When SSH connecting from my PC using ED25519 public/private key
to a mt.lv1 device (that has had the public/private
created and public key uploaded/imported on mt.lv2 device) and trying
to SSH from mt.lv1 to mt.lv2 or another SSH server, I still get asked for “password”,
but when I open up WinBox/Terminal on mt.lv1 and SSH
into mt.lv2 device or another SSH server, all works as it should,
where did I make a mistake?
Is it a bug or simply a fault setting it up?
All mt.lv devices are running latest ROS 7.16 and PC has WinBox 3.41
(I know the new native Linux version 4 is out,
but I prefer the OLD WinBox that I know my way around).
My SSH settings on the router are sort of defaults:
/ip ss pr
forwarding-enabled: no
always-allow-password-login: no
strong-crypto: yes
allow-none-crypto: no
host-key-size: 8192
host-key-type: ed25519
Here is what I did.
On my PC, I created a set of ED25519 public/private keys:
ssh-keygen -t ed25519 -C "ed25519.256@$HOSTNAME" -o -a 10000
Then imported to the “public key” to mt.lv1 and mt.lv2 devices using SCP:
scp -P 65422 ~/.ssh/id_ed25519.pub admin@192.168.88.1:ed25519.256@HOSTNAME.pub
scp -P 65422 ~/.ssh/id_ed25519.pub admin@192.168.88.2:ed25519.256@HOSTNAME.pub
On both the “mt.lv1” and “mt.lv2” I imported the *.pub keys for user “admin”:
ssh -p 65422 admin@192.168.88.1
/user ssh-keys import public-key-file=ed25519.256@HOSTNAME.pub user=admin
ssh -p 65422 admin@192.168.88.2
/user ssh-keys import public-key-file=ed25519.256@HOSTNAME.pub user=admin
Then on both of the mt.lv devices I set the host-key-type to “ED25519”:
/ip ssh set strong-crypto=yes host-key-size=8192 host-key-type=ed25519
and create ED25519 public/private:
/ip ssh export-host-key key-file-prefix=admin
To create a “OpenSSH formats” of the *pub.pem files I downloaded PRIVATE Key (before importing in in to MT.LV device) to my PC:
cd ~/Documents/mt.lv
scp -P 65422 admin@192.168.88.1:/admin_ed25519.pem .
(To convert PEM (PKCS#8) to OpenSSH format an “sshpk-conv” is needed)
https://www.npmjs.com/package/sshpk
https://packages.debian.org/bookworm/node-sshpk
sshpk-conv --informat=pkcs8 --file=admin_ed25519.pem --outformat=ssh --out=admin_ed25519.pub --comment "admin@192.168.88.1"
sshpk-conv --informat=pkcs8 --file=admin_ed25519.pem --outformat=ssh --out=admin_ed25519.pub --comment "admin@192.168.88.2"
Delete the mt.lv 1 and 2 devices “PRIVATE KEYS” = “admin_ed25519.pem” from PC:
rm admin_ed25519.pem
On both mt.lv1 and 2 I imported the “private” keys:
/user ssh-keys private import user=admin private-key-file=admin_ed25519.pem
And copied “public” keys “admin_ed25519.pub” to other devices that I want to be able to SSH to from mt.lv devices:
- other mt.lv (mt.lv1 pub key to mt.lv2):
scp -P 65422 admin_ed25519.pub admin@192.168.88.2:ed25519.256@192.168.88.1.pub
/user ssh-keys import public-key-file=ed25519.256@192.168.88.1.pub user=admin
- other mt.lv (mt.lv2 ed25519.pub key to mt.lv1)
scp -P 65422 admin_ed25519.pub admin@192.168.88.1:ed25519.256@192.168.88.2.pub
/user ssh-keys import public-key-file=ed25519.256@192.168.88.2.pub user=admin
- devices running OpenSSH Server:
On PC:
cat admin_ed25519.pub
On SERVER:
nano ~/.ssh/authorized_keys
When I SSH log in from my PC to mt.lv1 or 2,
password is not required and instead use the ED25519 public/private key and it works.
(PC->mt.lv1 or 2)
If I to then further to SSH log in to another device
(PC->mt.lv1 → mt.lv2 OR another OpenSSH Server)
that has the mt.lv1 or 2 devices public keys imported in
“~/.ssh/authorized_keys” I would get always asked for password
and the ED25519 public/private just does not work.
But if I to open up Winbox/Terminal and connect to either mt.lv1 or mt.lv2 device
and try to log in from the winbox terminal to other devices
that have the public keys imported, log-in without an password using the ED25519 public/private works …
Here is a quote from “man ssh-keygen”:
FILES Private
~/.ssh/id_dsa
~/.ssh/id_ecdsa
~/.ssh/id_ecdsa_sk
~/.ssh/id_ed25519
~/.ssh/id_ed25519_sk
~/.ssh/id_rsa
Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, authenticator-hosted Ed25519 or RSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that
passphrase will be used to encrypt the private part of this file using 128-bit AES. This file is not automatically accessed by ssh-keygen but it is offered as the default file for the private key. ssh(1) will read this file when a login attempt is made.
FILES Public
~/.ssh/id_dsa.pub
~/.ssh/id_ecdsa.pub
~/.ssh/id_ecdsa_sk.pub
~/.ssh/id_ed25519.pub
~/.ssh/id_ed25519_sk.pub
~/.ssh/id_rsa.pub
Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, authenticator-hosted Ed25519 or RSA public key for authentication. The contents of this file should be added to ~/.ssh/authorized_keys on all machines where the user wishes to log in using public key
authentication. [b]There is no need to keep the contents of this file secret.[/b]
EDIT:
I have amended the title,to reflect what exactly is the problem.
