@purp
Last active January 28, 2024 20:21
Adding SSH keys to Ubiquiti EdgeRouter X / EdgeOS

Adding SSH keys to EdgeOS-based devices like Ubiquiti Edge Router X

Maybe, like me, you're tired of typing a password and prefer to disable password auth for ssh anyway. Maybe, like me, you want to point VS Code at your Edge Router and be able to read configs and things. Maybe, like me, you'll discover that VS Code's Remote-SSH extension doesn't support the ERX architecture and be mildly bummed, but still happy to have passwordless SSH (via ssh-agent) and know that no password will get some rando into your ERX.

Here's how.

Cribbed from the VyOS Login/User Management docs

Configuring SSH for less typing

Add this to your local ~/.ssh/config to make your life easier:

Host erx
  HostName YOUR_EDGE_ROUTER_X_IP
  User YOUR_ERX_ADMIN_USERNAME

Adding keys

Now let's add your ssh public key:

> cat ~/.ssh/id_*pub
ssh-ed25519 PURRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR kitten
# Pick your fave key
> ssh erx
Enter password: # for the very last time!
foobie@ubnt:~$ configure
[edit]
foobie@ubnt# set system login user foobie authentication public-keys kitten type ssh-ed25519
[edit]
foobie@ubnt# set system login user foobie authentication public-keys kitten key PURRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
[edit]
foobie@ubnt# commit
[edit]
foobie@ubnt# save
Saving configuration to '/config/config.boot'...
Done
[edit]
foobie@ubnt# cat .ssh/authorized_keys
# Automatically generated by Vyatta configuration
# Do not edit, all changes will be lost
ssh-ed25519 PURRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR kitten
[edit]
foobie@ubnt# exit
exit
foobie@ubnt:~$ exit
logout
> ssh erx
foobie@ubnt:~$ # SUCCESS!

Disabling password-based ssh.

Cribbed from the VyOS ssh docs.

Note: you should be sure you have a backup of the config with password auth enabled before doing this, else it's a full factory reset if you lose all the keys that let you log in.

> ssh erx
# No password to type ... feels so good!
foobie@ubnt:~$ configure
[edit]
foobie@ubnt# show service ssh
 port 22
 protocol-version v2
[edit]
foobie@ubnt# set service ssh disable-password-authentication
[edit]
foobie@ubnt# show service ssh
 disable-password-authentication
 port 22
 protocol-version v2
[edit]
foobie@ubnt# commit
[edit]
foobie@ubnt# save
Saving configuration to '/config/config.boot'...
Done
[edit]
foobie@ubnt# exit
exit
foobie@ubnt:~$ exit
logout

I recommend you test that this is properly denying password logins by trying to log in as your admin user from an account with no known/authorized ssh key.
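
One way to run that test without a second account, as an added example that is not part of the original gist: ask the server which authentication methods it still offers and check that no password-style method is among them. The function names are made up for this example, the `ssh -v` sample lines are constructed, and treating `keyboard-interactive` as a password-style method is an assumption about what you want refused.

```shell
#!/bin/sh
# Added example (not from the gist): confirm the router stopped offering password logins.

# Constructed samples of the `ssh -v` line listing what the server will accept.
SAMPLE_BEFORE='debug1: Authentications that can continue: publickey,password'
SAMPLE_AFTER='debug1: Authentications that can continue: publickey'

# Read `ssh -v` output on stdin; print the offered methods, one per line, de-duplicated.
# OpenSSH ends its stderr debug lines with CRLF, so strip the CR before matching.
offered_methods() {
  tr -d '\r' \
    | sed -n 's/^debug1: Authentications that can continue: //p' \
    | tr ',' '\n' | sort -u
}

# Read `ssh -v` output on stdin.
# Returns 0: no password-style method offered; 1: still offered; 2: no method list seen.
password_auth_disabled() {
  methods=$(offered_methods)
  [ -n "$methods" ] || return 2
  if printf '%s\n' "$methods" | grep -qxE 'password|keyboard-interactive'; then
    return 1
  fi
  return 0
}

# Live probe: offer no key and no password, only ask which methods are accepted.
# "$1" is a Host alias such as the `erx` entry configured earlier.
probe_host() {
  ssh -v -o BatchMode=yes -o PubkeyAuthentication=no \
      -o PreferredAuthentications=none -o ConnectTimeout=5 "$1" true 2>&1 \
    | password_auth_disabled
}

# Offline demo on the constructed samples.
for s in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
  if printf '%s\n' "$s" | password_auth_disabled; then
    echo "password logins refused"
  else
    echo "password logins still offered (or inconclusive)"
  fi
done
```

Run `probe_host erx; echo $?` before and after the `commit`: the exit status should change from 1 to 0, and a status of 2 means the connection never got far enough to list methods.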


illuzn commented Dec 19, 2023

Unfortunately, for me (EdgeRouter 12 Firmware v2.0.9-hotfix.7) it does not let me create a new user without a password (explicitly with the warning user must have password set).

However, I am able to set an authentication certificate for ssh login and disable password authentication for ssh (so still time saved). GUI login is still enabled and via password authentication.
