ed25519_key the public key and putting it into the authorized_keys on the other device. I used the webgui to enter and save the public key to make sure dd-wrt persists it in nvram. I did not have to generate a new key pair.

Code:
dropbearkey -y -f /tmp/root/.ssh/ssh_host_ed25519_key


Then ssh succeeds with:
Code:
ssh -i /tmp/root/.ssh/ssh_host_ed25519_key [server]


One thing is that the known_hosts file is not persistent over reboots, and I see no way to specify the server's fingerprint as an option to ssh to avoid the interactive question. So either the fingerprint has to be accepted manually, or the fingerprint can be unconditionally accepted (ugh) with the -y flag.

---

A bit of an aside, but I noticed a few options under the Services tab in the Key Handling section of the webgui that I don't recognize from older builds:

- Replace Existing Key(s) (enable/disable radio button)
- Generate Key (button)
- Download Private Key (button)

What exactly do these do? Especially the first one.
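The two loose ends in the posts above, a client key that has to be copied back into ~/.ssh/id_dropbear after every reboot and a known_hosts file that does not survive one, can both be closed by a single startup script without ever reaching for "-y". The script below is an added example, not code from the thread or from DD-WRT. It assumes JFFS is mounted at /jffs, HOME is /tmp/root, peers listen on port 22, and each peer's host public key line was captured once by running "dropbearkey -y -f /tmp/root/.ssh/ssh_host_ed25519_key" on that peer and saving the printed "ssh-ed25519 AAAA..." line under /jffs (that is the key the peer's sshd presents, so it is also the pin). The address 192.168.1.1, the file names and the key material in the comments are constructed placeholders.

```sh
#!/bin/sh
# Added example, not code from the thread or from DD-WRT: a fail-closed
# startup script for a DD-WRT box acting as a Dropbear ssh *client*.
# It restores the two files the thread notes are lost on reboot because
# /tmp/root is tmpfs:
#   ~/.ssh/id_dropbear  - client identity, so "ssh root@<peer>" needs no -i
#   ~/.ssh/known_hosts  - pinned peer host keys, so no prompt and no "-y"
# Assumptions (mine, not from the thread): JFFS is mounted at /jffs, HOME is
# /tmp/root, peers listen on port 22, and each peer's public key line was
# captured once with "dropbearkey -y -f /tmp/root/.ssh/ssh_host_ed25519_key"
# run on that peer and saved under $PERSIST_DIR as <name>.pub.

SSH_HOME="${SSH_HOME:-/tmp/root}"               # Dropbear client reads $HOME/.ssh
PERSIST_DIR="${PERSIST_DIR:-/jffs/ssh-client}"  # survives reboot, unlike /tmp

# restore_identity SRC DST: install the private key with owner-only modes.
# Returns 1 and installs nothing if the saved key is missing, so a wiped JFFS
# shows up as a loud failure instead of an unexplained "No auth methods".
restore_identity() {
    src="$1"; dst="$2"
    [ -s "$src" ] || { echo "no saved identity at $src" >&2; return 1; }
    mkdir -p "$(dirname "$dst")" && chmod 700 "$(dirname "$dst")"
    cp "$src" "$dst" && chmod 600 "$dst"
}

# known_hosts_entry HOST PUBKEY_LINE: convert "ssh-ed25519 AAAA... comment"
# (what dropbearkey -y prints) into the "HOST ssh-ed25519 AAAA..." line the
# Dropbear client matches in known_hosts. The comment is dropped and the key
# type is whitelisted so a garbage line cannot become a pin.
known_hosts_entry() {
    host="$1"
    set -f; set -- $2; set +f     # split the key line on whitespace, no globbing
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported or missing key type: '$1'" >&2; return 1 ;;
    esac
    [ -n "$2" ] || { echo "missing key blob" >&2; return 1; }
    printf '%s %s %s\n' "$host" "$1" "$2"
}

# pin_host HOST PUBKEY_LINE KNOWN_HOSTS: add the pin once (idempotent across
# boots). A *different* key already pinned for HOST is an error: that is the
# exact situation "ssh -y" would silently accept.
pin_host() {
    host="$1"; pub="$2"; kh="$3"
    entry="$(known_hosts_entry "$host" "$pub")" || return 1
    mkdir -p "$(dirname "$kh")"
    touch "$kh" && chmod 600 "$kh"
    existing="$(awk -v h="$host" '$1 == h' "$kh")"
    if [ -z "$existing" ]; then
        printf '%s\n' "$entry" >> "$kh"
    elif [ "$existing" != "$entry" ]; then
        echo "pinned key for $host differs from saved copy; refusing to overwrite" >&2
        return 1
    fi
}

# Boot-time flow: what the thread's "cp ... at every router startup" step
# becomes when both files are restored and nothing falls back to -y.
# Peer name and address are constructed placeholders.
main() {
    restore_identity "$PERSIST_DIR/id_dropbear" "$SSH_HOME/.ssh/id_dropbear" || return 1
    pin_host 192.168.1.1 "$(cat "$PERSIST_DIR/router.pub" 2>/dev/null)" \
             "$SSH_HOME/.ssh/known_hosts"
}

# Save as a DD-WRT startup command and call as: /jffs/ssh-client/restore.sh run
if [ "${1:-}" = run ]; then main; fi
```

Pinning instead of "-y" keeps the one check that stops a neighbour answering for the router's address from being handed the session, and refusing to overwrite a differing pin means a legitimately regenerated peer host key has to be re-saved to /jffs on purpose rather than accepted on the spot. Pairing this with a dedicated key in /jffs (ho1Aetoo's last variant) rather than the host key also keeps a device's server identity separate from the credential it presents as a client.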
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1900

Posted: Tue May 16, 2023 19:25
Consider the help section on the right-hand side of the webUI page...

Replacing keys is most likely to replace the keys already on the router...

_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

Posted: Wed May 17, 2023 7:10
fizikz wrote:
@ho1Aetoo Thanks so much for the examples! It got me unstuck. Although I'm still confused about the difference between ssh_host_ed25519_key and sshd_ed25519_host_key

This worked: simply obtaining from ssh_host_ed25519_key the public key and putting it into the authorized_keys on the other device. I used the webgui to enter and save the public key to make sure dd-wrt persists it in nvram. I did not have to generate a new key pair.

Code:
dropbearkey -y -f /tmp/root/.ssh/ssh_host_ed25519_key


Then ssh succeeds with:
Code:
ssh -i /tmp/root/.ssh/ssh_host_ed25519_key [server]


One thing is that the known_hosts file is not persistent over reboots, and I see no way to specify the server's fingerprint as an option to ssh to avoid the interactive question. So either the fingerprint has to be accepted manually, or the fingerprint can be unconditionally accepted (ugh) with the -y flag.

---

A bit of an aside, but I noticed a few options under the Services tab in the Key Handling section of the webgui that I don't recognize from older builds:

- Replace Existing Key(s) (enable/disable radio button)
- Generate Key (button)
- Download Private Key (button)

What exactly do these do? Especially the first one.


Replace Existing Key(s) = replaces the keys stored in the GUI under "authorized keys"
Generate Key = generates a public ed25519 key which is entered under "authorized keys" and a private key which can be downloaded
Download Private Key = downloads the generated private key

The GUI configuration is only for the SSH server, for the client functionality there are no settings.

fizikz
DD-WRT User


Joined: 10 Nov 2016
Posts: 265

Posted: Wed May 17, 2023 18:05
ho1Aetoo wrote:

Replace Existing Key(s) = replaces the keys stored in the GUI under "authorized keys"

Replaces them with what? Why would this feature be useful compared to just removing or adding the desired authorized keys in the text field below it?
ho1Aetoo wrote:
Generate Key = generates a public ed25519 key which is entered under "authorized keys" and a private key which can be downloaded
Download Private Key = downloads the generated private key

Thanks, I wish the help section on the page said that. What is the purpose of downloading the private key? Backup? Though I see no way to restore it through the webgui.

ho1Aetoo wrote:
The GUI configuration is only for the SSH server, for the client functionality there are no settings.

Very useful to know, thanks again.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

Posted: Thu May 18, 2023 17:08
The convention is that the private key is used by the client, and the corresponding public key is used by the server. So the client needs a copy of the private key, which on a linux client goes in ~/.ssh/id_rsa with permissions restricted to the user.
_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
fizikz
DD-WRT User


Joined: 10 Nov 2016
Posts: 265

Posted: Thu May 18, 2023 18:06
SurprisedItWorks wrote:
The convention is that the private key is used by the client, and the corresponding public key is used by the server. So the client needs a copy of the private key, which on a linux client goes in ~/.ssh/id_rsa with permissions restricted to the user.


Oh, I think I get it now. The key generating, authorized key replacement, and private key download options are for the ease of setting up ssh access for client devices to the dd-wrt device.

Normally I think of generating the keys on the client and then copying the public key to the server. Plus I was trying to set up the dd-wrt device as a client as well as server, so I think that's where the confusion came from.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

Posted: Fri May 19, 2023 2:26
Exactly!

(Fine point: I mentioned where the client's private key goes in linux, but that was for an RSA key in particular. A bit old school these days. Have to read up on the currently preferred key type!)
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong

Posted: Sat May 20, 2023 8:06
SurprisedItWorks wrote:
Exactly!

(Fine point: I mentioned where the client's private key goes in linux, but that was for an RSA key in particular. A bit old school these days. Have to read up on the currently preferred key type!)

I am still using old school RSA. :)
