Posted: Mon May 15, 2023 18:50 Post subject: ssh failing from one dd-wrt device to another
Attempts to ssh from my AP (R7000 running r52569) to router (R7000 running r52485) or vice versa are failing with the message: "ssh: Connection to root@[router hostname]:22 exited: No auth methods could be used."
I have generated the ssh keys in the webgui and copied them to each other's Authorized Keys section in the gui.
What could be the issue? It seems things have changed with dd-wrt's ssh configuration with ed25519 now the default instead of the previous rsa.
A test with rsa worked. I generated rsa keys with "dropbear -t rsa -f /tmp/root/.ssh/id_rsa", copied the public key into the authorized_keys of the other dd-wrt device, and succeeded in connecting with "ssh -i /tmp/root/.ssh/id_rsa [hostname]"
I don't know if that key will persist reboots though.
"nvram show | grep ssh" shows only a sshd_ed25519_host_key private key. I don't know where the public key is. "ssh -i /tmp/root/.ssh/ssh_host_ed25519_key [hostname]" does not work.
I also tried converting the OpenSSH sshd_ed25519_host_key private key to dropbear format with "dropbearconvert openssh dropbear sshd_ed25519_host_key dropbear_ed25519_host_key". Then used that private key to obtain the public key with "dropbearkey -y -f dropbear_ed25519_host_key" and saved it locally as well as added the public key to the other device's authorized_keys. But using this identity file did not succeed in an ssh connection: "ssh -i dropbear_ed25519_host_key.pub [hostname]" --> "ssh: Exited: String too long"
I did manage to log into dd-wrt devices with ed25519 keys from my computer. Maybe the issue is due to dd-wrt configuration related to ed25519 vs rsa, and openssh vs dropbear?
Joined: 26 Mar 2013 Posts: 1858 Location: Hung Hom, Hong Kong
Posted: Tue May 16, 2023 4:17 Post subject:
fizikz wrote:
"nvram show | grep ssh" shows only a sshd_ed25519_host_key private key. I don't know where the public key is. "ssh -i /tmp/root/.ssh/ssh_host_ed25519_key [hostname]" does not work.
I also tried converting the OpenSSH sshd_ed25519_host_key private key to dropbear format with "dropbearconvert openssh dropbear sshd_ed25519_host_key dropbear_ed25519_host_key". Then used that private key to obtain the public key with "dropbearkey -y -f dropbear_ed25519_host_key" and saved it locally as well as added the public key to the other device's authorized_keys. But using this identity file did not succeed in an ssh connection: "ssh -i dropbear_ed25519_host_key.pub [hostname]" --> "ssh: Exited: String too long"
ssh_host_ed25519_key is the host key.
You should rename the generated public key to "authorized_keys" in /tmp/root/.ssh, then use the private key to login.
I forgot the new WEBUI steps for this part. Still thinking about command-line.
(And I don't think dropbearkey can generate a password-protected private key....) _________________ Router: Asus RT-N18U (rev. A1)
Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!
You have to generate public keys from the private ssh key of the router (ssh_host_ed25519_key) and copy them to the other router in the GUI (Authorized Keys).
@ho1Aetoo Thanks so much for the examples! It got me unstuck. Although I'm still confused about the difference between ssh_host_ed25519_key and sshd_ed25519_host_key
This worked: simply obtaining from ssh_host_ed25519_key the public key and putting it into the authorized_keys on the other device. I used the webgui to enter and save the public key to make sure dd-wrt persists it in nvram. I did not have to generate a new key pair.
One thing is that the known_hosts file is not persistent over reboots, and I see no way to specify the server's fingerprint as an option to ssh to avoid the interactive question. So either the fingerprint has to be accepted manually, or the fingerprint can be unconditionally accepted (ugh) with the -y flag.
---
A bit of an aside, but I noticed a few options under the Services tab in the Key Handling section of the webgui that I don't recognize from older builds:
Consider the help section on the right-hand side of the webUI page...
Replacing keys is most likely to replace the keys already on the router... _________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
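The two steps fizikz describes above, pulling the public half out of ssh_host_ed25519_key with dropbearkey -y and then facing a known_hosts file that does not survive a reboot, can be scripted so that the dropbear client never needs -y. The block below is an added example, not code from the thread or from dd-wrt: it extracts the key line from dropbearkey -y output, builds the matching known_hosts entry for the peer, installs it with restrictive permissions, and wraps ssh so that an unpinned host is refused instead of blindly accepted. The dropbearkey output and key bytes are constructed (not a real key), and the nvram variable name ssh_known_hosts_pin used for boot-time restore is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread or dd-wrt): pin a peer's ed25519 host key
# in known_hosts so the dropbear "ssh" client can connect without -y.

# Keep only the "ssh-<type> <base64>" part of "dropbearkey -y -f <key>" output.
pubkey_line_from_dropbearkey() {
    awk '$1 ~ /^ssh-/ { print $1 " " $2; exit }'
}

# known_hosts entry for a host: "<host> <type> <base64>"
known_hosts_line() {
    host=$1; keyline=$2
    set -- $keyline
    [ -n "$1" ] && [ -n "$2" ] || return 1
    printf '%s %s %s\n' "$host" "$1" "$2"
}

# Write known_hosts (dir 0700, file 0600); content replaces any previous file.
install_known_hosts() {
    sshdir=$1; content=$2
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    printf '%s\n' "$content" > "$sshdir/known_hosts" && chmod 600 "$sshdir/known_hosts"
}

# Print the pinned "<type> <base64>" for a host; non-zero status if none.
pinned_key() {
    file=$1; host=$2
    [ -r "$file" ] || return 1
    awk -v h="$host" '$1 == h { print $2 " " $3; found = 1; exit } END { exit !found }' "$file"
}

# Connect only when a pin exists. No -y: a missing or changed host key is an
# error to investigate, not something to click through. Assumes <sshdir> is
# the client's ~/.ssh (on dd-wrt: /tmp/root/.ssh).
ssh_pinned() {
    sshdir=$1; host=$2; shift 2
    if ! pinned_key "$sshdir/known_hosts" "$host" >/dev/null; then
        echo "refusing: no pinned host key for $host in $sshdir/known_hosts" >&2
        return 2
    fi
    ssh "$host" "$@"
}

# /tmp/root/.ssh is lost at reboot. Re-create known_hosts at boot (e.g. from a
# startup script) out of an nvram variable. The variable name is an assumption;
# populate it once with: nvram set ssh_known_hosts_pin="$kh"; nvram commit
restore_known_hosts_from_nvram() {
    command -v nvram >/dev/null 2>&1 || return 1
    pins=$(nvram get ssh_known_hosts_pin)
    [ -n "$pins" ] || return 1
    install_known_hosts /tmp/root/.ssh "$pins"
}

# Constructed stand-in for "dropbearkey -y -f ssh_host_ed25519_key" output on the
# peer (key bytes are all 0x02; NOT a real key).
SAMPLE_DROPBEARKEY_Y='Public key portion is:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC root@router
Fingerprint: SHA256:placeholder'

# Typical flow on the AP, once the peer's key line has been copied over:
#   line=$(printf '%s\n' "$SAMPLE_DROPBEARKEY_Y" | pubkey_line_from_dropbearkey)
#   kh=$(known_hosts_line router "$line")
#   install_known_hosts /tmp/root/.ssh "$kh"
#   ssh_pinned /tmp/root/.ssh router uptime
```

The same "ssh-ed25519 ..." line that goes into the peer's known_hosts is what the peer pastes into the other device's Authorized Keys field when the host key doubles as the client identity, which is exactly the setup that worked above.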
@ho1Aetoo Thanks so much for the examples! It got me unstuck. Although I'm still confused about the difference between ssh_host_ed25519_key and sshd_ed25519_host_key
This worked: simply obtaining from ssh_host_ed25519_key the public key and putting it into the authorized_keys on the other device. I used the webgui to enter and save the public key to make sure dd-wrt persists it in nvram. I did not have to generate a new key pair.
One thing is that the known_hosts file is not persistent over reboots, and I see no way to specify the server's fingerprint as an option to ssh to avoid the interactive question. So either the fingerprint has to be accepted manually, or the fingerprint can be unconditionally accepted (ugh) with the -y flag.
---
A bit of an aside, but I noticed a few options under the Services tab in the Key Handling section of the webgui that I don't recognize from older builds:
What exactly do these do? Especially the first one.
Replace Existing Key(s) = replaces the keys stored in the GUI under "authorized keys"
Generate Key = generates a public ed25519 key which is entered under "authorized keys" and a private key which can be downloaded
Download Private Key = downloads the generated private key
Replace Existing Key(s) = replaces the keys stored in the GUI under "authorized keys"
Replaces them with what? Why would this feature be useful compared to just removing or adding the desired authorized keys in the text field below it?
ho1Aetoo wrote:
Generate Key = generates a public ed25519 key which is entered under "authorized keys" and a private key which can be downloaded
Download Private Key = downloads the generated private key
Thanks, I wish the help section on the page said that. What is the purpose of downloading the private key? Backup? Though I see no way to restore it through the webgui.
ho1Aetoo wrote:
The GUI configuration is only for the SSH server, for the client functionality there are no settings.
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Thu May 18, 2023 17:08 Post subject:
The convention is that the private key is used by the client, and the corresponding public key is used by the server. So the client needs a copy of the private key, which on a linux client goes in ~/.ssh/id_rsa with permissions restricted to the user. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
The convention is that the private key is used by the client, and the corresponding public key is used by the server. So the client needs a copy of the private key, which on a linux client goes in ~/.ssh/id_rsa with permissions restricted to the user.
Oh, I think I get it now. The key generating, authorized key replacement, and private key download options are for the ease of setting up ssh access for client devices to the dd-wrt device.
Normally I think of generating the keys on the client and then copying the public key to the server. Plus I was trying to set up the dd-wrt device as a client as well as server, so I think that's where the confusion came from.
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Fri May 19, 2023 2:26 Post subject:
Exactly!
(Fine point: I mentioned where the client's private key goes in linux, but that was for an RSA key in particular. A bit old school these days. Have to read up on the currently preferred key type!)
Joined: 26 Mar 2013 Posts: 1858 Location: Hung Hom, Hong Kong
Posted: Sat May 20, 2023 8:06 Post subject:
SurprisedItWorks wrote:
Exactly!
(Fine point: I mentioned where the client's private key goes in linux, but that was for an RSA key in particular. A bit old school these days. Have to read up on the currently preferred key type!)
I am still using old school RSA. _________________ Router: Asus RT-N18U (rev. A1)
Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!