Entering data for "SSH Authentication key" kills router..

SnakeByte

Regular Contributor
I've got two routers, an RT-N66U and an RT-AC68U. Both are running 3.0.0.4.374.38_1 (N66U using the em1 version).

The moment I copy and paste my authorized_keys file from one of my linux systems into the webgui Administration -> System -> "SSH Authentication key" edit box and click apply, I lose the ability to communicate with the router. This happened on both routers. The only way to recover was to clear the NVRAM via the Power + WPS hardware reset trick.

Is there a character limitation that I am exceeding with my text dump from my existing authorized_keys file? I didn't have this trouble with dd-wrt, so maybe this is not a character limit issue? The linux 'wc' command reports the character count at 5426 (8 keys). Maybe the gui is writing to the wrong place?

Thanks.
 
> I've got two routers, an RT-N66U and an RT-AC68U. Both are running 3.0.0.4.374.38_1 (N66U using the em1 version).
>
> The moment I copy and paste my authorized_keys file from one of my linux systems into the webgui Administration -> System -> "SSH Authentication key" edit box and click apply, I lose the ability to communicate with the router. This happened on both routers. The only way to recover was to clear the NVRAM via the Power + WPS hardware reset trick.
>
> Is there a character limitation that I am exceeding with my text dump from my existing authorized_keys file? I didn't have this trouble with dd-wrt, so maybe this is not a character limit issue? The linux 'wc' command reports the character count at 5426 (8 keys). Maybe the gui is writing to the wrong place?
>
> Thanks.

This is indeed too big, the limit should be around 3499 or 3999 (I'm not at home to check at this moment).

However the webui should have prevented you from entering too many characters, I will have to check that page.
 
> This is indeed too big, the limit should be around 3499 or 3999 (I'm not at home to check at this moment).

I tried again with a smaller amount of 2144 characters (4 keys), and it still borked the router.

I also tried setting the nvram sshd_authkey variable with that original 5426 char file and after a commit and reboot, the router became unresponsive again, so it looks like it is a character limitation issue. I'll need to figure out a different way to securely copy over that authorized_keys file.

Is there a fixed max size for nvram variables? Why doesn't the nvram utility cap or warn when this threshold has been passed?

Thanks for looking into this.
 
> I tried again with a smaller amount of 2144 characters (4 keys), and it still borked the router.

This may be a stretch, but it may solve your problem. It might be that the browser that you are using for your cut and paste is the cause of the router having difficulty in processing the information. I know that some browsers use the windows style control character for line feed/carriage return while other browsers use the unix style character for the linefeeds. I won't swear to this but I want to think that firefox uses the unix style of line feeds even on a windows based OS. It could be that the BOX or ^M that you sometimes see when importing documents from one os to the other is a contributing factor in the router having an issue with your cut and paste. I have noticed different line feeds being used when copy/paste from different browsers into NOTEPAD on windows XP. The line feed character is generally something that you can not see, so that could make it difficult to track down. I hope that this is helpful.
 
> I know that some browsers use the windows style control character for line feed/carriage return while other browsers use the unix style character for the linefeeds.

Thanks Planes. I ruled out the browser by writing directly to the nvram variable as mentioned in my last response (i.e. I bypassed the web gui completely). It caused the same issue. While this shows that the problem is outside of Merlin's domain (he didn't write the base Asuswrt after all), it's likely Merlin will at least adjust the character cap the webgui uses (once he figured out what that cap actually is!) to stop others from running into this trouble.

To solve my problem of continuing to need to use that large authorized_keys file, I'll have to resort to some type of scp copy command in an init script somewhere. I assume one exists in this flavor of the firmware!
 
> I tried again with a smaller amount of 2144 characters (4 keys), and it still borked the router.

If your keys also contain names that describe them, make sure they don't contain any non-alphanumerical characters, such as quotes. Those tend to mess up the webui.

The limit is 2999 characters, and it's actually enforced at the HTML level. I will bump it to 3499 characters to match OpenVPN certs as this is the safe limit currently allowed at the httpd level.

Can you also check in System Log if anything unusual might get logged by Dropbear as it tries to start?
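A pre-flight check for the two conditions RMerlin lists above (the field's character limit and key comments containing non-alphanumeric characters), written as an added example for this thread rather than firmware code. It assumes the bumped 3499-character limit as its default and plain "type key comment" lines with no options prefix; the sample keys are constructed.

```shell
#!/bin/sh
# Added example: check an authorized_keys file before pasting it into the
# "SSH Authentication key" box. 3499 is the limit RMerlin says the field will be
# raised to; run with FIELD_LIMIT=2999 for builds that still have the old cap.
# Assumes "type key comment" lines with no options prefix (not firmware code).

FIELD_LIMIT="${FIELD_LIMIT:-3499}"

# Character count of the file, the number the webui field is compared against.
key_file_chars() {
    wc -c < "$1" | tr -d ' '
}

# Succeeds when the whole file fits in the webui field.
fits_webui() {
    [ "$(key_file_chars "$1")" -le "$FIELD_LIMIT" ]
}

# Prints the line number of every key whose comment holds anything other than
# letters, digits, '@', '.', '-' or '_' (quotes and spaces are what breaks the
# webui), and of every non-comment line that does not look like a key at all.
bad_comments() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            t = 0
            for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-)/) { t = i; break }
            if (t == 0) { print NR; next }
            comment = ""
            for (i = t + 2; i <= NF; i++) comment = comment (i > t + 2 ? " " : "") $i
            if (comment != "" && comment !~ /^[A-Za-z0-9@._-]+$/) print NR
        }' "$1"
}

# Constructed sample: two clean keys and one whose comment contains a quote.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EFAKEKEYONE user@laptop
# keys below were added later
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKEKEYTWO backup-host
ssh-rsa AAAAB3NzaC1yc2EFAKEKEYTHREE "Dan's key"
EOF

fits_webui "$SAMPLE" && echo "fits in $FIELD_LIMIT characters"
echo "lines with problematic comments: $(bad_comments "$SAMPLE" | tr '\n' ' ')"
```

Run it against your real file instead of the sample; a non-empty list from bad_comments means strip or rename those comments before pasting.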
 
> Can you also check in System Log if anything unusual might get logged by Dropbear as it tries to start?

Merlin,

Dropbear doesn't seem to mind my authorized_keys file when I copy it over via SCP to the /tmp/home/root/.ssh directory.

Otherwise, I'm not certain I know how to check the system log. I can write to the nvram variable and commit and the system continues to function normally. It's only after the subsequent reboot that things fall apart. At that point, I cannot even ping the router, let alone check a log. Is there another method that will allow this? Is there a hidden serial interface somewhere? I don't mind taking the unit apart and soldering.. JTAG?
 
> Merlin,
>
> Dropbear doesn't seem to mind my authorized_keys file when I copy it over via SCP to the /tmp/home/root/.ssh directory.
>
> Otherwise, I'm not certain I know how to check the system log. I can write to the nvram variable and commit and the system continues to function normally. It's only after the subsequent reboot that things fall apart. At that point, I cannot even ping the router, let alone check a log. Is there another method that will allow this? Is there a hidden serial interface somewhere? I don't mind taking the unit apart and soldering.. JTAG?

There's a serial port on the board, with all the appropriate pins. That would let you see at which stage of the boot process it got stuck.
 
> There's a serial port on the board, with all the appropriate pins. That would let you see at which stage of the boot process it got stuck.

RMerlin,

I've done some more sleuthing. I've also hooked up the serial port (What is the popular GUI terminal emulator of choice these days?). Also, is this serial read-only? I.e. just a log dump, and not terminal access?

I've stripped out all comments from the keys.
I've narrowed my number of keys to three.

The character count is 2066.

What happens now is that after I click "apply", I can see from the serial interface that the nvram variables get set, and that it issues some type of soft-reboot. What ends up happening however is that nothing after dropbear starts. I am able to ssh into the router at least, and the resulting authorized_keys file is working since I can ssh in without having to use a password. (Further checking shows that nothing was truncated, the authorized_keys file is identical to the one I have locally)

I tried running httpd manually (without any command line parameters) and it starts (but I just get 404 errors), so I'd like to manually continue the service startup process to see what is breaking and why. It's almost like dropbear isn't releasing control back to the router so that it can finish loading the services.
 
> RMerlin,
>
> I've done some more sleuthing. I've also hooked up the serial port (What is the popular GUI terminal emulator of choice these days?). Also, is this serial read-only? I.e. just a log dump, and not terminal access?

Personally I use Xshell4, which is free for personal use, due to its excellent UI (a tabbed interface is a must for me since I regularly work with 4-6 simultaneous sessions), but a lot of people still like PuTTY.

The serial port is bidirectional, so you can actually run commands over the serial console (handy if the network fails to come up or the router gets stuck at init time).

> I've stripped out all comments from the keys.
> I've narrowed my number of keys to three.
>
> The character count is 2066.
>
> What happens now is that after I click "apply", I can see from the serial interface that the nvram variables get set, and that it issues some type of soft-reboot. What ends up happening however is that nothing after dropbear starts. I am able to ssh into the router at least, and the resulting authorized_keys file is working since I can ssh in without having to use a password. (Further checking shows that nothing was truncated, the authorized_keys file is identical to the one I have locally)

Odd. Anything particular about those keys? Are they RSA/DSA or ECDSA?

Try running strace on dropbear to see if it's doing anything.

> I tried running httpd manually (without any command line parameters) and it starts (but I just get 404 errors)

httpd will look for the webui in the current directory, so it must be run from within /www.

> so I'd like to manually continue the service startup process to see what is breaking and why. It's almost like dropbear isn't releasing control back to the router so that it can finish loading the services.

Use the serial console to check the content of /tmp/syslog.log, it might contain additional clues.
 
hey, out of curiosity, are you using like a usb > serial adapter for this? or is this something under the hood?

only asking because i have a usb to serial adapter that doesn't get much use these days
 
> hey, out of curiosity, are you using like a usb > serial adapter for this? or is this something under the hood?
>
> only asking because i have a usb to serial adapter that doesn't get much use these days

You need a TTL adapter, otherwise you will get garbage, and possibly fry either the router's serial port or your own serial port. A standard serial port operates using -12V/+12V (or -5V/+5V). A TTL serial port like in those embedded devices uses either 0/+5V, or 0/+3.3V. This is called TTL signalling.

Here's a few pictures I posted last year of the adapter that I use, and my test setup (at the time):

http://forums.smallnetbuilder.com/showthread.php?t=10664
 
Sorry to necro an old thread but I am having this exact issue and would love to know if you ever found a solution. I want to include 5-10 RSA public keys (4096 bits) and this seems to break the router.
 
> Sorry to necro an old thread but I am having this exact issue and would love to know if you ever found a solution. I want to include 5-10 RSA public keys (4096 bits) and this seems to break the router.

Entering so many long entries is not supported. The httpd's internal buffers aren't large enough.
 
> Entering so many long entries is not supported. The httpd's internal buffers aren't large enough.

Thank you for responding! I don't fully understand where this buffer limitation would come into effect. Should it work for example to add a /jffs/scripts/services-start script to update the authorized_keys file each boot or would that break things when I tried to load the GUI?

Also, could I make a feature request that the admin pages prevent the user from entering too many characters? As per the OP I had to wipe the NVRAM each time I tried to enter too many.
 
> Thank you for responding! I don't fully understand where this buffer limitation would come into effect. Should it work for example to add a /jffs/scripts/services-start script to update the authorized_keys file each boot or would that break things when I tried to load the GUI?

You'd have to disable SSH on the webui to ensure the router does not overwrite your configs, and handle starting it yourself.

> Also, could I make a feature request that the admin pages prevent the user from entering too many characters? As per the OP I had to wipe the NVRAM each time I tried to enter too many.

It already does. Chances are, you end up with truncated keys, which causes dropbear to crash.
 
Thanks for your help so far. I have now managed to resolve this to my satisfaction:
  1. Via the web GUI I enter a single key and click "Apply"
  2. SSH onto the Asus router and create a new file "/jffs/scripts/authorized_keys" containing all the rest of my SSH keys
  3. Create a second file "/jffs/scripts/services-start" as below and make executable
  4. Restart
I still can't add additional keys via the web GUI and I haven't tried testing to see what happens if I click Apply again via the GUI (breaking the internet makes me unpopular at home). My guess is that it would overwrite "/home/root/.ssh/authorized_keys" but I do not know if "/jffs/scripts/services-start" would get re-run afterwards.

I was also looking for the sshd config file to try to make some further tweaks but couldn't find it! Any thoughts?

services-start script:
Code:
#!/bin/sh
# Runs once at boot (services-start). /tmp is wiped on reboot, so the append
# below starts from the single key the webui wrote to the file.

cd /jffs/scripts/
cat authorized_keys >> /tmp/home/root/.ssh/authorized_keys
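A more defensive version of the services-start workaround above, written as an added example for this thread and not code from Asuswrt-Merlin: it skips lines that are not keys, never appends the same key twice (so a re-run is harmless), and sets the file mode dropbear expects. The paths are the ones from the post; the function names and the EXTRA_KEYS / TARGET overrides are my own.

```shell
#!/bin/sh
# Added example, not part of Asuswrt-Merlin: safer services-start that merges
# /jffs/scripts/authorized_keys into the file the webui key lands in. Paths are
# those used in the post above; override via EXTRA_KEYS / TARGET for testing.

EXTRA_KEYS="${EXTRA_KEYS:-/jffs/scripts/authorized_keys}"
TARGET="${TARGET:-/tmp/home/root/.ssh/authorized_keys}"

# Append every key line from $1 to $2 that is not already present, skipping
# blank, comment and malformed lines. Prints how many keys were added, so a
# second run adds 0 instead of duplicating the file.
merge_keys() {
    src="$1"; dst="$2"; added=0
    mkdir -p "$(dirname "$dst")"
    touch "$dst"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ssh-rsa\ *|ssh-ed25519\ *|ssh-dss\ *|ecdsa-sha2-*\ *) ;;
            *) continue ;;
        esac
        if ! grep -qxF -- "$line" "$dst"; then
            printf '%s\n' "$line" >> "$dst"
            added=$((added + 1))
        fi
    done < "$src"
    # dropbear rejects keys from a file that is group- or world-writable
    chmod 600 "$dst"
    echo "$added"
}

# Number of key lines in a file, for checking the merge result.
count_keys() {
    grep -c -E '^(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-[a-z0-9]+) ' "$1"
}

# On the router: run the merge at boot. Elsewhere (no /jffs) this is a no-op.
if [ -r "$EXTRA_KEYS" ]; then
    merge_keys "$EXTRA_KEYS" "$TARGET" >/dev/null
fi
```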
 
> I was also looking for the sshd config file to try to make some further tweaks but couldn't find it! Any thoughts?

Dropbear does not use any configuration file.
 
> Thanks for your help so far. I have now managed to resolve this to my satisfaction:
>   1. Via the web GUI I enter a single key and click "Apply"
>   2. SSH onto the Asus router and create a new file "/jffs/scripts/authorized_keys" containing all the rest of my SSH keys
>   3. Create a second file "/jffs/scripts/services-start" as below and make executable
>   4. Restart
> I still can't add additional keys via the web GUI and I haven't tried testing to see what happens if I click Apply again via the GUI (breaking the internet makes me unpopular at home). My guess is that it would overwrite "/home/root/.ssh/authorized_keys" but I do not know if "/jffs/scripts/services-start" would get re-run afterwards.
>
> I was also looking for the sshd config file to try to make some further tweaks but couldn't find it! Any thoughts?
>
> services-start script:
> Code:
> #!/bin/sh
>
> cd /jffs/scripts/
> cat authorized_keys >> /tmp/home/root/.ssh/authorized_keys

Thanks, I was looking for something like this, since I got odd behaviour from copy-pasting my desired authorized_keys into the web interface.

To answer your question on services-start, https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts indicates it's only run on boot/reboot.
 
