Hello,
there's a vendor (Ubiquiti) using Dropbear in their gear. One of their devices (airFiber 60 LR) recently got a firmware update (GP.v2.6.6) with Dropbear v2025.87 on it.

```
GP# /bin/dropbear -h
Dropbear server v2025.87 https://matt.ucc.asn.au/dropbear/dropbear.html
```
Since this update, logging in using SSH keys doesn't work anymore.
I can't figure out how to get any useful logs from Dropbear, so that's why I'm writing here.
For debugging, I am launching Dropbear as follows:
```
GP# /bin/dropbear -E -F -r /etc/persistent/dropbear_rsa_host_key -r /etc/persistent/dropbear_ed25519_host_key -p 2222 -D /etc/persistent/.ssh
[22060] Jul 20 09:01:12 Not backgrounding
[22061] Jul 20 09:01:17 Child connection from 10.0.0.2:51793
[22061] Jul 20 09:01:20 Exit before auth from <10.0.0.2:51793>: (user 'ubnt', 0 fails): Exited normally
[22063] Jul 20 09:02:24 Child connection from 10.0.0.2:52082
[22063] Jul 20 09:02:36 Exit before auth from <10.0.0.2:52082>: (user 'ubnt', 0 fails): Exited normally
[22064] Jul 20 09:03:05 Child connection from 10.0.0.2:52258
[22064] Jul 20 09:08:05 Exit before auth from <10.0.0.2:52258>: (user 'ubnt', 0 fails): Timeout before auth
```

(The system launches Dropbear as `/bin/dropbear -F -r /etc/persistent/dropbear_rsa_host_key -r /etc/persistent/dropbear_ed25519_host_key -p` and `/etc/persistent/.ssh` is the root user's home directory.)

The authorized_keys file is present and has the correct permissions and content.
```
GP# ls -la /etc/persistent/.ssh
drwx------ 2 ubnt admin 0 Jul 18 11:33 .
drwxr-xr-x 4 ubnt admin 0 Jul 18 11:33 ..
-rw------- 1 ubnt admin 1753 Jul 20 08:58 authorized_keys
```
The issue persists even when the authorized_keys file is present in /etc/dropbear.
```
GP# cat /etc/persistent/.ssh/authorized_keys
ssh-rsa (key1) email1@domain.com
ssh-rsa (key2) email2@domain.com
ssh-ed25519 (key3) email3@domain.com
ssh-rsa (key4) email4@domain.com
ssh-ed25519 (key5) email5@domain.com
```
Note that the root user is renamed to ubnt in the system, and the root group is renamed to admin:
```
GP# id
uid=0(ubnt) gid=0(admin)
```
The SSH client tries all my keys (RSA and ED25519), the Dropbear server still reports it's accepting the publickey authentication, but none of the keys is accepted.
```
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug3: kex_input_ext_info: extension server-sig-algs
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,rsa-sha2-256,ssh-rsa>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug3: ssh_get_authentication_socket_path: path '/private/tmp/com.apple.launchd.kZak9wnXxV/Listeners'
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 2 keys
debug1: Will attempt key: /Users/user/.ssh/key4 RSA SHA256:FhyoAHTK5sTqV2s+Fw3KufRqRVI/h2SLg5hqrAhXN6o explicit agent
debug1: Will attempt key: /Users/user/.ssh/key5 ED25519 SHA256:/LrXZ+DgNSadYyBfyNiD3BknwdfQ7BFPBMEoT5eOZAQ agent
debug2: pubkey_prepare: done
debug1: Offering public key: /Users/user/.ssh/key4 RSA SHA256:FhyoAHTK5sTqV2s+Fw3KufRqRVI/h2SLg5hqrAhXN6o explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /Users/user/.ssh/key5 ED25519 SHA256:/LrXZ+DgNSadYyBfyNiD3BknwdfQ7BFPBMEoT5eOZAQ agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
ubnt@10.0.0.1's password:
```
How can I debug this further, please?
Is there something to check?
What types of keys are accepted in v2025.87?
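
One check that can be run on a workstation against a copy of the file, as an added example that is not part of the original report and is not Dropbear or Ubiquiti code: it parses each authorized_keys line, confirms the declared key type matches the type embedded in the base64 blob, and computes the SHA256 fingerprint for comparison with the client's `Offering public key` lines. The sample keys are constructed and the function names are hypothetical.

```python
import base64, binascii, hashlib, struct

KNOWN_TYPES = {"ssh-rsa", "ssh-ed25519"}  # blob types behind the server-sig-algs above

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def check_line(line: str):
    """Return (fingerprint, problem) for one authorized_keys line; one of them is None."""
    fields = line.split()
    # Assumption: leading options contain no spaces, so the first known type starts the key.
    idx = next((i for i, f in enumerate(fields) if f in KNOWN_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        return None, "no supported key type followed by key data"
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
        (n,) = struct.unpack(">I", blob[:4])  # blob starts with a length-prefixed type name
    except (binascii.Error, ValueError, struct.error):
        return None, "key data is not valid base64 or is truncated (wrapped line?)"
    embedded = blob[4:4 + n].decode("ascii", "replace")
    if embedded != fields[idx]:
        return None, f"declared {fields[idx]} but blob contains {embedded!r}"
    return fingerprint(blob), None

def audit(text: str, offered: set) -> dict:
    """Map line number -> (fingerprint, problem, offered_by_client)."""
    report = {}
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            fp, problem = check_line(line)
            report[no] = (fp, problem, fp in offered)
    return report

def sample_blob(seed: int) -> bytes:
    """Constructed ed25519-shaped blob (not a real key): type name + 32 key bytes."""
    name = b"ssh-ed25519"
    return struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([seed]) * 32

GOOD = base64.b64encode(sample_blob(1)).decode()
SAMPLE = "\n".join([                      # constructed authorized_keys content
    f"ssh-ed25519 {GOOD} email3@domain.example",
    f"ssh-rsa {GOOD} email1@domain.example",           # declared type != blob type
    f"ssh-ed25519 {GOOD[:-6]} email5@domain.example",  # truncated key data
])
OFFERED = {fingerprint(sample_blob(1))}   # stands in for the client's offered fingerprints

if __name__ == "__main__":
    for no, (fp, problem, hit) in audit(SAMPLE, OFFERED).items():
        print(no, fp or problem, "offered by client" if hit else "")
```

A line whose fingerprint is not among those the client offers, or that reports a problem, cannot match regardless of how the server is configured.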