Re: Authenticating to dropbear using ecdsa-sha2-nistp256

2022-11-10 Thread Matt Johnston
On 2022-11-11 11:50 am, Rogan Dawes wrote:

> I was under the impression that the ssh protocol included a handshake step 
> where supported algorithms were exchanged, and keys that do not match are 
> eliminated?

For public key auth the client sends each public key it has to offer,
the server sends a "key OK" message if it's accepted, and then the
client sends its signature. So Dropbear on openwrt gets the ecdsa key
offer and sends a failure response since it doesn't accept that ecdsa
key type.

Matt
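
The exchange Matt describes above, as an added example that is not part of this thread or of Dropbear's own code: a small Python model of the RFC 4252 "publickey" query step. The client sends SSH_MSG_USERAUTH_REQUEST with the signature flag FALSE (an offer, not a signed request); the server answers SSH_MSG_USERAUTH_PK_OK if it accepts that key type and SSH_MSG_USERAUTH_FAILURE otherwise. The key blob and the two algorithm sets (a build without ecdsa standing in for the OpenWrt package, and one with it) are constructed for the example; the message layout follows RFC 4251/4252 encoding.

```python
"""Model of the SSH public-key offer/response step (RFC 4252 section 7).
Added example; not Dropbear code. Key blob and algorithm sets are constructed."""
import struct

SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_PK_OK = 60

# Constructed stand-in for a real ECDSA public key encoding.
FAKE_ECDSA_BLOB = b"constructed-ecdsa-p256-key-blob"

# Assumed key types: a build without ECC (as the thread says the OpenWrt
# package is built) versus one with it. These sets are constructed for
# illustration, not read from any Dropbear configuration.
DROPBEAR_NO_ECC = {"ssh-rsa", "rsa-sha2-256", "ssh-ed25519"}
DROPBEAR_WITH_ECC = DROPBEAR_NO_ECC | {
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Read one RFC 4251 string at offset; return (value, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_publickey_query(user: str, algo: str, blob: bytes) -> bytes:
    """Client side: 'is this key acceptable?' (boolean FALSE, no signature)."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(b"ssh-connection")
            + ssh_string(b"publickey")
            + b"\x00"                  # FALSE: offer only, no signature yet
            + ssh_string(algo.encode())
            + ssh_string(blob))


def parse_userauth_request(msg: bytes) -> dict:
    """Server side: decode the fields of a publickey USERAUTH_REQUEST."""
    if not msg or msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    off = 1
    user, off = read_string(msg, off)
    service, off = read_string(msg, off)
    method, off = read_string(msg, off)
    if method != b"publickey":
        raise ValueError("only the publickey method is modelled here")
    has_sig = msg[off] != 0
    off += 1
    algo, off = read_string(msg, off)
    blob, off = read_string(msg, off)
    return {"user": user.decode(), "service": service.decode(),
            "has_sig": has_sig, "algo": algo.decode(), "blob": blob}


def server_respond(msg: bytes, accepted_algos) -> bytes:
    """Server side: PK_OK if the key type is supported, else USERAUTH_FAILURE."""
    req = parse_userauth_request(msg)
    if req["algo"] not in accepted_algos:
        # The outcome in the thread: unsupported key type, so the offer is
        # refused and the client moves on to its next key, if it has one.
        return (bytes([SSH_MSG_USERAUTH_FAILURE])
                + ssh_string(b"publickey")   # methods that may continue
                + b"\x00")                   # partial success = FALSE
    if not req["has_sig"]:
        # Key type accepted: echo algorithm and blob so the client can sign.
        return (bytes([SSH_MSG_USERAUTH_PK_OK])
                + ssh_string(req["algo"].encode())
                + ssh_string(req["blob"]))
    raise NotImplementedError("signature verification is outside this example")


def response_name(resp: bytes) -> str:
    """Human-readable name of the server's first byte."""
    return {SSH_MSG_USERAUTH_FAILURE: "SSH_MSG_USERAUTH_FAILURE",
            SSH_MSG_USERAUTH_PK_OK: "SSH_MSG_USERAUTH_PK_OK"}.get(resp[0], "unknown")


if __name__ == "__main__":
    query = build_publickey_query("root", "ecdsa-sha2-nistp256", FAKE_ECDSA_BLOB)
    for label, algos in (("Dropbear without ECC", DROPBEAR_NO_ECC),
                         ("Dropbear with ECC", DROPBEAR_WITH_ECC)):
        print(f"{label}: {response_name(server_respond(query, algos))}")
```

Running it prints a failure for the build without ECC and PK_OK for the build with it, which is the client-side "Offering public key: ecdsa-sha2-nistp256 ... agent" followed by no acceptance that the thread reports. The key-exchange negotiation Rogan has in mind (SSH_MSG_KEXINIT) covers host key and cipher algorithms, not the client's user keys; whether a particular user key type is acceptable is only learned from this per-key offer.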

Re: Authenticating to dropbear using ecdsa-sha2-nistp256

2022-11-10 Thread Rogan Dawes
On Fri, 11 Nov 2022 at 03:20, Matt Johnston wrote:

> On Tue, Nov 08, 2022 at 04:57:40PM +0200, Rogan Dawes wrote:
> > The targets that I have available are OpenWrt 21.02.1 running Dropbear
> > v2020.81 and 22.03.0 running Dropbear v2022.82.
>
> Ah, OpenWRT doesn't include ecdsa support (for size
> reasons) - only remembered that now. You'll have to use rsa
> or ed25519 instead if possible.
>
> It's possible to rebuild their package with the DROPBEAR_ECC
> openwrt config option.
>
> Cheers,
> Matt


I was under the impression that the ssh protocol included a handshake step
where supported algorithms were exchanged, and keys that do not match are
eliminated?

I’ll check what that shows in the logs.

Thanks

Rogan


Re: Authenticating to dropbear using ecdsa-sha2-nistp256

2022-11-10 Thread Matt Johnston
On Tue, Nov 08, 2022 at 04:57:40PM +0200, Rogan Dawes wrote:
> I have created an SSH private key in my M1 Mac's Secure Enclave, and am
> using it to SSH to various targets. Those using OpenSSH work fine, and I am
> prompted to unlock the SE. However, those using dropbear do not work,
> giving me the following result on the client:
> 
> debug1: Offering public key: ecdsa-sha2-nistp256 ECDSA SHA256:XXX agent

> The targets that I have available are OpenWrt 21.02.1 running Dropbear
> v2020.81 and 22.03.0 running Dropbear v2022.82.

Ah, OpenWRT doesn't include ecdsa support (for size
reasons) - only remembered that now. You'll have to use rsa
or ed25519 instead if possible.

It's possible to rebuild their package with the DROPBEAR_ECC
openwrt config option.

Cheers,
Matt