Ssh by private key failed after sysupgrade the system

ryanking8215 · September 21, 2020, 12:00pm

I put a public key in file "/etc/dropbear/authorize_key", and can use private key to ssh to the openwrt system.

But after I sysupgrade the system by using "sysupgrade xxx.bin" , I can't ssh by private key. It said "Permission denied(publickey)". I tried to ssh on system by password, and check the files in /etc/dropbear that are not be modified.

I tried to clear the file "/etc/dropbear/dropbear_rsa_host_key" and restart the dropbear service, which can make ssh successfully again.

I know /lib/upgrade/keep.d/ will keep the files in /etc/dropbear/, but I don't understand why ssh failed after sysupgrading, the files in /etc/dropbear/ are not changed.

Is there anyone know about this? Thanks!

vgaetera · September 21, 2020, 12:27pm

Perhaps you forgot to specify the login name for root.
SSH uses your active user name by default, which apparently doesn't exist or isn't configured for key-based authentication on the destination host.

trendy · September 21, 2020, 9:49pm

You configured the key in the wrong place. It should be in authorized_keys not dropbear_rsa_host_key.

vgaetera · September 21, 2020, 10:04pm

But still wrong.

ryanking8215 · September 22, 2020, 1:03am

Sorry, it's typo in the post.
I put right file on the system, it is authorized_keys that's why I can ssh by private key at first.

I mean after sysupgrading, /etc/dropbear are kept, but ssh by private key is failed.
But once I clear the file /etc/dropbear/dropbear_rsa_host_key and restart dropbear (which will generate a new dropbear_rsa_host_key), I can ssh by private key again.

I wonder why the files kept but ssh fails, am I missing something I don't know.

hnyman · September 22, 2020, 3:52am

Possibly your old host key was generated by an algorithm that has already been deprecated and is not supported with the current dropbear or your SSH client. Something like that (as regenerating the host key fixes things).

ryanking8215 · September 22, 2020, 6:37am

Thanks for the reply.
I guess you are right. I have a workaround solution that delete the "/etc/dropbear/" entry in '/lib/upgrade/keep.d", which will delete the old rsa_host_key file and make dropbear generate new dropbear_rsa_host_key after sysupgrading.

But I still wonder why and what makes the old host key be deprecated after sysupgrading. If I keep the authorized_key and dropbear_rsa_host_key during sysupgrading, I guess it is like a normal reboot for dropbear, its configuration files are not changed and application(dropbear) is still not be changed.

tmomas · September 22, 2020, 9:58am

From which to which OpenWrt release have you sysupgraded?

ryanking8215 · September 22, 2020, 10:01am

from 19.07.2 to 19.07.2

The same image

anomeome · September 22, 2020, 3:35pm

Check ifupgrade changes access permissions of files in /etc/dropbear

ryanking8215 · September 23, 2020, 1:15am

Awesome! You're right!

I use image-builder to generate image, and apply my custom files, I put the authorized_keys file to /etc/dropbear, and forget to adjust the permission of the directory which should be 0700.

I solved it yesterday, haven't posted here in time.

Thank you all again.

trendy · September 23, 2020, 6:54am

The etc/dropbear dir can be 755, the authorized_keys file can be 644 and it will still work. It also depends if users other than root are loging in.

system · October 3, 2020, 6:54am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.