SSH Server configuration


#1

Hello All,
I’ve received my Turris Omnia today! What a wonderful piece of hardware!
I’ve a question regarding ssh-server.
In the Luci interface I’ve found it installed and activated at boot, but no way to login into the router.
I’ve tried to install dropbear, and added a rule inside the firewall, but with no luck.
Any suggestion?
Thanks for your help.
Lorenzo


#2

It comes with openssh preinstalled listening on internal network (no need for dropbear), so after going through the configuration wizard (and setting password for advanced interface - aka LuCI) you should be able to connect via ssh directly to your router from your LAN network. Does this work? Just checking before going to the next step - making ssh available on WAN.


#3

Hi Miska,
thanks for your fast reply.
Actually it seems that the default ssh-server doesn’t work properly.
I’ve uninstalled it and installed dropbear and it works like a charm :slight_smile:
Dropbear is listening only on LAN interface.
Thanks!


#4

Hi, I had the same problem. I solved this by deleting all files /etc/ssh/ssh_host* with the LuCI run command and restarting ssh.


#5

(unfortunately they are right)

Yeap, they are right.
Even if you select Advanced config password (http:///config/system-password/ ) then sshd is NOT enabled.
Port 22 is simply down. And yes, I'm at LuCI.

FIX: http://i.imgur.com/sSd7A27.png
(call those command via custom-command call - http:///cgi-bin/luci/admin/system/commands)

ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key

ls -al /etc/ssh
/etc/init.d/sshd start

(more: ask.xmodulo.com/sshd-error-could-not-load-host-key.html)

Note: you can open port 23 ( /config/data-collection/ ) but that's a honeypot :wink: So don't go there.
Issue: http://i.imgur.com/7k8h86R.png

For debug (and developers):
# /etc/init.d/sshd start
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_rsa_key
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_dsa_key
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
key_load_public: invalid format
Could not load host key: /etc/ssh/ssh_host_ed25519_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.
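As an added example (not from the thread or from Turris OS), a small POSIX sh script that checks the sshd host keys for the empty or truncated files described in this post and regenerates only those, instead of deleting every /etc/ssh/ssh_host* file. It assumes the rsa, ecdsa and ed25519 key set and OpenSSH's ssh-keygen.

```shell
#!/bin/sh
# Added example: find sshd host keys that are empty or truncated (the state
# that makes sshd log "key_load_public: invalid format" and exit) and
# regenerate only those, instead of deleting every /etc/ssh/ssh_host* file.
# Assumes the rsa/ecdsa/ed25519 key set and ssh-keygen from OpenSSH.

# Returns 0 if the private key file looks intact: non-empty, and wrapped in
# the BEGIN/END lines that every OpenSSH private key format uses.
host_key_ok() {
    key="$1"
    [ -s "$key" ] || return 1
    head -n 1 "$key" | grep -q '^-----BEGIN ' || return 1
    tail -n 1 "$key" | grep -q '^-----END ' || return 1
}

# Prints the key types (one per line) whose private key in directory $1 is
# missing, empty or truncated.
broken_host_keys() {
    dir="$1"
    for type in rsa ecdsa ed25519; do
        host_key_ok "$dir/ssh_host_${type}_key" || echo "$type"
    done
}

# Moves each broken key pair aside (kept for inspection) and generates a
# fresh one with an empty passphrase, as sshd requires for host keys.
regenerate_broken_host_keys() {
    dir="$1"
    command -v ssh-keygen >/dev/null || { echo "ssh-keygen not found" >&2; return 1; }
    for type in $(broken_host_keys "$dir"); do
        key="$dir/ssh_host_${type}_key"
        [ -e "$key" ] && mv "$key" "$key.broken"
        [ -e "$key.pub" ] && mv "$key.pub" "$key.pub.broken"
        ssh-keygen -q -t "$type" -N '' -f "$key"
    done
}

# Typical use on the router (as root), followed by: /etc/init.d/sshd restart
# regenerate_broken_host_keys /etc/ssh
```

Keys regenerated this way get new fingerprints, so clients that already trusted the router will see a changed-host-key warning and need their known_hosts entry updated.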


#6

Well I solved this issue only deleting host keys, and then restarting sshd service.
Now works correctly.
Thanks for your help :slight_smile:


#7

Thanks for reporting the issue. It probably happens when the power is removed shortly after generating of the SSH host keys. We are preparing a fix for the init script which should cope with this problem. A workaround is to reset the router to factory defaults. Just press the button on the back of the router until three LEDs are lit (i.e. two red and one green). More information can be found in our documentation: https://www.turris.cz/doc/en/howto/omnia_factory_reset


#8

It also happened to me (generation of empty SSH host keys). By far the most annoying thing when you receive and start to use a Turris Omnia. In my case, there was no power failure at all. I assume it happened because I aborted the wizard, then resumed it.


#9

It also happened to me as you said. There was no power failure at all.

// This should be fixed by update, but in my case Omnia had the same local IP address as Turris, so I needed to skip the wizard (because you can edit the local IP address in step no. 8). I set it up in Foris and then I continued with the wizard and it was OK.


#10

I got a problem configuring the ssh-server, too. I can set a custom ssh port and connect via ssh using the password prompt, but I want to connect via key file.
My usual steps to achieve this are:

  • define the AuthorizedKeysFile in sshd:
    option AuthorizedKeysFile /etc/ssh/authorized_keys
  • make a new file /etc/ssh/authorized_keys with permissions 0600 and copy/paste the public key received from puttygen.exe
  • restart /etc/init.d/sshd

Unfortunately WinSCP keeps telling me turris omnia refuses my pubkey.


#11

Did you remember to put your modification in /etc/config/sshd?


#12

Yep, I did. Saved several times… :frowning:


#13

bump
No one has an idea where to put my key?


#14

If you cut’n’pasted a key to the file authorized_keys check that the key is still on one line and not broken to multiple lines by newlines in the middle of the key.


#15

And I have not used WinSCP but check if you can turn on verbose or debugging options and if they reveal anything. You can also check if there are any errors in /var/log/messages related to SSH, either in start up of SSH or when you try to connect.


#16

Thanks.
I turned on VERBOSE-loglevel and tried again, resulting in the following log-entries:
2016-12-14T22:10:23+01:00 info sshd[12532]: Connection from 192.168.{...} port 55532 on 192.168.xx.1 port yyyy
2016-12-14T22:10:23+01:00 info sshd[12532]: Authentication refused: bad ownership or modes for directory /
2016-12-14T22:10:23+01:00 info sshd[12532]: Failed publickey for root from 192.168.{...} port 55532 ssh2: RSA SHA256:{...}


#17

Got it:
You have to
chmod 755 / ; chmod 755 /etc ; chmod 755 /etc/ssh ; chmod 600 authorized_keys
Thanks for your help!


#18

It doesn’t like the group write permissions on the / directory. You can try to change the permissions of / directory with a command “chmod g-w /” but if you make a mistake with the permissions of / directory the whole system might stop working and require factory reset or reflashing.

Another option is to disable the security check with the option “StrictModes off”, and finally probably the safest and most secure solution is to use the default /root/.ssh/authorized_keys for storing the key.
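The setup in #10 and the "bad ownership or modes for directory /" refusal in #16 come from sshd's StrictModes check, which inspects every directory above authorized_keys. As an added example (not from the thread or from OpenSSH), this POSIX sh script reproduces that check so the offending component is found before anything is chmod'ed; it assumes stat -c '%a %u' (GNU coreutils or Busybox, as on Turris OS) and walks from the key file up to a stop directory (sshd stops at the user's home; for /etc/ssh/authorized_keys that is /).

```shell
#!/bin/sh
# Added example: a simplified re-implementation of sshd's StrictModes path
# check for an authorized_keys file. Assumes stat -c '%a %u' (GNU/Busybox).

# Checks one path component: the owner must be root or the login user ($2),
# and neither group nor other may have write permission. Prints a diagnostic
# and returns 1 on failure.
check_path_component() {
    cp="$1"; cuid="$2"
    info=$(stat -c '%a %u' "$cp") || { echo "cannot stat $cp"; return 1; }
    mode=${info% *}; owner=${info#* }
    if [ "$owner" -ne 0 ] && [ "$owner" -ne "$cuid" ]; then
        echo "bad owner $owner on $cp"; return 1
    fi
    # 022 = group-write | other-write; the leading 0 makes $mode octal
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "bad modes $mode on $cp"; return 1
    fi
    return 0
}

# $1 = authorized_keys file, $2 = uid of the login user, $3 = directory at
# which to stop walking upwards (default /). Returns 0 if sshd would accept
# the file, 1 if any component fails (all failures are printed).
strictmodes_check() {
    file="$1"; uid="$2"; top="${3:-/}"; rc=0
    p="$file"
    while :; do
        check_path_component "$p" "$uid" || rc=1
        [ "$p" = "$top" ] && break
        [ "$p" = / ] && break          # safety stop at the filesystem root
        p=$(dirname "$p")
    done
    return $rc
}

# The layout from this thread, checked for root (uid 0), walking up to /:
# strictmodes_check /etc/ssh/authorized_keys 0 /
```

A reported component is the one to fix (e.g. chmod g-w on it), or the key can be moved under /root/.ssh so the walk stops at the home directory and / is never inspected.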


#19

I had a similar problem with ssh. Nothing helped, so finally I backed up my router configuration and did a factory reset. After the factory reset SSH worked OK.


#20

Can you please create a Luci package for the SSH server?
Open-WRT uses Dropbear and it has a web page in Luci.

Same for the DNS resolver: it has been replaced, but the Luci interface is for dnsmasq.