SSH RSA key refused

Not sure if I am falling for trolling by answering, but still...

Sounds like you still haven't understood what happens here.

The error/complaint comes from your PC, not the router. The SSH server automatically generates an RSA key & fingerprint, which others (clients) can use to identify the server. RSA is supported by all clients, so it is the default.

Likely something like this has happened.

  • you copied the key files from your own router
  • you flashed a new router
  • you used ssh or scp to access the router and to copy the old keys to the router (overwriting the automatically generated key)
  • at the next ssh login you suddenly get the error.

Note that at the step where you copy the old keys to the router, you have likely contacted the router with ssh/scp. Thus your PC already received the automatically generated fingerprint and stored it in its local database. After you replaced the key at the server, the client then notices that somebody has changed the host key for the server (that somebody was you...) and warns you. Just use the ssh-keygen command on the client to remove the old key from the local database.

By looking at the source code.

In OpenWrt master, the ssh server (dropbear) automatically creates both RSA and ECDSA host keys.
https://github.com/openwrt/openwrt/blob/master/package/network/services/dropbear/files/dropbear.init#L63

Like this:

 OpenWrt SNAPSHOT, r11120-c8933ce533
 -----------------------------------------------------
root@router1:~# ls -l /etc/dropbear/
-rwxr--r--    1 root     root           959 Nov 10  2016 authorized_keys
-rw-------    1 root     root           141 Sep  7 17:02 dropbear_ecdsa_host_key
-rw-------    1 root     root           805 Sep  7 17:02 dropbear_rsa_host_key

And "dropbearkey" is the command that you can use to generate new keys:

root@router1:~# dropbearkey
Must specify a key filename
Usage: dropbearkey -t <type> -f <filename> [-s bits]
-t type Type of key to generate. One of:
                rsa
                ecdsa
-f filename    Use filename for the secret key.
               ~/.ssh/id_dropbear is recommended for client keys.
-s bits Key size in bits, should be a multiple of 8 (optional)
           ECDSA has sizes 256
-y              Just print the publickey and fingerprint for the
                private key in <filename>.

I know that when the hardware changes, with the same IP, the client will alert me.
I have my public key on all my machines; I have a problem creating a new key.

If I add the key, by LuCI, or adding it to the files, or copying the file from a working machine, it does not work: the Ubuntu ssh client says "Host key verification failed", Windows PuTTY says "key refused".

I am doing it right; the error can only be in how I compile OpenWrt, or a bug.

Does the problem persist if you execute this command?

ssh-keygen -f "/home/gevagiorgio/.ssh/known_hosts" -R 192.168.1.69

The first attempt worked, Ubuntu and PuTTY have accepted the key.

gevagiorgio@PC-Ufficio:~$ ssh-keygen -f "/home/gevagiorgio/.ssh/known_hosts" -R 192.168.1.69
# Host 192.168.1.69 found: line 4
/home/gevagiorgio/.ssh/known_hosts updated.
Original contents retained as /home/gevagiorgio/.ssh/known_hosts.old
gevagiorgio@PC-Ufficio:~$ ssh root@192.168.1.69
The authenticity of host '192.168.1.69 (192.168.1.69)' can't be established.
RSA key fingerprint is SHA256:affD2OE4wVW4CYL5Se3XtYTdz9DlBkLKbQuzU2nwdbc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.69' (RSA) to the list of known hosts.


BusyBox v1.31.0 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r11102-ced4c0e

After I did a hard reset and put the key back via LuCI,
it does not work anymore.

gevagiorgio@PC-Ufficio:~/openwrt/files/etc$ ssh-keygen -f "/home/gevagiorgio/.ssh/known_hosts" -R 192.168.1.69
# Host 192.168.1.69 found: line 7
/home/gevagiorgio/.ssh/known_hosts updated.
Original contents retained as /home/gevagiorgio/.ssh/known_hosts.old
gevagiorgio@PC-Ufficio:~/openwrt/files/etc$ ssh root@192.168.1.69
The authenticity of host '192.168.1.69 (192.168.1.69)' can't be established.
RSA key fingerprint is SHA256:/+zw8g3wMjpK8f2kpSEf1RFHvnum3KXxgzOladT/3uE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.69' (RSA) to the list of known hosts.
root@192.168.1.69's password:

What you just showed is not a bug.

Any time you remove your approval/authentication of the key, the normal configuration of the ssh client is to warn you that the key can’t be authenticated and ask if you want to proceed.

(There are other key-authentication approaches, but they are typically not implemented by home users.)

# OpenWrt
ls -l -d / /etc /etc/dropbear /etc/dropbear/authorized_keys
sha256sum /etc/dropbear/authorized_keys

# PC
sha256sum ~/.ssh/id_rsa.pub

In reference to my previous test that seemed to work:
it works only when a password is not set.

root@BatteryPoE:/# ls -l -d / /etc /etc/dropbear /etc/dropbear/authorized_keys
drwxr-xr-x    1 root     root             0 Jan  1  1970 /
drwxrwxrwx    1 root     root             0 Sep 29 08:26 /etc
drwx------    1 root     root             0 Sep 29 08:25 /etc/dropbear
-rw-rw-rw-    1 root     root           402 Sep 29 08:25 /etc/dropbear/authorized_keys

root@BatteryPoE:/# sha256sum /etc/dropbear/authorized_keys
a5b10fdaeeef3af341c6ab07216a540a9d34a52d47b7713cedf41faa7a77a91e  /etc/dropbear/authorized_keys


gevagiorgio@PC-Ufficio:~/openwrt/files/etc$ sha256sum ~/.ssh/id_rsa.pub
eb694e1fac384a73e9b7628a032ca7a7e494dcaee29cef6ec0f7f2511b63f9fc  /home/gevagiorgio/.ssh/id_rsa.pub

I remind you that the same key works well in a version of OpenWrt from a year ago.

Fix incorrect permissions:

chmod 755 /etc
chmod 600 /etc/dropbear/authorized_keys

Checksum doesn't match.
Perform byte by byte file comparison.
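As an added example (not from the thread or from dropbear/OpenSSH), the two checks suggested here in Python: compare the key material of a `.pub` line and an `authorized_keys` line while ignoring the trailing user@host comment, and walk the directory chain looking for group- or world-writable components. The sample key blob is constructed and is not a real key.

```python
import base64, os, stat, struct, tempfile

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")

def ssh_string(b):
    """Encode one SSH wire-format string: big-endian uint32 length + bytes."""
    return struct.pack(">I", len(b)) + b

def parse_pubkey_line(line):
    """Split an authorized_keys / id_*.pub line into (type, blob_b64, comment); leading options like 'no-pty' are skipped."""
    toks = line.split()
    i = next(k for k, t in enumerate(toks) if t in KEY_TYPES)
    return toks[i], toks[i + 1], " ".join(toks[i + 2:])

def blob_type(blob_b64):
    """Key type recorded inside the blob (its first SSH string); a garbled or truncated paste fails here."""
    raw = base64.b64decode(blob_b64, validate=True)
    return raw[4:4 + int.from_bytes(raw[:4], "big")].decode("ascii")

def same_key(line_a, line_b):
    """True when both lines carry identical key material; the user@host comment is ignored."""
    (ta, ba, _), (tb, bb, _) = parse_pubkey_line(line_a), parse_pubkey_line(line_b)
    return ta == tb and ba == bb and blob_type(ba) == ta

def writable_by_others(path, top="/"):
    """Components from path up to top (inclusive) that are group- or world-writable; the server refuses keys reachable through them."""
    bad, p = [], os.path.abspath(path)
    while True:
        if os.stat(p).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            bad.append(p)
        if p == top or os.path.dirname(p) == p:
            return bad
        p = os.path.dirname(p)

# Constructed sample, not a real key: same RSA-shaped blob in both files, only the comment differs.
_blob = base64.b64encode(ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
                         + ssh_string(b"\x00" + bytes(range(1, 65)))).decode()
PC_PUB = f"ssh-rsa {_blob} gevagiorgio@PC-Ufficio"
ROUTER_AUTH = f"ssh-rsa {_blob} geva-giorgio@Ufficio"

def demo_permission_fix():
    """Recreate etc/dropbear/authorized_keys in a temp dir with bad modes (0777 on etc, 0666 on the file), then fix them."""
    top = tempfile.mkdtemp()
    d = os.path.join(top, "etc", "dropbear"); os.makedirs(d, mode=0o700)
    f = os.path.join(d, "authorized_keys")
    with open(f, "w") as fh: fh.write(ROUTER_AUTH + "\n")
    os.chmod(os.path.join(top, "etc"), 0o777); os.chmod(f, 0o666)
    before = len(writable_by_others(f, top))
    os.chmod(os.path.join(top, "etc"), 0o755); os.chmod(f, 0o600)
    return before, len(writable_by_others(f, top))
```

`sha256sum` on the whole file differs as soon as the comment differs; `same_key` reports whether the part the server actually checks is identical.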

Thank you all, solved.

The only difference is the end:
gevagiorgio@PC-Ufficio
geva-giorgio@Ufficio

The old version of OpenWrt accepts the difference, the new version does not accept it.

Now the CRC is the same.

It does not work.

root@BatteryPoE:/# sha256sum /etc/dropbear/authorized_keys
eb694e1fac384a73e9b7628a032ca7a7e494dcaee29cef6ec0f7f2511b63f9fc  /etc/dropbear/authorized_keys

gevagiorgio@PC-Ufficio:~$ sha256sum ~/.ssh/id_rsa.pub
eb694e1fac384a73e9b7628a032ca7a7e494dcaee29cef6ec0f7f2511b63f9fc  /home/gevagiorgio/.ssh/id_rsa.pub

ls -l -d / /etc /etc/dropbear /etc/dropbear/authorized_keys

PuTTY says "Key refused".

gevagiorgio@PC-Ufficio:~$ ssh root@192.168.1.69 -v
OpenSSH_7.2p2 Ubuntu-4ubuntu2.8, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.1.69 [192.168.1.69] port 22.
debug1: Connection established.
debug1: identity file /home/gevagiorgio/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/gevagiorgio/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/gevagiorgio/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/gevagiorgio/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/gevagiorgio/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/gevagiorgio/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/gevagiorgio/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/gevagiorgio/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
debug1: Remote protocol version 2.0, remote software version dropbear
debug1: no match: dropbear
debug1: Authenticating to 192.168.1.69:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:dmxR0fcr1SO1DZ/uYY/Kr8f1swbsYOahaZ5AZ8iZ4gI
debug1: Host '192.168.1.69' is known and matches the RSA host key.
debug1: Found key in /home/gevagiorgio/.ssh/known_hosts:7
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/gevagiorgio/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/gevagiorgio/.ssh/id_dsa
debug1: Trying private key: /home/gevagiorgio/.ssh/id_ecdsa
debug1: Trying private key: /home/gevagiorgio/.ssh/id_ed25519
debug1: Next authentication method: password
root@192.168.1.69's password:

This doesn't look right.

Generate another RSA key and test it.

New key, same problem:

root@BatteryPoE:/# sha256sum /etc/dropbear/authorized_keys
de3139dddfe2373212cb748f2ad6067c350915b2982ce65d3eb135f42bfd57f3  /etc/dropbear/authorized_keys

gevagiorgio@PC-Ufficio:~/.ssh$ sha256sum ~/.ssh/id_rsa.pub
de3139dddfe2373212cb748f2ad6067c350915b2982ce65d3eb135f42bfd57f3  /home/gevagiorgio/.ssh/id_rsa.pub

gevagiorgio@PC-Ufficio:~/.ssh$ ssh root@192.168.1.69 -v
OpenSSH_7.2p2 Ubuntu-4ubuntu2.8, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.1.69 [192.168.1.69] port 22.
debug1: Connection established.
debug1: identity file /home/gevagiorgio/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/gevagiorgio/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/gevagiorgio/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/gevagiorgio/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/gevagiorgio/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/gevagiorgio/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/gevagiorgio/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/gevagiorgio/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
debug1: Remote protocol version 2.0, remote software version dropbear
debug1: no match: dropbear
debug1: Authenticating to 192.168.1.69:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:dmxR0fcr1SO1DZ/uYY/Kr8f1swbsYOahaZ5AZ8iZ4gI
debug1: Host '192.168.1.69' is known and matches the RSA host key.
debug1: Found key in /home/gevagiorgio/.ssh/known_hosts:1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/gevagiorgio/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/gevagiorgio/.ssh/id_dsa
debug1: Trying private key: /home/gevagiorgio/.ssh/id_ecdsa
debug1: Trying private key: /home/gevagiorgio/.ssh/id_ed25519
debug1: Next authentication method: password
root@192.168.1.69's password:

Check the permissions:

# OpenWrt
ls -l -d / /etc /etc/dropbear /etc/dropbear/authorized_keys

# PC
ls -l -d / /home /home/gevagiorgio /home/gevagiorgio/.ssh /home/gevagiorgio/.ssh/id_rsa

But PuTTY also refuses the key, and on my old device all works well.

root@BatteryPoE:/# ls -l -d / /etc /etc/dropbear /etc/dropbear/authorized_keys
drwxr-xr-x    1 root     root             0 Jan  1  1970 /
drwxr-xr-x    1 root     root             0 Sep 22 16:58 /etc
drwxrwxrwx    1 root     root             0 Sep 22 16:58 /etc/dropbear
-rw-------    1 root     root           404 Sep 30 12:58 /etc/dropbear/authorized_keys

gevagiorgio@PC-Ufficio:~/.ssh$ ls -l -d / /home /home/gevagiorgio /home/gevagiorgio/.ssh /home/gevagiorgio/.ssh/id_rsa
drwxr-xr-x 1 root        root         512 Sep 16  2018 /
drwxr-xr-x 1 root        root         512 Dec  1  2017 /home
drwxr-xr-x 1 gevagiorgio gevagiorgio  512 Sep 30 15:10 /home/gevagiorgio
drwx------ 1 gevagiorgio gevagiorgio  512 Sep 30 14:58 /home/gevagiorgio/.ssh
-rw------- 1 gevagiorgio gevagiorgio 1679 Sep 30 14:57 /home/gevagiorgio/.ssh/id_rsa

Fix incorrect permissions:

Now it works, but why does the compiler set wrong permissions?
How do I compile correctly?

If I fix the permissions on the folder
files/etc/dropbear

are the permissions included in the .bin files?

OK.

Set the right permissions on the folder/file of the compiler, then it works.
