Ssh rsa key refused

What can be the cause that refuses me the key ssh rsa?

ssh-rsa AAAAB3Nz................F3KycJRroXvAFa/mpN56JxSx gevagiorgio@PC-Ufficio

rsa is right kind ?
Need some module ?
I copied it from the HTML page of an old OpenWrt, where the key work to html page of the new OpenWrt where it does not work.

Possibly too short (less than 2048 bits?), so that it gets rejected as insecure? Or the algortihm used is disabled as insecure. Or something like that.

There have been that kind of gradual changes during the years, so if you copy something from an ancient 15.05 or earlier, it is quite possible that something has changed.

Alternatively: a copy-paste error in the new javascript based functionality. Test with editing the key files via normal SSH console or copying with scp.

1 Like

... are caracter. Body of key is 372 Caracters.

Working old version.
cat openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='SNAPSHOT'
DISTRIB_REVISION='r6910-afbb3d2'
DISTRIB_TARGET='ramips/rt305x'
DISTRIB_ARCH='mipsel_24kc'
DISTRIB_DESCRIPTION='OpenWrt SNAPSHOT r6910-afbb3d2'
DISTRIB_TAINTS='no-all'

Copied, using SCP.
authorized_keys
dropbear_rsa_host_key

Same refuse

You don't need to copy the rsa_host_key.
Make sure the rsa key is all in one line!

Key is a sigle line and leght is 2048 bit

openssl rsa -text -noout -in id_rsa
Private-Key: (2048 bit)

Can you create a new key and try with ssh-copy-id ?
Also what are the permissions?
ls -la /etc/dropbear/

Have no line breaks in the key. Needs to be all on one line.

When you say it is "rejected", how so? What do you see as error messages or log files?

1 Like

It's all in one line, it doesn't have breaks.
The client says key refused.
How can I enable seeing a log?

logread would be a good start.
Did you try what I mentioned above?

root@BatteryPoE:/# ls -la /etc/dropbear/
drwx------    1 root     root             0 Sep 26 14:46 .
drwxrwxrwx    1 root     root             0 Sep 26 14:45 ..
-rw-rw-rw-    1 root     root           402 Sep 26 14:46 authorized_keys
-rw-------    1 root     root           805 Sep 22 17:00 dropbear_rsa_host_key

From UBUNTU to Old (Working) and New (Not Working)

gevagiorgio@PC-Ufficio:~/openwrt$ ssh root@192.168.1.69
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:cQ/GfsKpGLmfKovrsMpea8m/pagC/SWAkLGlx00IcQU.
Please contact your system administrator.
Add correct host key in /home/gevagiorgio/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/gevagiorgio/.ssh/known_hosts:4
  remove with:
  ssh-keygen -f "/home/gevagiorgio/.ssh/known_hosts" -R 192.168.1.69
RSA host key for 192.168.1.69 has changed and you have requested strict checking.
Host key verification failed.
gevagiorgio@PC-Ufficio:~/openwrt$ ssh root@192.168.1.69


BusyBox v1.28.3 () built-in shell (ash)

  ___                     ___        _
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |__||   _|__||||__|||  |_|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r6910-afbb3d2
 -----------------------------------------------------
 -----------------------------------------------------
 shop.gevaelettronica.it    Battery PoE   Fw 3.0

 On html page, system / Local Startup, enable this files.

 /root/Leds.sh          Leds daemon and message on at TFT
 /root/CpConf.sh        Daemon for CPE config
 /root/OnCpScript.sh    File lauched on the CPE
 /root/system.cfg       CPE configuration, to load

 -----------------------------------------------------
root@BatteryPoE:~#

logread

Fri Sep 27 10:21:57 2019 authpriv.info dropbear[1801]: Child connection from 192.168.1.30:60825
Fri Sep 27 10:21:58 2019 authpriv.info dropbear[1801]: Exit before auth: Exited normally

