Emerging Member
Posts: 63
Registered: ‎05-02-2013
Kudos: 30
Solutions: 2
Accepted Solution

ssh authorized_keys

Hi, Just got my ERL the other day and so far it is running well.

 

I usually use passwordless ssh and yet when I went to set the same thing up on the ERL it is still prompting for a password. Is there a proper method of accomplishing this for the ERL written somewhere?

 

I also installed nano. Will my changes (passwordless ssh and packages) persist reboot/upgrade? 

 

Also, how do I turn on tab autocompletion for shell/cli?

 

Thanks 


Accepted Solutions
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5373
Solutions: 1655
Contributions: 2

Re: ssh authorized_keys

Yes, the public key can be set in the configuration using the settings under "system login user <username> authentication public-keys". There is also a "loadkey" command that takes the public key file and sets the settings automatically. For example, copy the public key file to the router (e.g., "/tmp/ubnt.pub") and then (in configure mode) use this command to set the key for user "ubnt":

 

root@ubnt# loadkey ubnt /tmp/ubnt.pub                                            
Done                                                                            
[edit]                                                                          
root@ubnt# show system login user ubnt                                          
 authentication {                                                               
     encrypted-password $1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.                      
     public-keys ubnt@host {                                               
         key ...
         type ssh-rsa                                                           
     }                                                                          
 }                                                                              
 level admin                                                                    
[edit]                                                                          
root@ubnt#

 

Since this is part of the configuration, it persists across both reboots and upgrades. As discussed in other threads, added packages etc. persist across reboots (but not upgrades, you would need to add custom scripts etc.).

 

For non-root users, tab completion is enabled only for the router commands (e.g., "show", "set", etc.). If you want the full completions like a regular shell, you can switch to the root user (e.g., "sudo -i" to get a root shell) or add "source /etc/bash_completion" to your ".bashrc".



All Replies
Emerging Member
Posts: 63
Registered: ‎05-02-2013
Kudos: 30
Solutions: 2

Re: ssh authorized_keys


Thanks, I got it set.  Took a couple tries and

set service ssh disable-password-authentication

 

 I didn't see the wiki page at the time. http://wiki.ubnt.com/Access_Using_SSH

Established Member
Posts: 1,164
Registered: ‎08-17-2010
Kudos: 212
Solutions: 19

Re: ssh authorized_keys

I know this is a bit old now, but does:

 

set service ssh disable-password-authentication

disable password auth for all users or just the logged in user?

 

SuperUser
Posts: 17,828
Registered: ‎09-17-2013
Kudos: 4452
Solutions: 1252

Re: ssh authorized_keys

looks like it's global.

 

set system login user testuser authentication plaintext-password  password
commit
exit
exit

followed by

$ ssh testuser@router
Welcome to EdgeOS

By logging in, accessing, or using the Ubiquiti product, you
acknowledge that you have read and understood the Ubiquiti
License Agreement (available in the Web UI at, by default,
http://192.168.1.1) and agree to be bound by its terms.

Enter passphrase for key '.ssh/id_rsa':
Permission denied (publickey).

 

Established Member
Posts: 1,164
Registered: ‎08-17-2010
Kudos: 212
Solutions: 19

Re: ssh authorized_keys

@dpurgert I got the same thing. Just created a new feature request, please go vote for it.

 

http://community.ubnt.com/t5/EdgeMAX-Feature-Requests/ssh-keys-by-user-not-global/idi-p/1365916

 

New Member
Posts: 1
Registered: ‎10-09-2015

Re: ssh authorized_keys

This doesn't seem to work on EdgeRouter X models. How would one perform similar actions on those models?

 

I have tried the following:

 

root@ubnt:~# loadkey
-bash: loadkey: command not found

 

root@ubnt:~# show system login user ubnt
Invalid command

 

Thanks.

Established Member
Posts: 952
Registered: ‎10-01-2014
Kudos: 450
Solutions: 45

Re: ssh authorized_keys

Did you run configure first, before you ran those commands?
Emerging Member
Posts: 63
Registered: ‎05-02-2013
Kudos: 30
Solutions: 2

Re: ssh authorized_keys

To allow multiple different users to log in to the same username via PubkeyAuthentication, normally you would just append each user's public key onto /home/<username>/.ssh/authorized_keys

WRT edgerouter sshd, you can rerun the loadkey command in cli against each key and it will append it for you.

If you want anyone to be able to log in via password, then you can't disable it. It's all controlled through /etc/ssh/sshd_config and the cli commands are just shorthand to editing that afaik

New Member
Posts: 16
Registered: ‎01-10-2016
Kudos: 4

Re: ssh authorized_keys

These commands must be executed in 'configure' mode.

Regular Member
Posts: 687
Registered: ‎03-02-2016
Kudos: 174
Solutions: 54

Re: ssh authorized_keys


For some reason I can't login to my ERX SFP using a key file. Putty complains that no supported auth methods are available and says the server sent only "publickey". I have the corresponding private key file in Putty's "auth" page. It works just fine for my Tomato routers and my Ubuntu machine.

 

 

ubnt@ubnt# show system login user david
 authentication {
     encrypted-password $6$LpluaXuxx$W5.WV.9ov6S8znGVJXhOz8FDOTSaJ0dPCw0Fholhz6waRupJF45Hw5BNn2ZbH0fEMs9ZMxNpsHnG4q5B9smmr1
     plaintext-password ""
     public-keys tomatoHome4096_20131118 {
         key ...
         type ssh-rsa
     }
 }
 level admin

 

At first I thought it might have something to do with changing the key's comment to remove spaces (so loadkey would accept it), but after saving a private key without the spaces it makes no difference. I'm sure it's something stupid. Any ideas?

 

(I'm just playing around with this router at the moment, so no worries about data security in the above)

SuperUser
Posts: 17,828
Registered: ‎09-17-2013
Kudos: 4452
Solutions: 1252

Re: ssh authorized_keys

have you imported the right private key into PuTTY? (i've done the 'import the wrong key' bit before ...)

Regular Member
Posts: 687
Registered: ‎03-02-2016
Kudos: 174
Solutions: 54

Re: ssh authorized_keys

Yes, it's always been in there. It's an SSH keypair I use for a variety of servers. Works just fine with every other connection.

 

I created a new connection in Putty, just to be sure, and added everything in from scratch. Putty's event log shows it's offering the key and the ER is refusing it. I'm baffled. This should be really, really simple. So either I'm missing something big or there is a serious problem with EdgeOS. I am leaning toward the former, but have no idea what it could be.

 

From Putty's log:

2016-05-23 18:52:24	Reading private key file "C:\Documents and Settings\david\My Documents\ssh\tomato home 4096 20131118.ppk"
2016-05-23 18:52:25	Offered public key
2016-05-23 18:52:25	Server refused our key
2016-05-23 18:52:25	Disconnected: No supported authentication methods available (server sent: publickey)
SuperUser
Posts: 17,828
Registered: ‎09-17-2013
Kudos: 4452
Solutions: 1252

Re: ssh authorized_keys

are you supplying the login info as "user@host"?

IIRC, I had to do that with PuTTY as well ... but I've since formatted and upgraded to Linux ...

Regular Member
Posts: 687
Registered: ‎03-02-2016
Kudos: 174
Solutions: 54

Re: ssh authorized_keys


Interesting. Just tried that, and same thing:

 

login as: david@ubnt
Welcome to EdgeOS

By logging in, accessing, or using the Ubiquiti product, you
acknowledge that you have read and understood the Ubiquiti
License Agreement (available in the Web UI at, by default,
http://192.168.1.1) and agree to be bound by its terms.

Server refused our key

Also worth noting this is an otherwise straight-out-of-the-box router.

 

Edit: just tried creating a totally new 2048 bit key pair. No luck.

 

Edit 2: Also tried adding the public key to the ubnt user's profile with loadkey. No luck either.

Regular Member
Posts: 687
Registered: ‎03-02-2016
Kudos: 174
Solutions: 54

Re: ssh authorized_keys

Update: figured it out. The home directory for the user david was not owned by the user. It was owned by uid 1001 - not sure what that was. 

 

This post helped me: https://community.ubnt.com/t5/EdgeMAX/SSH-key-refused-even-though-it-s-the-right-key/m-p/1453343#M94...

Established Member
Posts: 1,245
Registered: ‎05-03-2016
Kudos: 420
Solutions: 119

Re: ssh authorized_keys


gfunkdave wrote:

Update: figured it out. The home directory for the user david was not owned by the user. It was owned by uid 1001 - not sure what that was. 

 

This post helped me: https://community.ubnt.com/t5/EdgeMAX/SSH-key-refused-even-though-it-s-the-right-key/m-p/1453343#M94...


The uid problem can occur if you ever recreated the user. If, for example, you created the user, then had to reset to use a wizard, and then created the same user again. The user is recreated with a new uid but the home dir never got deleted and instead was reused without changing the uid of the original owner on it. If you look in /etc/passwd most likely your uid is now 1002.

New Member
Posts: 16
Registered: 4 weeks ago

Re: ssh authorized_keys

not only did i have the bad userid problem, but the ~/.ssh had the wrong perms, as did ~/.ssh/authorized_keys. easy to hack once i found it; used cli in the web gooey.
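
The last three posts trace "Server refused our key" to a home directory owned by a stale uid and to wrong permissions on ~/.ssh and ~/.ssh/authorized_keys. The script below is an added example, not code from the thread or from EdgeOS: it approximates the checks OpenSSH's sshd makes when StrictModes is on (the default), namely that each path is owned by the user or root and is not group- or world-writable. The function name `check_ssh_paths` and its output format are made up for this example.

```shell
#!/bin/sh
# Added example: approximate sshd's StrictModes checks on the paths
# involved in public-key login. Not part of EdgeOS.
#
# check_ssh_paths HOME_DIR EXPECTED_UID
#   Prints one line per problem; returns 0 if clean, 1 otherwise.
check_ssh_paths() {
    csp_home=$1
    csp_uid=$2
    csp_rc=0
    for csp_p in "$csp_home" "$csp_home/.ssh" "$csp_home/.ssh/authorized_keys"; do
        if [ ! -e "$csp_p" ]; then
            echo "MISSING $csp_p"
            csp_rc=1
            continue
        fi
        csp_owner=$(stat -c '%u' "$csp_p")
        csp_mode=$(stat -c '%a' "$csp_p")
        # Owner must be the account's current uid, or root (uid 0).
        if [ "$csp_owner" != "$csp_uid" ] && [ "$csp_owner" != "0" ]; then
            echo "OWNER $csp_p is uid $csp_owner, expected $csp_uid"
            csp_rc=1
        fi
        # Group/other write bits (octal 022) must be clear.
        if [ $(( 0$csp_mode & 022 )) -ne 0 ]; then
            echo "MODE $csp_p is $csp_mode (group- or world-writable)"
            csp_rc=1
        fi
    done
    return $csp_rc
}

# When called with arguments, check a real account, e.g.:
#   sh check.sh /home/david "$(id -u david)"
if [ $# -ge 2 ]; then
    check_ssh_paths "$1" "$2"
fi
```

An OWNER line with a uid that no longer appears in /etc/passwd matches the recreated-user case described above; a MODE line matches the permissions case in the last post.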