SSH into Devices running old versions of Dropbear SSH (e.g. UniFi APs, and other routers)

Lachy
Lachy
Community Member
edited May 2022 in SSH

After a lot of investigation in a thread on slack over the past 2 days, I discovered that 1Password's ssh-agent doesn't support logging into UniFi Access Points, which are running an old version of Dropbear SSH. This is an alternative SSH implementation that's commonly used on low power devices like routers and access points.

I'm just posting this here for anyone else who may encounter this issue trying to log into a similar device.

If you also have trouble logging into a device running Dropbear, check the version:

# ssh -V
Dropbear v2017.75

That version of Dropbear only supports ssh-rsa signatures and not rsa-sha2-256 or rsa-sha2-512. Support for these signature algorithms were added in version 2020.79.

Routers with OpenWRT firmware installed on them also run Dropbear. If you have this, this may be a problem for you depending on when you most recently updated the firmware.

The ssh logs when this occurs will look something like this:

$ ssh -vvv 10.0.1.10
...
debug3: sign_and_send_pubkey: signing using ssh-rsa SHA256:<redacted fingerprint>
sign_and_send_pubkey: signing failed for RSA "" from agent: agent refused operation
...

1Password's logs show this error:

[1P:/Users/builder/builds/BhfSvM9x/0/dev/core/core/ssh/op-ssh-agent/src/lib.rs:306] Error handling sign request: Key(expected RSA signature algorithm, but found a Ed25519 one)

If you encounter this problem, upgrade your device firmware if possible, or complain to the vendor that their devices are running an out of date SSH server.

Thanks to @K.J._1P for helping to figure this out with me in slack.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • XIII
    XIII
    Community Member

    My ASUS router runs Asuswrt-Merlin (third-party) firmware that also uses Dropbear.

    Luckily it's more up-to-date:

    ASUSWRT-Merlin RT-AC86U 386.4_0 Sat Jan  1 18:43:23 UTC 2022
    ➜ ssh -V
    Dropbear v2020.81
    

    I can successfully log in to that router using the 1Password SSH Agent :)

  • Lachy
    Lachy
    Community Member

    OpenSSH 8.8 has also disabled sha-rsa by default, so anyone running that client would also have difficulty using ssh keys with these old ssh servers.

    https://www.openssh.com/txt/release-8.8

    However, they do apparently provide a way to explicitly re-enable it for old hosts according to those release notes.

    Host old-host
        HostkeyAlgorithms +ssh-rsa
        PubkeyAcceptedAlgorithms +ssh-rsa
    

    This doesn't work with the 1Password ssh-agent.

  • bramd
    bramd
    Community Member

    I have the same issue with a few Mikrotik routers, even on their latest RouterOS 7.x. I use the ssh client in WSL (Windows subsystem for Linux) and as a workaround i unset SSH_AUTH_SOCK and load the key from the filesystem using the -i to ssh.

  • compunction
    compunction
    Community Member
    edited March 2022

    I have a similar issue, but with openssh on UniFi Cloud Key

    Server: OpenSSH_7.4p1 Debian-10+deb9u7, OpenSSL 1.0.2u 20 Dec 2019
    Error: sign_and_send_pubkey: signing failed for RSA "" from agent: agent refused operation

    Working linux box is Server: OpenSSH_8.4p1 Ubuntu-6ubuntu2.1, OpenSSL 1.1.1l 24 Aug 2021

    Client is: OpenSSH_8.6p1, LibreSSL 3.3.5

    Key works fine if I do a -i in and unset SSH_AUTH_SOCK

  • compunction
    compunction
    Community Member

    I found this error in the logs:
    ERROR 2022-03-24T15:24:37.782 tokio-runtime-worker(ThreadId(3)) [1P:/Users/builder/builds/BhfSvM9x/0/dev/core/core/ssh/op-ssh-agent/src/lib.rs:377] Error handling sign request: Key(signing with ssh-rsa is unsupported; SHA-1 may be insecure)
    ERROR 2022-03-24T15:24:37.798 tokio-runtime-worker(ThreadId(7)) [1P:/Users/builder/builds/BhfSvM9x/0/dev/core/core/ssh/op-ssh-agent/src/lib.rs:377] Error handling sign request: Key(signing with ssh-rsa is unsupported; SHA-1 may be insecure)

    But when I tried to add these to my config file it got an error:
    Host old-host
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa

    That and this seems like the op-ssh-agent does not support the legacy key signing.

  • Correct. We currently don't support ssh-rsa / SHA-1 signatures, but because of the compatibility issues this imposes, we're working on adding support for it anyway.

  • compunction
    compunction
    Community Member
    edited March 2022

    @floris_1P I like the idea of dropping insecure protocols and if at some day unifi updates SSHD I would prefer not to have what I assume is a potential Man in the middle vector (of course I only ssh into these devices on network, so lower risk). Maybe a configuration checkbox for legacy protocols on the developer config menu? If it could be done by key that would be even better so I could enable just for the key I use for Unifi. Just thinking not sure what is possible ;-)

  • @compunction You can already opt out of ssh-rsa through your SSH config:

    HostkeyAlgorithms -ssh-rsa
    PubkeyAcceptedAlgorithms -ssh-rsa
    
  • compunction
    compunction
    Community Member

    @floris_1P If I do that in my client config I get:

    debug1: Offering public key: removed RSA SHA256:+Q4xSw+GPZrn+v3tMjfTrOqw2Zsiy+ChL/YajpdFmuc agent
    debug1: send_pubkey_test: no mutual signature algorithm
    debug1: Offering public key: removed RSA SHA256:IIP+sCXT7oTh4Ua8AobOPCNoJklDC55UfmHvtyPYSeM agent
    debug1: send_pubkey_test: no mutual signature algorithm

    If I reconfigure the SSHD, I would expect it to get broken on the next firmware update.

  • floris_1P
    edited March 2022

    @compunction Yes, sorry for the confusion, but all I meant to say that if we now add ssh-rsa support to the agent, you would be free to opt out of that using that snippet I posted. But yes, if the server only supports ssh-rsa, then it is expected that opting out results in a broken auth flow.

This discussion has been closed.