Tag Archives: SSH

Adding a ED25519 SSH key to an ubiquiti edgemax router

Contrary to what I thought¹, it is possible to use an elliptic curve-based public SSH key on a Edgemax router, runnning a (recent?) EdgeOS.

Connect to the router over SSH and issue the following, to add your key to EdgeOS’s (/Vyatta’s) configuration:

configure
set system login user $your_router_user authentication public-keys user@host key "KEY-BODY-HERE"
set system login user $your_router_user authentication public-keys user@host type ssh-ed25519
commit
save

A few things to note:

  • user@host is whatever you want, it’s just the way one describes the key (technically, the config tree entry)
  • you’ll probably want to use YourUser@YourHost, YourHost as in: the host you are connecting from. That’s what is normally generated by OpenSSH as a comment at the end of public keys but…
  • …EdgeOS doesn’t understand any comment at the end of public SSH keyfiles. Even if they are a standard feature of OpenSSH keys.
  • In fact, it doesn’t recognise anything before the key itself either, so the usual ssh-rsa or ssh-ed25519 at the beginning of a keyfile make it choke.
  • So you must put nothing but the key body, in between quotes, when setting the config value system login user $your_router_user key
  • Finally, as you have probably guessed from the previous bullet points, setting the system login user $your_router_user type to ed_25519 is you tell EdgeOS what kind of key this is. Yes, this is the part that is at the beginning of a normal SSH keyfile.

This also explains why one hits the following error, when trying to paste when pasting the whole keyfile in the set system login etc. command.

Invalid public key character not base-64

Unfortunately, I was hoping that would explain why the loadkey command doesn’t accept the key from the keyfile, but… no. Even if you strip your public key file of the opening key type declaration (such as ssh-ed25519) and the ending comment (such as axel@master-switch), loadkey still complains and I get a:

Not a valid key file format (see man sshd) at /opt/vyatta/sbin/vyatta-load-user-key.pl line 96, <$in> line 1

Oh well.

  1. It’s not like EdgeOS’s public SSH key management is super user friendly.