voip
just joined
Topic Author
Posts: 8
Joined: Tue Jan 09, 2024 12:17 pm

SSH Log-in using ED25519 public/private key not working from bash

Tue Oct 01, 2024 3:34 pm

When I SSH from my PC using an ED25519 public/private key
to an mt.lv1 device (which has had the public/private key pair
created and the public key uploaded/imported on the mt.lv2 device) and then try
to SSH from mt.lv1 to mt.lv2 or another SSH server, I still get asked for a "password".
But when I open up WinBox/Terminal on mt.lv1 and SSH
into the mt.lv2 device or another SSH server, all works as it should.
Where did I make a mistake?

Is it a bug or simply a fault setting it up?


All mt.lv devices are running latest ROS 7.16 and PC has WinBox 3.41
(I know the new native Linux version 4 is out,
but I prefer the OLD WinBox that I know my way around).

My SSH settings on the router are sort of defaults:
/ip ss pr
           forwarding-enabled: no
  always-allow-password-login: no
                strong-crypto: yes
            allow-none-crypto: no
                host-key-size: 8192
                host-key-type: ed25519



Here is what I did.

On my PC, I created a set of ED25519 public/private keys:
ssh-keygen -t ed25519 -C "ed25519.256@$HOSTNAME" -o -a 10000

Then I imported the "public key" to the mt.lv1 and mt.lv2 devices using SCP:
scp -P 65422 ~/.ssh/id_ed25519.pub admin@192.168.88.1:ed25519.256@$HOSTNAME.pub
scp -P 65422 ~/.ssh/id_ed25519.pub admin@192.168.88.2:ed25519.256@$HOSTNAME.pub

On both the "mt.lv1" and "mt.lv2" I imported the *.pub keys for user "admin":
ssh -p 65422 admin@192.168.88.1
/user ssh-keys import public-key-file=ed25519.256@$HOSTNAME.pub user=admin
ssh -p 65422 admin@192.168.88.2
/user ssh-keys import public-key-file=ed25519.256@$HOSTNAME.pub user=admin

Then on both of the mt.lv devices I set the host-key-type to "ED25519":
/ip ssh set strong-crypto=yes host-key-size=8192 host-key-type=ed25519

and created the ED25519 public/private key pair:
/ip ssh export-host-key key-file-prefix=admin

To create "OpenSSH format" versions of the *pub.pem files, I downloaded the PRIVATE key (before importing it into the MT.LV device) to my PC:
cd ~/Documents/mt.lv
scp -P 65422 admin@192.168.88.1:/admin_ed25519.pem .

(To convert PEM (PKCS#8) to OpenSSH format an "sshpk-conv" is needed)
https://www.npmjs.com/package/sshpk
sshpk-conv --informat=pkcs8 --file=admin_ed25519.pem --outformat=ssh --out=admin_ed25519.pub --comment "admin@192.168.88.1"
sshpk-conv --informat=pkcs8 --file=admin_ed25519.pem --outformat=ssh --out=admin_ed25519.pub --comment "admin@192.168.88.2"

Delete the mt.lv 1 and 2 devices "PRIVATE KEYS" = "admin_ed25519.pem" from PC:
rm admin_ed25519.pem

On both mt.lv1 and 2 I imported the "private" keys:
/user ssh-keys private import user=admin private-key-file=admin_ed25519.pem

And copied "public" keys "admin_ed25519.pub" to other devices that I want to be able to SSH to from mt.lv devices:

- other mt.lv:
scp -P 65422 admin_ed25519.pub admin@192.168.88.2:ed25519.256@192.168.1.1.pub
/user ssh-keys import public-key-file=ed25519.256@192.168.1.1.pub user=admin
scp -P 65422 admin_ed25519.pub admin@192.168.88.1:ed25519.256@192.168.1.2.pub
/user ssh-keys import public-key-file=ed25519.256@192.168.1.2.pub user=admin

- devices running OpenSSH Server:
On PC:
cat admin_ed25519.pub
On SERVER:
nano ~/.ssh/authorized_keys


When I SSH log in from my PC to mt.lv1 or 2,
a password is not required; the ED25519 public/private key is used instead and it works.

(PC->mt.lv1 or 2)
If I then further SSH log in to another device
(PC->mt.lv1 -> mt.lv2 OR another OpenSSH Server)
that has the mt.lv1 or 2 devices' public keys imported in
"~/.ssh/authorized_keys", I always get asked for a password
and the ED25519 public/private key just does not work.

But if I open up Winbox/Terminal and connect to either the mt.lv1 or mt.lv2 device
and try to log in from the winbox terminal to other devices
that have the public keys imported, log-in without a password using the ED25519 public/private key works ....



Here is a quote from "man ssh-keygen":

FILES
     ~/.ssh/id_dsa
     ~/.ssh/id_ecdsa
     ~/.ssh/id_ecdsa_sk
     ~/.ssh/id_ed25519
     ~/.ssh/id_ed25519_sk
     ~/.ssh/id_rsa
             Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, authenticator-hosted Ed25519 or RSA authentication identity of the user.  This file should not be readable by anyone but the user.  It is possible to specify a passphrase when generating the key; that
             passphrase will be used to encrypt the private part of this file using 128-bit AES.  This file is not automatically accessed by ssh-keygen but it is offered as the default file for the private key.  ssh(1) will read this file when a login attempt is made.

FILES
     ~/.ssh/id_dsa.pub
     ~/.ssh/id_ecdsa.pub
     ~/.ssh/id_ecdsa_sk.pub
     ~/.ssh/id_ed25519.pub
     ~/.ssh/id_ed25519_sk.pub
     ~/.ssh/id_rsa.pub
             Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, authenticator-hosted Ed25519 or RSA public key for authentication.  The contents of this file should be added to ~/.ssh/authorized_keys on all machines where the user wishes to log in using public key
             authentication.  There is no need to keep the contents of this file secret.
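A check a practitioner could run on the converted admin_ed25519.pub (or the PC's id_ed25519.pub) before importing it with /user ssh-keys import or pasting it into authorized_keys: it confirms the file is a public key and not the downloaded private .pem, that the base64 blob really is one 32-byte ssh-ed25519 key in SSH wire format, and prints the SHA256 fingerprint in the form ssh-keygen -l shows so it can be compared on both ends. This is an added example, not code from the original post or from RouterOS; the sample key bytes and comment are constructed.

```python
import base64
import hashlib
import struct

def _read_string(buf, pos):
    """Read one length-prefixed SSH 'string' (RFC 4251 wire format) at pos."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    pos += 4
    if pos + n > len(buf):
        raise ValueError("truncated string body")
    return buf[pos:pos + n], pos + n

def parse_ed25519_pubkey_line(line):
    """Validate an authorized_keys-style line and return (type, raw32, comment).
    Raises ValueError for private keys, wrong key type, or malformed blobs."""
    if "PRIVATE KEY" in line:  # a downloaded .pem is NOT what gets imported as public
        raise ValueError("this looks like a private key, not a public key")
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type != "ssh-ed25519":
        raise ValueError(f"unsupported key type {key_type}")
    blob = base64.b64decode(b64, validate=True)
    wire_type, pos = _read_string(blob, 0)
    if wire_type != key_type.encode():
        raise ValueError("type inside the base64 blob does not match the text prefix")
    raw, pos = _read_string(blob, pos)
    if len(raw) != 32 or pos != len(blob):
        raise ValueError("ed25519 public key must be exactly one 32-byte string")
    return key_type, raw, comment

def fingerprint(line):
    """SHA256 fingerprint in the same form 'ssh-keygen -l' prints it."""
    blob = base64.b64decode(line.split()[1], validate=True)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return "SHA256:" + digest

def make_sample_line(raw32, comment="admin@192.168.88.1"):
    """Build a constructed ssh-ed25519 line from raw bytes (test fixture only)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", len(raw32)) + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".strip()

if __name__ == "__main__":
    sample = make_sample_line(bytes(range(32)))  # constructed, not a real key
    print(parse_ed25519_pubkey_line(sample)[0], fingerprint(sample))
```

On a real file, read the single line from the .pub produced by sshpk-conv or ssh-keygen and pass it to parse_ed25519_pubkey_line; any ValueError means the file should not be imported as-is.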
mkx
Forum Guru
Posts: 12419
Joined: Thu Mar 03, 2016 10:23 pm

Re: SSH Log-in using ED25519 public/private key not working from bash

Tue Oct 01, 2024 7:56 pm

It works for me. Although I did not use the "-a" command line parameter of ssh-keygen. It could be that the ROS implementation doesn't support that high a value (the ssh-keygen manual says the default is 16).
 
voip
just joined
Topic Author
Posts: 8
Joined: Tue Jan 09, 2024 12:17 pm

Re: SSH Log-in using ED25519 public/private key not working from bash

Tue Oct 01, 2024 10:38 pm

I do not think the problem is in the key or the way the ED25519 public/private key on the PC was generated,
as "passwordless" log-in works between the PC -> mt.lv1 / 2 / 3 / 4 devices ....

For some strange reason the "passwordless" login does not work on the 2nd SSH hop .....

PC -> mt.lv1 = works,

but when trying to connect
PC -> mt.lv1 -> mt.lv2 / 3 / 4 or any other OpenSSH server
the "passwordless" log-in does not work, and since I have set
"always-allow-password-login (no)", even password
log-in does not work when trying to log in to the other mt.lv device .......
 
wfburton
Frequent Visitor
Posts: 95
Joined: Mon Apr 10, 2023 1:09 am

Re: SSH Log-in using ED25519 public/private key not working from bash

Tue Oct 01, 2024 11:08 pm

This might be a shot in the dark but have you tried changing

forwarding-enabled: no

to

forwarding-enabled: both
 
voip
just joined
Topic Author
Posts: 8
Joined: Tue Jan 09, 2024 12:17 pm

Re: SSH Log-in using ED25519 public/private key not working from bash

Tue Oct 01, 2024 11:50 pm

Yes, I did try:
/ip ssh set forwarding-enabled=both
then logged out and back in, and on the 2nd SSH hop the "password" prompt comes up.

Maybe it's a "security" feature :)
