
Thread: Enigma2 enable ssh key access only

  1. #1


    Hi

    I need to access a receiver remotely, but before I do I want to only allow ssh access with a key. I can't seem to find the ssh config file. I am familiar with Linux, but it doesn't seem to be in the usual places like in the /etc dir or in the init dir.

    Where else would the ssh config file be?

    Any ideas?

    Thanks for any help.

  2. #2
    birdman
    Quote Originally Posted by Alankellyeire View Post
    I need to access a receiver remotely, but before I do I want to only allow ssh access with a key. I can't seem to find the ssh config file. I am familiar with Linux, but it doesn't seem to be in the usual places like in the /etc dir or in the init dir.
    It's running busybox, so the ssh is dropbear.
    You'll find the key as /etc/dropbear/dropbear_rsa_host_key. You'll need to run dropbearconvert on any ssh rsa/dsa key you already have.
    Also - add /etc/dropbear to the backup locations, so that you keep the same key over any re-flash + restore.
    MiracleBox Prem Twin HD - 2@DVB-T2 + Xtrend et8000 - 5(incl. 2 different USBs)@DVB-T2[terrestrial - UK Freeview HD, Sandy Heath] - LAN/USB-stick/HDD


  4. #3

    Hey

    I managed to convert the key using the following command, just in case anyone else was wondering

    Code:
    dropbearconvert openssh dropbear /home/me/.ssh/id_rsa /etc/dropbear/dropbear_rsa_host_key

    I'm still being asked for a password. Any ideas?

    Do I need to change a setting, and is there a way to turn off password access like openssh?


  6. #4
    birdman
    Quote Originally Posted by Alankellyeire View Post
    I'm still being asked for a password. Any ideas?
    Are you telling ssh that you want to login as root (ssh root@vixbox)? If not it will prompt you for a password as that key only applies to root.

    .... and is there a way to turn off password access like openssh
    These relevant options exist for the dropbear server (there are others - type "dropbear -?" to get them all):
    -w Disallow root logins
    -s Disable password logins
    -g Disable password logins for root
    -B Allow blank password logins

    You can set these by editing the /etc/default/dropbear file and setting the DROPBEAR_EXTRA_ARGS value. The default sets -B.
    If you change that file add it to your backup list as well.

  8. #5

    Quote Originally Posted by birdman View Post
    Are you telling ssh that you want to login as root (ssh root@vixbox)? If not it will prompt you for a password as that key only applies to root.

    These relevant options exist for the dropbear server (there are others - type "dropbear -?" to get them all):
    -w Disallow root logins
    -s Disable password logins
    -g Disable password logins for root
    -B Allow blank password logins

    You can set these by editing the /etc/default/dropbear file and setting the DROPBEAR_EXTRA_ARGS value. The default sets -B.
    If you change that file add it to your backup list as well.
    I'm converting my rsa public key (id.rsa.pub) after transferring it to the vix box using scp. I then run dropbearconvert but get an error
    Code:
    Error: File does not begin with OpenSSH key header
    Error reading key from '/home/root/.ssh/id_dsa.pub'
    I have tried with the private key also, on a Mac El Capitan and Ubuntu 14.04, with the same results for both.

    Am I missing a step? Any guides online I can find are for Windows using PuTTYgen.

    Here is some of the output from the debug
    Code:
    debug1: Host '192.168.0.103' is known and matches the RSA host key.
    debug1: Found key in /Users/AlanKelly/.ssh/known_hosts:9
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /Users/AlanKelly/.ssh/id_rsa
    debug1: Authentications that can continue: publickey,password
    debug1: Trying private key: /Users/AlanKelly/.ssh/id_dsa
    debug1: Trying private key: /Users/AlanKelly/.ssh/id_ecdsa
    debug1: Trying private key: /Users/AlanKelly/.ssh/id_ed25519
    debug1: Next authentication method: password
    root@192.168.0.103's password: 
    debug1: Authentication succeeded (password).
    Authenticated to 192.168.0.103 ([192.168.0.103]:22).
    debug1: channel 0: new [client-session]
    debug1: Entering interactive session.
    debug1: Sending environment.
    debug1: Sending env LANG = en_IE.UTF-8

  9. #6
    birdman
    Quote Originally Posted by Alankellyeire View Post
    I'm converting my rsa public key (id.rsa.pub) after transferring it to the vix box using scp. I then run dropbearconvert but get an error
    Code:
    Error: File does not begin with OpenSSH key header
    Error reading key from '/home/root/.ssh/id_dsa.pub'
    It needs to be the private key. This is what happens with my pub/priv keys.

    Code:
    root@et8000:~# dropbearconvert openssh dropbear id_rsa.pub db.rsa
    Error: File does not begin with OpenSSH key header
    Error reading key from 'id_rsa.pub'
    root@et8000:~# dropbearconvert openssh dropbear id_rsa db.rsa
    Key is a ssh-rsa key
    Wrote key to 'db.rsa'
    However - while checking this it occurred to me that this is the host key, the one that a client can check to ensure it's reached the right host (or at least the same host as last time). It's specific to the host, so no point in generating it from your own key (although it does help to back it up so that it remains the same over any re-flash).

    So in fact I can't see anywhere that the box saves keys for checking. Indeed - I can slogin to root from an account that knows nothing about any ssh keys at all.

    A debug log when I login contains this:
    Code:
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentication succeeded (none).
    Authenticated to et8000 ([192.168.1.154]:22).
    debug1: channel 0: new [client-session]
    debug1: Entering interactive session.
    debug1: pledge: network
    debug1: Sending environment.
    Sorry about the misleading info.

  11. #7

    Quote Originally Posted by birdman View Post
    Quote Originally Posted by Alankellyeire View Post
    I'm converting my rsa public key (id.rsa.pub) after transferring it to the vix box using scp. I then run dropbearconvert but get an error
    Code:
    Error: File does not begin with OpenSSH key header
    Error reading key from '/home/root/.ssh/id_dsa.pub'
    It needs to be the private key. This is what happens with my pub/priv keys.

    Code:
    root@et8000:~# dropbearconvert openssh dropbear id_rsa.pub db.rsa
    Error: File does not begin with OpenSSH key header
    Error reading key from 'id_rsa.pub'
    root@et8000:~# dropbearconvert openssh dropbear id_rsa db.rsa
    Key is a ssh-rsa key
    Wrote key to 'db.rsa'
    However - while checking this it occurred to me that this is the host key, the one that a client can check to ensure it's reached the right host (or at least the same host as last time). It's specific to the host, so no point in generating it from your own key (although it does help to back it up so that it remains the same over any re-flash).

    So in fact I can't see anywhere that the box saves keys for checking. Indeed - I can slogin to root from an account that knows nothing about any ssh keys at all.

    A debug log when I login contains this:
    Code:
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentication succeeded (none).
    Authenticated to et8000 ([192.168.1.154]:22).
    debug1: channel 0: new [client-session]
    debug1: Entering interactive session.
    debug1: pledge: network
    debug1: Sending environment.
    Sorry about the misleading info.
    Yes, I have tried it with the private key and it writes it to the file, but any guide I am coming across says it should be the public key. OK, so just to be clear, you're saying it's not possible at all because dropbear doesn't generate a key? Maybe this is why I'm finding it so hard to find any guides on the matter.

  12. #8
    birdman
    Quote Originally Posted by Alankellyeire View Post
    OK, so just to be clear, you're saying it's not possible at all because dropbear doesn't generate a key? Maybe this is why I'm finding it so hard to find any guides on the matter.
    There are multiple keys involved in an ssh connexion.

    • The host key, which lets you know you are connecting to the same host as last time. This gets saved (well, a signature does) in your local known_hosts file (at least on Unix/Linux). This is what the /etc/dropbear/dropbear_rsa_host_key key is.
    • Authentication keys. This is where you'd have the private key on the client side to be checked against the public key on the server side. These would be under ~/.ssh. These don't seem to be used at all.

  14. #9

    Quote Originally Posted by birdman View Post
    There are multiple keys involved in an ssh connexion.

    • The host key, which lets you know you are connecting to the same host as last time. This gets saved (well, a signature does) in your local known_hosts file (at least on Unix/Linux). This is what the /etc/dropbear/dropbear_rsa_host_key key is.
    • Authentication keys. This is where you'd have the private key on the client side to be checked against the public key on the server side. These would be under ~/.ssh. These don't seem to be used at all.
    Thanks. I'll look into installing openssh or something like it so.

    I appreciate the help.

  15. #10
    birdman
    Quote Originally Posted by birdman View Post
    It's running busybox, so the ssh is dropbear.
    Not quite sure why I thought the former meant the latter.

    Anyway - I (think) I've worked out a way to do it.

    1. Create a .ssh directory for root.
    2. Put an authorized_keys file in it. This should contain the public copy of the key you wish to authenticate with (one line starting ssh-rsa.....).
    3. Then change the /etc/default/dropbear file to contain:
      Code:
      DROPBEAR_EXTRA_ARGS="-g"


    For this to persist over any reflashes you'll need to add /etc/default/dropbear and /home/root/.ssh to the backup file list.

  17. #11

    Quote Originally Posted by birdman View Post
    Not quite sure why I thought the former meant the latter.

    Anyway - I (think) I've worked out a way to do it.

    1. Create a .ssh directory for root.
    2. Put an authorized_keys file in it. This should contain the public copy of the key you wish to authenticate with (one line starting ssh-rsa.....).
    3. Then change the /etc/default/dropbear file to contain:
      Code:
      DROPBEAR_EXTRA_ARGS="-g"


    For this to persist over any reflashes you'll need to add /etc/default/dropbear and /home/root/.ssh to the backup file list.
    No luck, bud.

    This has me baffled. On the man page it says dropbearconvert is needed to convert the private key, either openssh or dropbear, to the other. Since Mac and Ubuntu use openssh, shouldn't I need to use it?

    I'm going to keep searching. If I find a solution or anything helpful I'll post it here.

    Thanks

  18. #12
    birdman
    Quote Originally Posted by Alankellyeire View Post
    This has me baffled. On the man page it says dropbearconvert is needed to convert the private key, either openssh or dropbear, to the other. Since Mac and Ubuntu use openssh, shouldn't I need to use it?
    You don't need to convert any keys.

    Oh, and I forgot to add the final point above.

    Restart* dropbear, or reboot the system (which will achieve the same thing):

    *
    Code:
    /etc/init.d/dropbear restart
    Last edited by birdman; 21-04-17 at 00:20.

  20. #13

    I have been restarting after every settings change but still no luck. I'll try again when I finish work and I'll post all the commands I'm using.

    Can you connect to your box using keys generated using openssh? Like I'm trying to do?

  21. #14
    birdman's Avatar
    Title
    Moderator
    Join Date
    Sep 2014
    Location
    Hitchin, UK
    Posts
    7,769
    Thanks
    235
    Thanked 1,656 Times in 1,305 Posts
    Quote Originally Posted by Alankellyeire View Post
    Can you connect to your box using keys generated using openssh? Like I'm trying to do?
    Yes, I just copy the id_rsa.pub file from the account I want to connect to root to /home/root/.ssh/authorized_keys.

    Having done that and restarted dropbear with a "-g" option the result is:

    Account with that id_rsa.pub
    Code:
    [parent]: slogin root@et8000
    root@et8000:~#
    Account without that id_rsa.pub
    Code:
    tester@parent ~ $ slogin root@et8000
    root@et8000's password: 
    Permission denied, please try again.
    It still prompts for a password, so that you don't know why it's not letting you in.

    If I wanted to allow multiple accounts to connect I'd just catenate all of their id_rsa.pub files into the authorized_keys file.

  23. #15

    Hey bud, I got it working. Your method was right and there's no need to convert the key. I think that copying and pasting the key in manually, instead of just catenating the file with the key, was my issue. I never had an issue doing it before, but that's the only difference between now and my previous attempts.

    I can't believe it. It is the exact same as openssh, and here was me about to pull out my last few hairs.

    Here are the commands I used in case someone else is having trouble.

    Generate a key on your client
    Code:
    ssh-keygen -t rsa
    Transfer the public key to your enigma box using secure copy
    Code:
    scp ~/.ssh/id_rsa.pub root@<BOX-IP>:/home/root/.ssh/id_rsa.pub
    Catenate the authorized_keys file with the public key. If there isn't an authorized_keys file, make it.
    Code:
    cat ~/.ssh/id_rsa.pub >> /home/root/.ssh/authorized_keys
    Add the no password option below to the dropbear config file. Use the text editor vi.
    Code:
    DROPBEAR_EXTRA_ARGS="-s"
    Now restart dropbear
    Code:
    /etc/init.d/dropbear restart
    Last edited by Alankellyeire; 21-04-17 at 20:23.
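
A check of the finished setup, as an added example that is not part of any poster's message: it reads the `DROPBEAR_EXTRA_ARGS` flags listed in post #4, verifies that every `authorized_keys` entry is a single line (the hand-paste problem from post #15), and looks for loose permissions. The function names `audit_dropbear` and `demo`, the sample key and the temporary tree are constructed for illustration; the permission check assumes dropbear's behaviour of ignoring an `authorized_keys` file when it, `.ssh` or the home directory is group- or world-writable.

```shell
#!/bin/sh
# Added example. $1 is a path prefix, so a copy of the box's files can be
# checked offline ("" audits the live box); paths are those named in the thread.
audit_dropbear() {
    root=$1; rc=0
    conf="$root/etc/default/dropbear"
    home="$root/home/root"
    keys="$home/.ssh/authorized_keys"
    # Last DROPBEAR_EXTRA_ARGS assignment wins; strip the quotes around it.
    args=$(sed -n 's/^[[:space:]]*DROPBEAR_EXTRA_ARGS=//p' "$conf" 2>/dev/null |
           tail -n 1 | tr -d "\"'")
    pw_off=no; blank=no
    for a in $args; do          # assumes each flag is written separately
        case $a in
            -s|-g) pw_off=yes ;;
            -B)    blank=yes ;;
        esac
    done
    if [ "$pw_off" = no ]; then
        echo "FAIL: password login for root is not disabled (set -s or -g)"; rc=1
        if [ "$blank" = yes ]; then echo "FAIL: -B also allows blank passwords"; fi
    fi
    if [ ! -s "$keys" ]; then
        echo "FAIL: $keys is missing or empty"; return 1
    fi
    # Each entry must be ONE line, "<key-type> <base64> [comment]"; a key that
    # was pasted by hand and wrapped leaves continuation lines that fail this.
    bad=$(awk 'NF && $1 !~ "^#" &&
        !($1 ~ "^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+)$" &&
          $2 ~ "^[A-Za-z0-9+/]+=*$") { n++ } END { print n + 0 }' "$keys")
    if [ "$bad" -gt 0 ]; then
        echo "FAIL: $bad malformed line(s) in authorized_keys"; rc=1
    fi
    # Group- or world-writable home, .ssh or key file (assumption in lead-in).
    loose=$(find "$home" "$home/.ssh" "$keys" -prune \( -perm -020 -o -perm -002 \))
    if [ -n "$loose" ]; then
        echo "FAIL: group/world-writable: $loose"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: key-only root login is configured"; fi
    return "$rc"
}

# Constructed sample: the default the thread mentions (-B) plus a wrapped key.
demo() {
    d=$(mktemp -d); mkdir -p "$d/etc/default" "$d/home/root/.ssh"
    chmod 755 "$d/home/root"; chmod 700 "$d/home/root/.ssh"
    echo 'DROPBEAR_EXTRA_ARGS="-B"' > "$d/etc/default/dropbear"
    printf 'ssh-rsa AAAAB3NzaC1yc2E\nAAAADAQABconstructed me@client\n' \
        > "$d/home/root/.ssh/authorized_keys"
    chmod 600 "$d/home/root/.ssh/authorized_keys"
    status=0; audit_dropbear "$d" || status=$?
    rm -rf "$d"; return "$status"
}
demo || true
```

On the box itself, `audit_dropbear ""` checks the live files; entries that carry an options prefix before the key type are reported as malformed by this simplified format check.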
