Dropbear Public Key Authentication

Good day, I tried to log in with a public/private key (I use SSH dropbear) by following these steps:

ssh-keygen 
ssh-copy-id dietpi@ipserver

In this case I got a permission error because I have disabled SSH access for the root user, so I had to re-enable SSH for the root user and run the command in question:

ssh-copy-id root@ipserver

The authorized key is placed in /etc/dropbear/authorized_keys

After that I copied /etc/dropbear/authorized_keys to /home/dietpi/.ssh/authorized_keys, which is my user, since I want to use it for a specific user and not for root, as root will be disabled later.

Then I changed the permissions:

chmod 700 /etc/dropbear
chmod 600 /etc/dropbear/authorized_keys

However, SSH access doesn’t work through the public/private key. Could you help me, please, if I’m doing something wrong? Thank you and greetings.

How do you connect via SSH? What client do you use?

Hi, thanks for the answer. I’m using cygwin64, but the problem is that it doesn’t ask me for the private/public key; it just asks me for the password and lets me in without problems. Regards

I never used cygwin, but is there a point within the client configuration where you can specify the private SSH key to be used? At least this is how it works within Putty.

I am also using non-root user to login.
Public keys are stored in ~/.ssh/authorized_keys

Thank you for answering. Could you confirm whether the way I mention is the right way to start a session? And could you explain to me how you connect with your private/public keys? Thank you.

Do a ls -la to verify that the permissions are good.
Then you need to specify where the private key is on the ssh client. By default they are in the same folder.

Location should be correct. Personally, I use the Putty SSH client. There I can specify the user and the private key file to be used.

Important to have correct permissions.

chmod 700 /home/dietpi/.ssh
chmod 600 /home/dietpi/.ssh/authorized_keys

Jan 17 18:05:04 DietPiProd dropbear[27309]: Pubkey auth succeeded for 'dietpi' with key sha1!! a7:x from 192.168.0.x

I think it generates the keys badly; I’m a little lost. I attach screenshots of the way I try to connect and of the permissions. If you see any mistake, I’ll appreciate your feedback.

How I try to connect with the private key:

$ ssh -i id_rsa dietpi@10.10.2.2
dietpi@10.10.2.2's password:

sudo chown dietpi:dietpi /home/dietpi/.ssh/authorized_keys

With this change it automatically connects as the dietpi user, but using the traditional method. Is that normal? If I use another SSH client, it requests a password, which I guess is correct. I hope for your feedback.

The whole point is to let the owner of the private key in without a password. The rest log in by entering the password.

I understand that part, but my question is whether it is normal to log in without specifying the key, as I show in the video, or what I did wrong. Thanks and greetings.

Where is the private key located? Within the same client directory you start the SSH session from?

From man ssh

 -i identity_file
         Selects a file from which the identity (private key) for public
         key authentication is read.  The default is ~/.ssh/id_dsa,
         ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519,
         ~/.ssh/id_ed25519_sk and ~/.ssh/id_rsa.  Identity files may also
         be specified on a per-host basis in the configuration file.  It
         is possible to have multiple -i options (and multiple identities
         specified in configuration files).  If no certificates have been
         explicitly specified by the CertificateFile directive, ssh will
         also try to load certificate information from the filename ob‐
         tained by appending -cert.pub to identity filenames.

So if your private key is found in there and matches, you’re good to go.


A known bug in ssh-copy-id btw: [ssh-copy-id] Do not treat Dropbear special by MichaIng · Pull Request #250 · openssh/openssh-portable · GitHub

This is the commit which broke it (“as in OpenWRT” means special handling for non-default Dropbear usage…): git.hands.com Git - ssh-copy-id.git/commit

Sadly Philip is not answering my emails.

I think so, if this is the path:

ksl6s@PC-DESKTOPL-BETO ~/.ssh
$ pwd
/home/ksl6s/.ssh

ksl6s@PC-DESKTOPL-BETO ~/.ssh
$ ls
id_rsa  id_rsa.pub  known_hosts  known_hosts.old

Thanks to everyone. It seems to be a matter of permissions and my ignorance of how the SSH connection works with private keys. Greetings and thanks again.
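
Added example, not part of the thread and not Dropbear's or OpenSSH's own code: a small audit of the two conditions the thread converged on, that `~/.ssh` and `authorized_keys` belong to the login user and are not writable by group or others (which 700/600 guarantees). The function names `check_path` and `audit_key_login` are hypothetical, and the script assumes a POSIX `ls -ldn` output layout.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not from Dropbear/OpenSSH.

# check_path PATH UID: print one finding; return 1 if PATH fails a check.
check_path() {
    cp_path=$1; cp_want=$2
    if [ ! -e "$cp_path" ]; then
        echo "MISSING   $cp_path"; return 1
    fi
    # ls -ldn prints "mode links uid gid ..."; numeric ids avoid name lookups.
    read -r cp_mode cp_links cp_owner cp_rest <<EOF
$(ls -ldn "$cp_path")
EOF
    # A file copied by root stays owned by root until it is chown'ed.
    if [ "$cp_owner" != "$cp_want" ]; then
        echo "BAD OWNER $cp_path (uid $cp_owner, expected $cp_want)"; return 1
    fi
    # Mode string: character 6 is group-write, character 9 is other-write.
    case $cp_mode in
        ?????w*|????????w*)
            echo "WRITABLE  $cp_path ($cp_mode)"; return 1 ;;
    esac
    echo "OK        $cp_path ($cp_mode)"
}

# audit_key_login HOME UID: check ~/.ssh and authorized_keys for one account.
audit_key_login() {
    ak_home=$1; ak_uid=$2; ak_rc=0
    for ak_p in "$ak_home/.ssh" "$ak_home/.ssh/authorized_keys"; do
        check_path "$ak_p" "$ak_uid" || ak_rc=1
    done
    return $ak_rc
}

# Usage: sh audit.sh /home/dietpi "$(id -u dietpi)"
if [ "$#" -eq 2 ]; then
    audit_key_login "$1" "$2"
fi
```

Once the audit passes, the server-side log line quoted above (`Pubkey auth succeeded for 'dietpi'`) is the way to confirm that a login really used the key, since the client tries the default identity files in `~/.ssh` even when no `-i` option is given.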