Posted: Thu Jun 08, 2023 1:12 Post subject: trouble ssh'ing into my machine
I enabled SSH, and pasted my public key. I saved and applied my settings. My public key does start with "ssh-rsa". When I attempt to ssh into my dd-wrt box with my private key, it fails. Any ideas what could be going wrong?
DD-WRT no longer uses rsa keys. It was changed to ed25519 some time ago. Also, it's usually best to reboot the router when you enable key-based authentication.
_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
Joined: 26 Mar 2013 Posts: 1857 Location: Hung Hom, Hong Kong
Posted: Thu Jun 08, 2023 4:48 Post subject:
dale_gribble39 wrote:
DD-WRT no longer uses rsa keys. It was changed to ed25519 some time ago. Also, it's usually best to reboot the router when you enable key-based authentication.
You can still use RSA, but not with WEBUI.
Back to the WEBUI way (ed25519/EdDSA keys): it did work, but not without some strangeness. I haven't retried it to find out why. Give WEBUI some time to reload and restart things.
_________________
Router: Asus RT-N18U (rev. A1)
Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!
DD-WRT no longer uses rsa keys. It was changed to ed25519 some time ago. Also, it's usually best to reboot the router when you enable key-based authentication.
You can still use RSA, but not with WEBUI.
Back to the WEBUI way (ed25519/EdDSA keys): it did work, but not without some strangeness. I haven't retried it to find out why. Give WEBUI some time to reload and restart things.
I use my old RSA keys just fine via the webui running build 52459.
Posted: Thu Jun 08, 2023 11:54 Post subject:
ho1Aetoo wrote:
and what is that good for?
ed25519 keys can be generated comfortably in the Router GUI if you don't have ssh-keygen or puttygen.
ECDSA keys are shorter than RSA keys in general; more correctly, they have a fixed length. I suppose they are more vulnerable to brute force attack (combinations hack)??
3072-bit or more RSA keys are longer. But short keys of course have their uses.
Posted: Thu Jun 08, 2023 12:15 Post subject:
droidus wrote:
I generated my keys, and am getting this error message:
Load key "./ed25519_private_key.pem": invalid format
Here's how I generated them:
openssl genpkey -algorithm ed25519 -out private_key.pem
openssl pkey -in private_key.pem -pubout -out public_key.pem
This is the part I don't quite understand! That's why I said "strangeness".
I suppose private_key.pem should be stored at your client side, while public_key.pem should be stored as ~/.ssh/authorized_keys in DD-WRT. You can do the latter via the NVRAM variable "sshd_authorized_keys", which is how the WEBUI function works. Just run the command "nvram show | grep ssh" to find related variables.
There are other methods of course. Just use imagination.
I really think the file extension ".pem" is too vague. It could mean many things, especially when you wanna use certificates.
Ed25519 is considered to be secure (similar difficulty to breaking a ~3000-bit RSA key).
Creating a new signature with Ed25519 does not require a random input. This is very desirable from a security perspective (see the Playstation3 hack above...).
Ed25519 is resilient to hash-function collisions. This is good because it provides some additional protection in case the selected hash function contained some weakness.
Ed25519 is immune to cache-timing attacks, hyperthreading attacks, and other side-channel attacks that rely on leakage of addresses through the CPU cache. This is also very desirable from a security perspective.
Ed25519 does not use secret branch conditions, i.e., it is immune to side-channel attacks that rely on leakage of information through the branch-prediction unit.
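Added example (editor's code, not DD-WRT's, OpenSSH's or any poster's). The openssl commands quoted above produce a PKCS#8/SubjectPublicKeyInfo PEM public key, but what the WEBUI field and the sshd_authorized_keys NVRAM variable want is the one-line OpenSSH "ssh-ed25519 AAAA..." form, and the ssh client's "invalid format" message is what OpenSSH prints when the private-key file is not in a container it can parse. The script below does the public-key conversion with the standard library only, round-trips the result to check it, and classifies a private-key file by its PEM header. The sample PEM is constructed (it encodes the non-random key bytes 0x00..0x1f in the exact layout openssl writes), and the comment string and the hypothetical file names are illustration only.

```python
"""Convert an Ed25519 public key from the PKCS#8/SPKI PEM that
`openssl pkey -pubout` writes into the OpenSSH authorized_keys line that
DD-WRT's WEBUI key field / sshd_authorized_keys expects, and classify a
private-key file so the client-side "invalid format" error can be explained.
Added example; stdlib only."""
import base64
import struct

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410): SEQUENCE {
# SEQUENCE { OID 1.3.101.112 }, BIT STRING (0 unused bits) <32 raw bytes> }.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
KEY_TYPE = b"ssh-ed25519"

# Constructed sample: the PEM openssl would write for the (deliberately
# non-random) raw public key 0x00,0x01,...,0x1f. A real key has the same
# shape: the fixed "MCowBQYDK2VwAyEA" prefix followed by the key bytes.
SAMPLE_PUBLIC_PEM = """-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAAAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=
-----END PUBLIC KEY-----
"""


def _pem_body(pem: str, label: str) -> bytes:
    """Return the DER bytes between -----BEGIN label----- and -----END label-----."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != f"-----BEGIN {label}-----" or lines[-1] != f"-----END {label}-----":
        raise ValueError(f"not a '{label}' PEM block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def raw_ed25519_from_pkcs8_pem(pem: str) -> bytes:
    """Extract the 32 raw public-key bytes from an Ed25519 SPKI PEM."""
    der = _pem_body(pem, "PUBLIC KEY")
    if len(der) != 44 or not der.startswith(ED25519_SPKI_PREFIX):
        raise ValueError("PEM is not an Ed25519 SubjectPublicKeyInfo")
    return der[len(ED25519_SPKI_PREFIX):]


def _ssh_string(b: bytes) -> bytes:
    # RFC 4251 'string': uint32 big-endian length followed by the bytes.
    return struct.pack(">I", len(b)) + b


def authorized_keys_line(raw: bytes, comment: str = "") -> str:
    """Build 'ssh-ed25519 <base64 wire blob> [comment]' (RFC 8709 encoding)."""
    if len(raw) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    blob = _ssh_string(KEY_TYPE) + _ssh_string(raw)
    line = f"{KEY_TYPE.decode()} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def raw_ed25519_from_authorized_keys(line: str) -> bytes:
    """Inverse: parse an authorized_keys line back to the 32 raw key bytes."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != KEY_TYPE.decode():
        raise ValueError("not an ssh-ed25519 authorized_keys line")
    blob = base64.b64decode(fields[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    ktype, rest = blob[4:4 + n], blob[4 + n:]
    (m,) = struct.unpack(">I", rest[:4])
    raw = rest[4:4 + m]
    if ktype != KEY_TYPE or m != 32 or rest[4 + m:]:
        raise ValueError("malformed ssh-ed25519 blob")
    return raw


def classify_private_key(pem: str) -> str:
    """Report which container a private-key file uses. `ssh-keygen -t ed25519`
    writes the 'OPENSSH PRIVATE KEY' container that the ssh client loads;
    `openssl genpkey` writes a PKCS#8 'PRIVATE KEY' container instead, which
    is the usual reason for the 'invalid format' message in this thread."""
    stripped = pem.strip()
    first = stripped.splitlines()[0].strip() if stripped else ""
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        return "openssh"
    if first in ("-----BEGIN PRIVATE KEY-----", "-----BEGIN ENCRYPTED PRIVATE KEY-----"):
        return "pkcs8"
    return "unknown"


if __name__ == "__main__":
    raw = raw_ed25519_from_pkcs8_pem(SAMPLE_PUBLIC_PEM)
    line = authorized_keys_line(raw, "router-admin")  # comment is illustrative
    assert raw_ed25519_from_authorized_keys(line) == raw
    print(line)  # paste this line into the WEBUI key field / sshd_authorized_keys
```

In practice the simpler route is to skip openssl entirely: `ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519` writes both the private key (OpenSSH container) and the matching `id_ed25519.pub` line, and `ssh-keygen -y -f ~/.ssh/id_ed25519` reprints that public line from the private file if the .pub is lost. The converter above is for the case where a PKCS#8 public key already exists and only the router side needs fixing; after pasting the line, the poster's own `nvram show | grep ssh` shows whether sshd_authorized_keys took it.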
droidus wrote:
What good is what for? It was mentioned to use ed25519 keys instead of rsa....
As I wrote before, RSA encryption can still be used, but the SSH client must be able to handle both RSA and ed25519 (since the router fingerprint uses ed25519).
And as I wrote before you can easily create an ed25519 key pair in the router GUI (generate and download keys) if you don't have ssh-keygen or puttygen.
Well, I am using ed25519 keys, for now. I saved, applied the settings, and rebooted the machine, and it still fails to connect with the same error message.
Posted: Thu Jun 08, 2023 12:42 Post subject:
droidus wrote:
Well, I am using ed25519 keys, for now. I saved, applied the settings, and rebooted the machine, and it still fails to connect with the same error message.
You have to reboot the router, as dale_gribble39 said, because converting the NVRAM variable sshd_authorized_keys to ~/.ssh/authorized_keys happens only during startup(??).
Be a bit patient... I can tell you that Windows 10's built-in OpenSSH works fine with the ed25519 key generated by DD-WRT. But there was some strangeness the last time I tried it. I have yet to attempt it again to find out why. I have since forgotten the steps I took.