SSH access for newcomers

Trying to add keys for auto-login during SSH connection. Tried following the subject tutorial but quickly ran into problems.

Public Key that LUCI will accept: Could not add public key to device using LUCI. Error Msg: "The given SSH public key is invalid. Please supply proper public RSA, ED25519 or ECDSA keys." The tutorial does not specify which encryption algorithm to select when generating keys using PuttyGen. First attempt to find a public key LUCI would accept was using RSA. Failing that, tried again using ED25519. Still, not acceptable to LUCI.

Is this a LUCI issue? I'm inclined to think not given the lack of forum material covering the topic.
Is there related but important info missing from the tutorial that would make this all work as intended?

Plz advise...
Thx

Make sure you are pasting the public key into the LuCI box. In Puttygen, it’s listed in the box ‘Public key for pasting into OpenSSH authorized_keys file’

It should start with ssh-rsa

2 Likes

Hello and thx for replying. The LUCI prompt (light grey text in field) states to "Paste or drag SSH Key file". A file differs from a text string so therein lay part of the tutorial issue.
One small step... but after pasting the text string from PuttyGen LUCI still isn't happy. In a large yellow-ish field at the top of the page are the words "Unspecified error". Hmm...

Interesting paradox - using Putty config'd to use the brand spanking new ED25519 keys the handshake fails with "Server refused our key". However, logon using SSH from the Windows CMD terminal generates a trust warning/prompt about the new key. A 'yes' reply adds the key to the known hosts list. However, upon running command
dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key
the displayed result is still the old RSA key and not the new ED25519 so WTH is wrong!? The public key is located in /etc/dropbear/authorized_keys.

root@Router-Downstairs:/etc/dropbear/authorized_keys# ls -l -d
drw-------    2 root     root           232 Dec 11 18:14 .
root@Router-Downstairs:/etc/dropbear/authorized_keys# ls -l
-rw-r--r--    1 root     root           163 Dec 11 18:37 id_ED25519.pub

FWIW the device is a Linksys EA8300 running fresh, basic OW 22.03.2 which replaced the OEM factory firmware.

Finally, etc/dropbear contains the following and from where they originated I do not know. I have to assume they arrived with OW 22.03.2.

root@Router-Downstairs:/etc/dropbear# ls -l
drw-------    2 root     root           232 Dec 11 18:14 authorized_keys
-rw-------    0 root     root            83 Oct 14 15:44 dropbear_ed25519_host_key
-rw-------    0 root     root           805 Oct 14 15:45 dropbear_rsa_host_key

So frustrating, this is.

authorized_keys is a file, not a directory. Somehow you ended up with a directory, so Luci cannot create the file with the same name. Remove the directory and try Luci again.

Or

cat /etc/dropbear/authorized_keys/id_ED25519.pub > /etc/dropbear/authorized_keys.tmp
rm -rf /etc/dropbear/authorized_keys
mv /etc/dropbear/authorized_keys.tmp /etc/dropbear/authorized_keys
chmod 600 /etc/dropbear/authorized_keys
ls -laR /etc/dropbear/
2 Likes
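Added example, not part of the thread or of OpenWrt: a small POSIX shell check for the two failure modes seen above, an `authorized_keys` path that is a directory rather than a file, and key text that is not the one-line OpenSSH form (PuTTYgen's "Save public key" button writes a multi-line RFC 4716 file instead). The function name `check_authorized_keys` and its return codes are this example's own conventions.

```shell
#!/bin/sh
# Added example: diagnose an authorized_keys path such as /etc/dropbear/authorized_keys.
# Return codes (this example's convention):
#   0 usable, 1 missing, 2 is a directory, 3 mode is not owner-only, 4 bad key line
# Only bare "type base64 [comment]" lines are handled; option prefixes are reported as bad.
check_authorized_keys() {
    f="$1"
    if [ -d "$f" ]; then
        echo "$f is a directory; it must be a regular file"
        return 2
    fi
    if [ ! -f "$f" ]; then
        echo "$f does not exist"
        return 1
    fi
    # Read the mode from ls -l so no stat binary is needed (BusyBox-friendly).
    mode=$(ls -l "$f" | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) ;;
        *) echo "$f has mode $mode; the fix above applies chmod 600"; return 3 ;;
    esac
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;
            '---- BEGIN SSH2'*)
                echo "line $n: RFC 4716 file from PuTTYgen 'Save public key'; paste the one-line OpenSSH text instead"
                return 4 ;;
            'ssh-rsa '?*|'ssh-ed25519 '?*|'ecdsa-sha2-nistp'*' '?*) ;;
            *) echo "line $n: does not start with a known key type"; return 4 ;;
        esac
    done < "$f"
    echo "$f looks usable"
    return 0
}
# On the router: check_authorized_keys /etc/dropbear/authorized_keys
```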

Doh! :astonished:
OK, LUCI is happy now and I'm feeling a little better too. :slightly_smiling_face:

I still have some niggling tweaks to figure out to ensure password prompt is not required.

Thank you! :face_with_monocle:

Suggested re-write of the Putty section:

PuTTY gives you command-line access to OpenWrt.

  1. Download PuTTY, get the 32bit PuTTY.exe from the Alternative binary files section.

  2. Start PuTTY.exe on your Windows client → PuTTY's login window pops up.

  3. Go to the Session category of PuTTY's login window, look for the field Host Name (or IP address) and simply enter the IP-address (e.g. 192.168.1.1) of your OpenWRT device. Keep the default provided port 22.

  4. Setting up key-based authentication. Refer to the PuTTYgen image below during these next steps.

4.a. With PuTTY you should also have an app named PuTTYgen.exe. Start PuTTYgen. Notice that "RSA" is already pre-selected as the default encryption algorithm and is acceptable to leave as is.

4.b. Press the "Generate" button. You'll be prompted to randomly move your mouse around inside of Puttygen to seed the new encryption keys. This will generate a Public and Private keyed pair.

4.c. Next, on your OpenWRT device's LUCI webpage navigate to System → Administration → SSH Access tab. Back at PuTTYgen, select all the text from the large text field labeled "Public key for pasting into OpenSSH authorized_keys file:" and paste it into the OpenWRT field with the light grey text that reads "Paste or drag SSH file...". Click the adjacent "Add key" button. This will add your Public key to OpenWRT's recognized hosts list.

4.d. Within PuTTYgen select the "Save private key" button to store your Private key to a secure location of your choosing. Note the location you save it to because you'll need this location a few steps from now. You may also save your Public key at this time. Recommend keeping it separate from the Private key. We're done with PuTTYgen so you can close PuTTYgen at this time.

[Image: puttygen]

  5. Back at Putty (not PuTTYgen), select Connection → SSH → Auth. Click the "Browse..." button and navigate to the location of your Private key that you saved in Step 4.d above. Select your Private key and click Open.

  6. In Putty navigate to Connection → Data and in the Auto-login username field enter "root" (without the quotes).

  7. In Putty's navigation tree select Session from the top of the tree. In the 'Saved Sessions' field, give this connection a suitable name, e.g., OpenWRT.lan, and click Save.

  8. You're now ready to connect to your OpenWRT device. Click the Open button at the bottom of the PuTTY app to open this connection. This will pop up a shell window prompting for your OpenWRT password. If you have not yet set a password hit Enter at the prompt. FYI - to set the password from within OpenWRT using LUCi navigate to System -> Administration -> OpenWRT Password.

  9. Done, you are logged into the OpenWrt command line.

Automating connections: To make a PuTTY shortcut with an automatic login, create one and append the saved session with an @ sign, for example call PuTTY with: putty.exe @OpenWRT.lan

1 Like
