I can access my Turris Omnia router on my LAN via …
ssh root@turris.local
followed by manually entering my Password.
I’ve done the normal SSH-COPY-ID root@turris.local from my laptop’s User/.ssh directory but when I try testing my key-based access…I’m still prompted for my password.
Is this type of access allowed, and if so, does it need to be first enabled somehow in the Luci/Foris admin interfaces?
Yes … the access to the router via SSH with key is supported.
Perhaps I should have been more clear.
I use SSH with keys on over a dozen other servers using the SSH-COPY-ID key exchange utility and can readily access my Turris with SSH and a password.
What I don’t understand is why same method to establish password-less SSH that works on all my other servers, fails with my Turris Omnia after which I still have to use a password to gain SSH access?
Do you know the specific process or utilities required to establish key-based Turris access by SSH clients without the use of passwords?
Have you enabled PubkeyAuthentication in your /etc/ssh/sshd_config?
OpenWrt, and Turris, use dropbear not openssh:
Which os/distro/version do you have? There have been changes in ssh key authentication e.g. in newest Debian (12).
I needed do add to my ssh_config:
Host gw
PubkeyAcceptedAlgorithms +ssh-rsa
I’m running Turris OS 6.4.4
My client desktop is latest OSX Sonoma
All my other servers are Debian 12.4 and I’m able to use SSH-COPY-ID user@ip-address from my ~/.ssh directory with my keys, after which I can simply access all my servers with
ssh user@ip-address
However I don’t understand why I’m unable to do this with my Turris router.
Even after uploading keys to Turris, I can only SSH to my router with a password.
Where on my Turris router are the keys kept for clients allowed SSH access?
The DropBear instructions seem to indicate I can use my pre-existing keys and simply use
SSH-COPY-ID user@turris.local or
SSH-COPY-ID user@192.168.1.1
But neither of those approaches work.
Alternatively, the DropBear docs say I can upload my key to the router via LUCI web interface by:
Navigating to LuCI → System → Administration → SSH-Keys
However, that menu path does not lead to SSH-Keys but rather to a form to change the router’s password.
On my Turris router or my desktop client?
Made changes to following lines in /etc/ssh/sshd_config
PubkeyAuthentication yes
PubkeyAcceptedAlgorithms +ssh-rsa
And I’m now completely locked out of ALL ssh connections with or without password.
OpenWrt, and Turris, use dropbear not openssh:
Dropbear is available as an option in Turris OS, but the default is OpenSSH (currently 8.4p1).
Its configuration keeps the default values of the parameters related to key authentication. It means that the autentication via keys is enabled. The only thing you have to do is to add your public key into /root/.ssh/authorized_keys. Then you should be able to login as root via your SSH key. I’ve tried it now in the current TOS 6.4.4 and in the prepared 6.5.0 and it worked in both.
Verify the access rights for authorized_keys. If they are too broad the sshd will refuse to use that file.
So I need to manually upload my public key into /root/.ssh/authorized_keys rather than use SSH-COPY-ID from my client machine?
Any idea why SSH-COPY-ID method is disallowed in Turris/OpenWRT?
Where exactly was that said?
Since SSH-COPY-ID works to upload public keys to all my other servers, why is that common method failing with Turris/OpenWRT? If I can manually upload the public key file why is Turris’s default OpenSSH software not interacting with SSH-COPY-ID?
I’m currently locked out of my router but when I’ve regained access plan to look around at the defaults and try to make such changes (and a snapshot to capture them) that will permit use of SSH-COPY-ID and not require manual file uploading and/or tweaking which got me locked out to begin with.
I may wait until TurrisOS 6.5 is officially out then completely reflash my router’s firmware.
ssh-copy-id is relatively simple shell script, that uploads the public key over sftp. OpenSSH has no way of knowing the use of ssh-copy-id.
Did you check the permissions on authorized_keys?
You can get the emergency SSH access by following steps described in the official documentation.
I prefer and suggest to MANUALLY upload they keys enabling control onto my infrastructure. And to have have rigid reporting on the keys placed there.
Yes, there are needs and ways to automate this (for larger setups), but applicants should know what they are doing where and from where and when. Assume at least that your devices aren’t “secure” or “uninfiltrated”.
I do experience the same issue for my personal user on Turris Omnia (do not like the idea of woking as root allways and everywhere):
looks like you may try to enable PubkeyAuthentication in your /etc/ssh/sshd_config
no idea why this is no default? May be I did not get it, however, I do suffer from the same issue: ssh-copy was successful and SSH with key does not work.
manual upload of keys??? Just an excuse IMHO. Never did that, do not intend to do that, did not help to resolve any issue in my experience.
BTW: If you invoke ssh in verbose mode ssh -v talks about reasons why it refuses a key 
# on client that has key[s] (e.g. your laptop)
scp ~/.ssh/<my_key[s]>.pub root@turris.local:/root/.ssh/authorized_keys # log in with password once
# restart turris
ssh root@turris.local # no pw should be required
Once access via SSH key is confirmed, it’s best practice to disable SSH password access altogether:
vi /etc/ssh/sshd_config and ensure:
PasswordAuthentication no