New Member
Posts: 5
Registered: ‎04-15-2018

Adding a YubiKey SSH public key to Edgerouter throws an error

Hey guys,

I'm trying to set up my 2 Edgerouter Infinity for SSH authentication with YubiKey public keys.

Unfortunately, it won't accept the keys.

Either on the GUI or on the CLI it says "specified configuration is not valid"

set system login user admin authentication public-keys admin key ssh-rsa AAAAB3NzaC1yc2BAQDFlJc/rqUpTnoT/EHCvkeBeJ7/+l5Yk....HfWMdsq5j cardno:0006....066
The specified configuration node is not valid

I tried with and without the "ssh-rsa" bit as well as with and without the "cardno: ... " part. I also tried the good old

ssh-copy-id

but none of that works and I'm running out of ideas.

Senior Member
Posts: 3,234
Registered: ‎08-06-2015
Kudos: 1383
Solutions: 186

Re: Adding a YubiKey SSH public key to Edgerouter throws an error

This works for me:

set system login user admin authentication public-keys admin@host key "<publickeyhere>"

You would not include the "cardno" - just the public key itself. If the key is not a valid public key it will not be accepted.

New Member
Posts: 5
Registered: ‎04-15-2018

Re: Adding a YubiKey SSH public key to Edgerouter throws an error

I got it working. The first problem was indeed having "ssh-rsa" and "cardno:..." included in the key. But after removing that it still wouldn't accept the commit. Reason was that despite setting ssh to not accept password authentication, EdgeOS still forces you to set a password. So the individual commands work, but the commit fails.

So the red lines are important even if you do not intend to log in with a password:

set system login user admin authentication encrypted-password '$6$1EG...be1'
set system login user admin authentication plaintext-password ''
set system login user admin authentication public-keys admin key AAAAB3Nz....fWMdsq5j
set system login user admin authentication public-keys admin type ssh-rsa
set system login user admin level admin
set service ssh disable-password-authentication
set service ssh protocol-version v2
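
As an added example (not part of the original thread and not Ubiquiti code): a Python helper that splits an OpenSSH public key line like the one in the first post into the separate `type` and `key` values used by the commands above, drops the `cardno:` comment, and rejects a truncated or mismatched blob before it is pasted into the router. The function names, the default user and key identifier, and the sample key (constructed, not a usable key) are assumptions.

```python
import base64
import binascii
import struct

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data

# Constructed sample, not a usable key: a well-formed ssh-rsa blob (e=65537,
# dummy modulus) followed by a placeholder smartcard comment.
_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
         + _ssh_string(b"\x00" + b"\xc3" * 256))
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(_BLOB).decode() + " cardno:000000000000"

def parse_pubkey_line(line: str):
    """Return (key_type, blob_b64, comment) after checking the blob is sane."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, blob_b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("key blob is not valid base64 (truncated paste?)") from exc
    # The blob starts with its own copy of the key type as an SSH string.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match the type inside the blob")
    return key_type, blob_b64, comment

def edgeos_commands(line: str, user: str = "admin", key_id: str = "admin"):
    """Build the two 'set' commands: type and bare blob, comment dropped."""
    key_type, blob_b64, _comment = parse_pubkey_line(line)
    base = f"set system login user {user} authentication public-keys {key_id}"
    return [f"{base} type {key_type}", f"{base} key {blob_b64}"]

if __name__ == "__main__":
    print("\n".join(edgeos_commands(SAMPLE_LINE)))
```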


New Member
Posts: 16
Registered: ‎04-30-2018
Kudos: 1

Re: Adding a YubiKey SSH public key to Edgerouter throws an error

Yeah, sshd by default has 'PermitEmptyPasswords' set to no. These days it doesn't make sense to have password-less accounts, where if accessed by a non-ssh login... it'll let you in without prompting for anything further...

Also the commit def checks that "user password must be specified" is met.
