Ssh by private key failed after sysupgrade the system

I put a public key in file "/etc/dropbear/authorize_key", and can use private key to ssh to the openwrt system.

But after I sysupgrade the system by using "sysupgrade xxx.bin" , I can't ssh by private key. It said "Permission denied(publickey)". I tried to ssh on system by password, and check the files in /etc/dropbear that are not be modified.

I tried to clear the file "/etc/dropbear/dropbear_rsa_host_key" and restart the dropbear service, which can make ssh successfully again.

I know /lib/upgrade/keep.d/ will keep the files in /etc/dropbear/, but I don't understand why ssh failed after sysupgrading, the files in /etc/dropbear/ are not changed.

Is there anyone know about this? Thanks!

Perhaps you forgot to specify the login name for root.
SSH uses your active user name by default, which apparently doesn't exist or isn't configured for key-based authentication on the destination host.

1 Like

You configured the key in the wrong place. It should be in authorized_keys not dropbear_rsa_host_key.

2 Likes

But still wrong.

1 Like

Sorry, it's typo in the post.
I put right file on the system, it is authorized_keys that's why I can ssh by private key at first.

I mean after sysupgrading, /etc/dropbear are kept, but ssh by private key is failed.
But once I clear the file /etc/dropbear/dropbear_rsa_host_key and restart dropbear (which will generate a new dropbear_rsa_host_key), I can ssh by private key again.

I wonder why the files kept but ssh fails, am I missing something I don't know.

1 Like

Possibly your old host key was generated by an algorithm that has already been deprecated and is not supported with the current dropbear or your SSH client. Something like that (as regenerating the host key fixes things).

2 Likes

Thanks for the reply.
I guess you are right. I have a workaround solution that delete the "/etc/dropbear/" entry in '/lib/upgrade/keep.d", which will delete the old rsa_host_key file and make dropbear generate new dropbear_rsa_host_key after sysupgrading.

But I still wonder why and what makes the old host key be deprecated after sysupgrading. If I keep the authorized_key and dropbear_rsa_host_key during sysupgrading, I guess it is like a normal reboot for dropbear, its configuration files are not changed and application(dropbear) is still not be changed.

From which to which OpenWrt release have you sysupgraded?

1 Like

from 19.07.2 to 19.07.2

The same image

Check ifupgrade changes access permissions of files in /etc/dropbear

1 Like

Awesome! You're right!

I use image-builder to generate image, and apply my custom files, I put the authorized_keys file to /etc/dropbear, and forget to adjust the permission of the directory which should be 0700.

I solved it yesterday, haven't posted here in time.

Thank you all again.

The etc/dropbear dir can be 755, the authorized_keys file can be 644 and it will still work. It also depends if users other than root are loging in.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.