LinuxQuestions.org
Old 02-15-2024, 01:51 AM   #1
kzo81
DropbearSSH with key authentication to OpenSSH server


Hi Folks,

I'd like to rsync over ssh with key authentication, however it always asks for the password. If it were only the first time, it would be OK, but whenever the automation script is invoked with systemd, a password prompt comes up in the background. It looks like the dropbear client doesn't use the host_key file.

This is how I created the key:
Code:
dropbearkey -t rsa -f /usr/bin/dropbear_rsa_host_key
This is how I extracted the public key:
Code:
dropbearkey -y -f /usr/bin/dropbear_rsa_host_key
Code:
Public key portion is:
ssh-rsa AAAAB3.......AAAAAAA root@G1_01
Fingerprint: sha1!! 5f:97:df:5a:c5:b7:8c:66:61:3e
And I copied the green part to the OpenSSH server's user's .ssh/authorized_keys file

Code:
rsync --remove-source-files -aze ssh -p $PORT -i /usr/bin/dropbear_rsa_host_key $SRC $USER@$IP:test
Could you please tell me what I am doing wrong? It was working for weeks, but I don't remember how I got it working; the bash history has been overwritten :-( I might have used dropbearconvert...

This is the output of systemd:
Code:
# systemctl status syncroniser.service
● syncroniser.service - Remote Syncroniser
   Loaded: loaded (/etc/systemd/system/syncroniser.service; enabled)
   Active: failed (Result: start-limit) since Thu 2024-02-15 14:06:30 CET; 11s ago
  Process: 289 ExecStart=/usr/bin/syncroniser (code=exited, status=203/EXEC)
 Main PID: 289 (code=exited, status=203/EXEC)


This is the script:
Code:
!#/bin/sh
set -x

MAC=$(ip a | grep ether | head -1 | awk '{print $2}' | sed 's/:/-/g')
CONFIG="/usr/bin/syncroniser.cfg"
KEY="/usr/bin/dropbear_rsa_host_key"
SRC="/media/sdmmc/mmcblk0p1/DATA/"
DST="$MAC"
FREQ=60

while true
    do
        if test -f "$CONFIG"; then
            . "$CONFIG"
        fi

        rsync --remove-source-files -azve "ssh -i $KEY -p $REMOTE_PORT" $SRC $REMOTE_USER@$REMOTE_IP:$DST

        sleep $FREQ

    done
This is the service file:
Code:
[Unit]
Description=Remote Syncroniser
After=network.target

[Service]
Type=simple
Restart=always
StandardOutput=append:/var/log/syncroniser.log
StandardError=append:/var/log/syncroniser_error.log
User=root
ExecStart=/usr/bin/syncroniser

[Install]
WantedBy=multi-user.target

If I run the script by hand it will prompt for a password; it seems that the keyfile is omitted...
Code:
ssh -p PORT -i /usr/bin/dropbear_rsa_host_key USER@IP
USER@IP's password:

Last edited by kzo81; 02-15-2024 at 08:17 AM.
 
Old 02-15-2024, 08:38 AM   #2
kzo81
In the meantime, I tried with the server that worked previously, and I got a new error message:

ssh: Connection to USER@IP:PORT exited:

ecdsa-sha2-nistp256 host key mismatch for IP !
Fingerprint is sha1!! 3f:b1:ff:c0:12:07:b4:52:6e:e2:10:8c:91:13:8a:fa:18:84:64:09
Expected
rsync: connection unexpectedly closed (0 bytes received so far) [sender]


If I remove the known_host file, it still asks for the password.

On the OpenSSH server there is an interesting message:
userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]


This might solve it:
# OpenSSH server /etc/ssh/sshd_config
PubkeyAcceptedAlgorithms +ssh-rsa

Last edited by kzo81; 02-15-2024 at 08:52 AM.
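
Before applying the sshd_config change suggested above, it helps to know whether `+ssh-rsa` ends up enabled for every account or only inside a `Match` block. The following is an added example, not part of the original posts; the account name `backup`, the address 192.0.2.10 and both sample configurations are constructed.

```shell
#!/bin/sh
# Added example: list where an sshd_config turns the SHA-1 based "ssh-rsa"
# signature algorithm back on, and for whom.

# Reads sshd_config text on stdin, prints "<scope>: line N" for every hit.
audit_ssh_rsa() {
    awk '
        BEGIN { scope = "global" }
        NF == 0 || $1 ~ /^#/ { next }                 # blank lines, comments
        tolower($1) == "match" {                      # start of a conditional block
            crit = $0
            sub(/^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]+/, "", crit)
            scope = (tolower(crit) == "all") ? "global" : "match " crit
            next
        }
        # PubkeyAcceptedKeyTypes is the name used before OpenSSH 8.5.
        tolower($1) == "pubkeyacceptedalgorithms" ||
        tolower($1) == "pubkeyacceptedkeytypes" {
            list = $2
            if (list ~ /^-/) next                     # "-" only removes algorithms
            sub(/^[+^]/, "", list)                    # "+" appends, "^" prepends
            n = split(list, alg, ",")
            for (i = 1; i <= n; i++)
                if (alg[i] == "ssh-rsa") { print scope ": line " NR; break }
        }
    '
}

# Constructed sample: the setting as posted, valid for every account.
WEAK_CFG='# constructed sample
PubkeyAcceptedAlgorithms +ssh-rsa'

# Constructed sample: the same setting limited to one account and source address.
SCOPED_CFG='# constructed sample
PubkeyAuthentication yes
Match User backup Address 192.0.2.10
    PubkeyAcceptedAlgorithms +ssh-rsa'

printf '%s\n' "$WEAK_CFG"   | audit_ssh_rsa
printf '%s\n' "$SCOPED_CFG" | audit_ssh_rsa
```

On a live server the same function can be fed the real file with `audit_ssh_rsa < /etc/ssh/sshd_config`.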
 
Old 02-15-2024, 12:06 PM   #3
michaelk
I would probably use cron or a systemd timer instead of using a systemd service file. You also might have problems if files are open while being copied.

ssh is the OpenSSH client and it appears you also have to convert the private key from dropbear format to openssh format using the dropbearconvert utility for ssh to use keys.

Quote:
rsync --remove-source-files -aze ssh -p $PORT -i /usr/bin/dropbear_rsa_host_key $SRC $USER@$IP:test
You probably just copy/pasted the wrong command but the above does not copy the public key to the authorized_keys file.
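
The format difference michaelk describes can be checked from the first bytes of the key file. This is an added example, not part of the original posts: it assumes Dropbear's RSA key file starts with the length-prefixed string `ssh-rsa`, and the sample files and the `.openssh` output name are constructed.

```shell
#!/bin/sh
# Added example: identify a private key file format from its first 11 bytes
# and print what the OpenSSH client needs before "ssh -i" can use the key.

key_format() {
    hex=$(od -An -tx1 -N 11 "$1" | tr -d ' \t\n')
    case $hex in
        # 00 00 00 07 "ssh-rsa": length-prefixed key type (assumed Dropbear RSA layout)
        000000077373682d727361) echo dropbear ;;
        # "-----BEGIN ": PEM armour used by OpenSSH private keys
        2d2d2d2d2d424547494e20) echo openssh ;;
        *) echo unknown ;;
    esac
}

suggest() {
    case $(key_format "$1") in
        dropbear) echo "dropbearconvert dropbear openssh $1 $1.openssh" ;;
        openssh)  echo "usable with ssh -i as is" ;;
        *)        echo "unrecognised key format" ;;
    esac
}

# Constructed samples: only the leading bytes of each format, no real key material.
tmp=$(mktemp -d)
printf '\000\000\000\007ssh-rsa\000\000\000\003' > "$tmp/db_key"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' > "$tmp/ossh_key"

for f in "$tmp/db_key" "$tmp/ossh_key"; do
    printf '%s: %s\n' "$f" "$(suggest "$f")"
done
```

Dropbear's own client, `dbclient`, reads the Dropbear format directly, so the conversion only matters when the `ssh` on the device is the OpenSSH client.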
 
  


All times are GMT -5.