
Dropbear not accepting SSH auth using public keys

Open zajdee opened this issue 5 months ago • 1 comments

Hello,

there's a vendor (Ubiquiti) using Dropbear in their gear. One piece of their equipment (airFiber 60 LR) has recently got a firmware update (GP.v2.6.6) with Dropbear v2025.87 on it.

GP# /bin/dropbear -h
Dropbear server v2025.87 https://matt.ucc.asn.au/dropbear/dropbear.html

Since this update, logging in using SSH keys doesn't work anymore. I can't figure out how to get any useful logs from Dropbear, so that's why I'm writing here.

For debugging, I am launching Dropbear as follows:

GP# /bin/dropbear -E -F -r /etc/persistent/dropbear_rsa_host_key -r /etc/persistent/dropbear_ed25519_host_key -p 2222 -D /etc/persistent/.ssh
[22060] Jul 20 09:01:12 Not backgrounding
[22061] Jul 20 09:01:17 Child connection from 10.0.0.2:51793
[22061] Jul 20 09:01:20 Exit before auth from <10.0.0.2:51793>: (user 'ubnt', 0 fails): Exited normally
[22063] Jul 20 09:02:24 Child connection from 10.0.0.2:52082
[22063] Jul 20 09:02:36 Exit before auth from <10.0.0.2:52082>: (user 'ubnt', 0 fails): Exited normally
[22064] Jul 20 09:03:05 Child connection from 10.0.0.2:52258
[22064] Jul 20 09:08:05 Exit before auth from <10.0.0.2:52258>: (user 'ubnt', 0 fails): Timeout before auth

(The system launches Dropbear as /bin/dropbear -F -r /etc/persistent/dropbear_rsa_host_key -r /etc/persistent/dropbear_ed25519_host_key -p and /etc/persistent/.ssh is the root user's home directory)

The authorized_keys file is present and has the correct permissions and content.

GP# ls -la /etc/persistent/.ssh
drwx------    2 ubnt     admin            0 Jul 18 11:33 .
drwxr-xr-x    4 ubnt     admin            0 Jul 18 11:33 ..
-rw-------    1 ubnt     admin         1753 Jul 20 08:58 authorized_keys

The issue persists even when the authorized_keys file is present in /etc/dropbear.

GP# cat /etc/persistent/.ssh/authorized_keys
ssh-rsa (key1) [email protected]
ssh-rsa (key2) [email protected]
ssh-ed25519 (key3) [email protected]
ssh-rsa (key4) [email protected]
ssh-ed25519 (key5) [email protected]

Note that the root user is renamed to ubnt in the system, and the root group is renamed to admin:

GP# id
uid=0(ubnt) gid=0(admin)

The SSH client tries all my keys (RSA and ED25519), the Dropbear server still reports it's accepting the publickey authentication, but none of the keys is accepted.

debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug3: kex_input_ext_info: extension server-sig-algs
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,rsa-sha2-256,ssh-rsa>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug3: ssh_get_authentication_socket_path: path '/private/tmp/com.apple.launchd.kZak9wnXxV/Listeners'
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 2 keys
debug1: Will attempt key: /Users/user/.ssh/key4 RSA SHA256:FhyoAHTK5sTqV2s+Fw3KufRqRVI/h2SLg5hqrAhXN6o explicit agent
debug1: Will attempt key: /Users/user/.ssh/key5 ED25519 SHA256:/LrXZ+DgNSadYyBfyNiD3BknwdfQ7BFPBMEoT5eOZAQ agent
debug2: pubkey_prepare: done
debug1: Offering public key: /Users/user/.ssh/key4 RSA SHA256:FhyoAHTK5sTqV2s+Fw3KufRqRVI/h2SLg5hqrAhXN6o explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /Users/user/.ssh/key5 ED25519 SHA256:/LrXZ+DgNSadYyBfyNiD3BknwdfQ7BFPBMEoT5eOZAQ agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
[email protected]'s password:

How can I debug this further, please? Is there something to check? What types of keys are accepted in v2025.87?

zajdee avatar Jul 20 '25 07:07 zajdee

Dropbear 2025.87 should accept RSA and ed25519 if they're configured, and it looks like they are:

debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,rsa-sha2-256,ssh-rsa>

Might be worth contacting Ubiquiti support, I assume they have made modifications at least to use a custom authorized_keys path.

mkj avatar Jul 20 '25 12:07 mkj
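
An added example, not part of the original thread and not Dropbear or Ubiquiti code: a client-side triage script that pairs each key offered in an `ssh -vvv` trace with the server's reply (message 51 is SSH_MSG_USERAUTH_FAILURE, 60 is SSH_MSG_USERAUTH_PK_OK in RFC 4252) and checks it against a copy of authorized_keys and the advertised server-sig-algs. The function names, the sample keys and the sample trace are constructed for illustration.

```python
import base64, hashlib, re, struct

REPLIES = {51: "USERAUTH_FAILURE", 52: "USERAUTH_SUCCESS", 60: "USERAUTH_PK_OK"}
ALGS = {"RSA": {"rsa-sha2-256", "rsa-sha2-512", "ssh-rsa"}, "ED25519": {"ssh-ed25519"}}

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def authorized_fingerprints(text):
    """Fingerprints of every RSA/Ed25519 key line in an authorized_keys file."""
    keys = re.findall(r"(?:^|\s)ssh-(?:rsa|ed25519)\s+([A-Za-z0-9+/]+=*)", text, re.M)
    return {fingerprint(k) for k in keys}

def diagnose(trace, authorized_text):
    """Pair each offered key in `ssh -vvv` output with the server's reply."""
    listed, sig_algs = authorized_fingerprints(authorized_text), set()
    results, pending = [], None
    for line in trace.splitlines():
        if m := re.search(r"server-sig-algs=<([^>]*)>", line):
            sig_algs = set(m.group(1).split(","))
        elif m := re.search(r"Offering public key: \S+ (\S+) (SHA256:\S+)", line):
            pending = {"type": m.group(1), "fp": m.group(2), "reply": None}
            results.append(pending)
        elif (m := re.search(r"receive packet: type (\d+)", line)) and pending:
            pending["reply"] = REPLIES.get(int(m.group(1)), m.group(1))
            pending = None  # only the first reply after an offer belongs to it
    for r in results:
        r["listed"] = r["fp"] in listed
        # None means the server sent no server-sig-algs, so nothing to compare
        r["alg_advertised"] = bool(ALGS.get(r["type"], set()) & sig_algs) if sig_algs else None
        if r["reply"] in ("USERAUTH_PK_OK", "USERAUTH_SUCCESS"):
            r["verdict"] = "accepted"
        elif not r["listed"]:
            r["verdict"] = "not in this authorized_keys"
        elif r["alg_advertised"] is False:
            r["verdict"] = "no advertised signature algorithm for this key type"
        else:
            r["verdict"] = "listed and advertised, still refused: check the file and permissions the server really uses"
    return results

# Constructed sample input (not real keys, not the poster's trace).
def _blob(body):  # SSH wire format: length-prefixed type name, then key bytes
    return base64.b64encode(b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-ed25519", body))).decode()
KEY_A, KEY_B = _blob(bytes(32)), _blob(bytes([1]) * 32)
SAMPLE_AUTHORIZED = f"ssh-ed25519 {KEY_A} admin@example\n"
SAMPLE_TRACE = "debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,rsa-sha2-256,ssh-rsa>\n" + "".join(
    f"debug1: Offering public key: /home/u/.ssh/{n} ED25519 {fingerprint(k)} agent\n"
    "debug3: send packet: type 50\ndebug3: receive packet: type 51\n" for n, k in (("a", KEY_A), ("b", KEY_B)))
```

The reply codes only appear at the client's debug3 level, so the trace has to be captured with `ssh -vvv`.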