I think it's a BUG last Relise of OpenWrt

root@BatteryPoE:/etc/dropbear# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDatzK/EB2aUXazvtPFZxUOPZHYjvpzFkPuyQ9e1tkvJ5a+tVowQL9xUb1hb009MTXHGZzOpIFoNJWT8Zxq7QQ3KOO5WN6PCf57SW5rEXVhhlvq7qqUlV7n4VRiqpO4sfs1cSia+2WYBPEAAHzpeE4GolGcoFHEYfWvbgIXITimjakUU9riDbRYJL7bjdkmg4M3I74L14XpLTLS4+cwD6YRa9mD0TRy1GXfPSdn6Ot3AawSprpnXaV5yrrUOw5154kQQdrrfPNzDB5i9JA+rpLTJte+wYLbuYQA4zmb3bBxrQxtYHhPiVRQzhQlLnA7F3KycJRroXvAFa/mpN56JxSx geva-giorgio@Ufficio
root@BatteryPoE:/etc/dropbear#
root@BatteryPoE:/etc/dropbear# ls -la
drwx------ 1 root root 0 Sep 27 10:37 .
drwxrwxrwx 1 root root 0 Sep 22 17:05 ..
-rw-rw-rw- 1 root root 402 Sep 27 10:37 authorized_keys
-rw------- 1 root root 805 Sep 22 16:59 dropbear_rsa_host_key
root@BatteryPoE:/etc/dropbear#
root@BatteryPoE:/etc/dropbear# ^C

Try this:
chmod 644 /etc/dropbear/authorized_keys

gevagiorgio@PC-Ufficio:~$ ssh root@192.168.1.69
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:affD2OE4wVW4CYL5Se3XtYTdz9DlBkLKbQuzU2nwdbc.
Please contact your system administrator.
Add correct host key in /home/gevagiorgio/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/gevagiorgio/.ssh/known_hosts:4
remove with:
ssh-keygen -f "/home/gevagiorgio/.ssh/known_hosts" -R 192.168.1.69
RSA host key for 192.168.1.69 has changed and you have requested strict checking.
Host key verification failed.

root@BatteryPoE:/sys/devices/platform/leds/leds# ls -la /etc/dropbear/authorized
_keys
-rw-r--r-- 1 root root 402 Sep 27 10:37 /etc/dropbear/authorized_keys

On the new one:

cat /etc/openwrt_version 
dropbear -V
dropbear -F -E -p 2222

Then try to login on port 2222 and post output from OpenWrt.

something has changed?

That means the host key doesn't match the client's "known host" record for a previous connection to this IP or hostname.

It has nothing to do with authorized_keys. This is used later for the host to authenticate the client, after the client is satisfied that the host is authentic by checking the host key.

The host key is randomly generated the first time dropbear starts on a new OpenWrt install. I've never tried to import or preserve a host key.

Unless you have a reason to make it more complicated than it is, and you are sure there is no man in the middle, you should simply run the suggested ssh-keygen -R command on the client. That will make it forget the old key and not throw that message.

4 Likes

Either it can be too short and got rejected or algorithm used is diabled as insecure.

Like mk24 says, that is a normal "host key changed" error on the PC that you are making the ssh connection from. The ssh client stores fingerprints of the servers that you connect to, and if the fingerprint is different in a new connection, you get this error.

As the host key is automatically generated, you will get this error after you reflash the router (the ssh server) without keeping settings. Or if a new router gets an IP address that belonged earlier to another device, so that the ssh client sees a new host key that differentiates from the one in its database.

The easy fix is to run this command in the PC that you are making connections from:

Too bad that you did not show the actual error message initially...

1 Like

The last line of the message says:
"Host key verification failed."

If you want to know more you have to tell me how to retrieve information.

What is the name of the modules that decree this type of key?
Where do I find the options?

This is my custom build.

Really? :roll_eyes:

Please, restore the /, /etc and /etc/dropbear permissions to factory defaults and read the documentation:
https://openwrt.org/docs/guide-user/security/dropbear.public-key.auth#troubleshooting

1 Like