Help with SSH Access

8443

Hi,

I'm having trouble configuring SSH access to my AC66U with Merlin 380.68 using keys.

I generated a key pair via terminal in macOS 10.12.6 using ssh-keygen, enabled password protection, and saved in the default location, users/username/.ssh

Settings in the router config are: SSH enabled on LAN only, SSH port forwarding disabled, port 22, password login disabled, brute force protection enabled, and my public key is pasted in the SSH authentication key box.

I'm receiving the error: "Permission denied (publickey)."

Let me know if there's any other information I can provide. Thanks!
 
It's a long time since I set up SSH so I'm rusty, but one question: you say you "enabled password protection" then you later say "password login disabled" in the router. Are the 2 compatible? So you don't get asked for a passphrase during login or do you not even get that far even if you were to be asked for a passphrase? And your private key gets stored in users/username/.ssh on your Mac, is that how it works? (I only ever set up SSH on a Windows or iPhone/iPad client.)
 
And are you sure when you copied the public key across, nothing got missed? I have a vague, and possibly incorrect, memory of reading that a blank line had to be left after the final public key (in the list) when pasted into the router. But it could well be an incorrect memory, or something peculiar to Windows, or even something that might have been true years ago but not now.

One thing you could try is to erase everything and try again, especially if you are new to this. Quite often the first time you do something like this you overlook something. The second time you do it you already have more confidence and understanding. Not exactly second nature, but on the road towards it.
 
Thanks for your suggestions, martinr. I believe the SSH password when generating keys is for added protection of the private key, not related to an SSH connection itself (I think...).

Nevertheless, I deleted the old keys and hosts file, and generated a brand new key pair without utilizing the password option this time. Disabled SSH password login on the router config as well. Pasted new key. Unfortunately, I'm still receiving the same error.
 
After ssh key gen, go to .ssh folder. Grab your public key and paste in admin page ssh box. It should be one long line. Good luck.
 
It must be in this format

ssh-rsa LONGLONGgaW5GGNtxUH7Qct5uAGklvnpBjr32xtew4BAgFZuoSIfBssq3WKnM3EkYM72Qe3JIDE0LONGLONGLONG rsa-key-20150922
 
It may well be going wrong somewhere in the cut and paste bit. "More than one of my simple cut-and-paste attempts have turned to tears..." from SSH Mastery by Michael W Lucas.

He goes on to say, "Remember, each key must be on one, and only one, line in authorized_keys", reinforcing Starbloom's post. And "If your last entry doesn't end on a new line, the next key you add to this file will be tacked onto the end of the previous key."

If you are still having problems, is it possible you could try again from a Windows machine, just in case there's something strange happening in the cut-and-paste on the Mac?
 
In the SSH client software (I use MobaXterm), did you check the box to enable private-key and specify the location of the key on your PC or laptop?
upload_2017-8-29_16-24-5.png
 
upload_2017-8-29_16-27-41.png
 
Thanks, Xentrk, you just reminded me I'd long forgotten to turn off "Allow SSH password login" after having allowed it for a LAN login some while back.
 
It was only recently where I got around to setting this up on all the routers I support. I don't think there are instructions on the wiki. I think I had to web search for the how to. Glad I finally got it done.
 
Thanks for the help everyone, yes, I've tried copying from both the .pub file as well as the terminal itself. Xentrk - ssh-keygen creates a public/private key pair and uses a default location or user specified, in my case users/username/.ssh. - for me, this contains id_rsa, id_rsa.pub, and known_hosts. Here's a screenshot of my setup/copy-paste job:
Screen_Shot_2017-08-29_at_8.10.00_AM.png

I can re-try the process later on Windows or Linux, although I'd be surprised if that would fix anything. I could try with PuTTY on Windows.

I'm seeing some screenshots online of public keys with "==" at the end of the key, not sure if that could be it.
 
Here's what mine looks like. I'm sure you'll manage it and the error will be a trivial one.

IMG_0721.PNG


Does it help?
 
One thing: if you start editing such files (rather than cut and pasting), you have to ensure it's done in the Unix/Linux format. For example, if, in Windows, you use Notepad, it formats Windows style and a carriage return CR gets added to the end of each line (not visible in Notepad, but it's there). Linux can't accept the CR, so the file won't work. So in Windows you'd use something like Notepad++ and set the formatting to Unix; the file's then correctly formatted. (Notepad++ does show the CR at the end of each line, in Windows format, and you see it disappear when Unix format is selected. You then only have the correct LF at the end of each line.)

So make sure you don't compound any errors by incorrectly editing a public key file.
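
The formatting points raised in the posts above (one key per line, no carriage returns, type then base64 blob then optional comment), as an added example that is not part of any post. The function names and the sample key are constructed for illustration; the check also walks the length-prefixed fields inside the blob to catch a paste that lost characters.

```python
import base64
import struct

def _ssh_string(data):
    # SSH wire format: 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data

def constructed_sample():
    # Constructed, non-functional key material, for illustration only.
    blob = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(b"\x00" + bytes(range(1, 33)) * 8))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-example"

def check_pubkey_paste(text):
    """Return a list of problems in text pasted as ONE authorized_keys entry."""
    problems = []
    if "\r" in text:
        problems.append("carriage return present (Windows line ending)")
    lines = [ln for ln in text.replace("\r", "").split("\n") if ln.strip()]
    if len(lines) != 1:
        return problems + ["key spans %d lines, expected exactly 1" % len(lines)]
    fields = lines[0].split()
    if len(fields) < 2:
        return problems + ["expected '<type> <base64-blob> [comment]'"]
    key_type, blob_b64 = fields[0], fields[1]
    try:
        # '=' padding at the end of the blob depends on its length;
        # many valid keys have none.
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError:
        return problems + ["blob is not valid base64 (characters lost or altered)"]
    offset, strings = 0, []
    while offset < len(blob):
        end = offset + 4
        if end > len(blob):
            return problems + ["blob is truncated"]
        end += struct.unpack(">I", blob[offset:offset + 4])[0]
        if end > len(blob):
            return problems + ["blob is truncated"]
        strings.append(blob[offset + 4:end])
        offset = end
    # The first field inside the blob repeats the key type named on the line.
    if not strings or strings[0] != key_type.encode():
        problems.append("type inside blob does not match %r" % key_type)
    return problems
```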
 
I am using the SSH (RSA) key generator in MobaXterm located in the Tool menu. You can save it to the location of your choosing. MobaXterm is for Windows though. Here is one link to the manual method for Mac OS
https://docs.joyent.com/public-clou.../manually-generating-your-ssh-key-in-mac-os-x
 
I tried the process again on Windows with PuTTY and received a similar error - apparently in PuTTY, if you export the public key to a file the format is incorrect, so you should paste it directly from the box it generated it in, which I did. I tried the ssh-keygen process on Fedora and again, same error as macOS. I'm directly copy pasting. From what I've seen online formatting is very important, but I've tried numerous sources and copy/pastes through different mediums to no avail.
 
Then it makes me think there's nothing wrong with what you are doing and the problem lies at a tangent, elsewhere.

Perhaps clear your syslog in the GUI, try to SSH in again, and let's see if the syslog entries tell a more detailed story.

Have you tried, for the sheer hell of it, setting temporarily to password login, and just to prove that you can login with SSH using the admin username and password? It probably won't help in the slightest, but at least you'll be happy that it is possible to SSH in.
 
This is what the sys log on the router itself says when I attempt SSH:
Aug 1 15:43:12 dropbear[4558]: Child connection from 192.168.1.12:54380
Aug 1 15:43:12 dropbear[4558]: Login attempt for nonexistent user from 192.168.1.12:54380
Aug 1 15:43:12 dropbear[4558]: Login attempt for nonexistent user from 192.168.1.12:54380
Aug 1 15:43:12 dropbear[4558]: Exit before auth: Exited normally

macOS syslog says:
default 10:29:49.685809 -0400 symptomsd a wifi flow named ssh is ignored (directly reachable target)

As far as the password login - how do I set the actual password? The password for the router web config is met with permission denied.
 
Are the usernames for the Mac and router different?
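
Reading the posted dropbear lines per connection, as an added example that is not part of any post: it groups entries by dropbear PID and separates a rejected login name from other exits before authentication. Only the three message types that appear in the router log above are recognised; the function and field names are constructed for illustration.

```python
import re
from collections import defaultdict

# Router syslog lines as posted in the thread.
SAMPLE_LOG = """\
Aug 1 15:43:12 dropbear[4558]: Child connection from 192.168.1.12:54380
Aug 1 15:43:12 dropbear[4558]: Login attempt for nonexistent user from 192.168.1.12:54380
Aug 1 15:43:12 dropbear[4558]: Login attempt for nonexistent user from 192.168.1.12:54380
Aug 1 15:43:12 dropbear[4558]: Exit before auth: Exited normally
"""

LINE = re.compile(r"dropbear\[(\d+)\]: (.*)$")
CONNECT = "Child connection from "

def triage(log_text):
    """Summarise each dropbear connection (keyed by PID) and name the likely cause."""
    sessions = defaultdict(
        lambda: {"peer": None, "unknown_user": 0, "exit_before_auth": False})
    for line in log_text.splitlines():
        match = LINE.search(line)
        if not match:
            continue  # not a dropbear entry
        pid, msg = int(match.group(1)), match.group(2)
        session = sessions[pid]
        if msg.startswith(CONNECT):
            session["peer"] = msg[len(CONNECT):]
        elif msg.startswith("Login attempt for nonexistent user"):
            session["unknown_user"] += 1
        elif msg.startswith("Exit before auth"):
            session["exit_before_auth"] = True
    report = {}
    for pid, session in sessions.items():
        if session["unknown_user"]:
            # The login name was rejected, so the pasted key is not the issue here.
            cause = "login name unknown to the router"
        elif session["exit_before_auth"]:
            cause = "closed before authentication, no username problem logged"
        else:
            cause = "no failure logged"
        report[pid] = dict(session, cause=cause)
    return report
```

When no login name is given, the OpenSSH client sends the local account name, so the router's login name has to be given explicitly (`ssh user@host`, or a `User` line in `~/.ssh/config`) when it differs from the one on the client.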
 
