Edgerouter X - SSH Auto Login

As on my other Linux systems, I prefer SSH for its security, and more so for its certificate-based authentication. It makes the whole CLI experience more enjoyable. I did it on my RT-AC56U, and it was the first thing I tried to figure out on the ER-X. Consider this a mini how-to.

EdgeOS CLI: a couple of tidbits in the picture we can talk about on another day

Unlike vanilla Linux systems or even the RT-AC56U, EdgeOS is wrapped in a thin layer of Vyatta CLI. My initial reaction was that it felt like having all my limbs tied up. Something straightforward for me becomes a bit convoluted in Vyatta. After a few days' use, that changed. The Vyatta CLI, which I was told is similar to Cisco's IOS and Juniper's Junos, grew on me. I like it better than MikroTik's CLI after the same first few hours of use. I am not saying one is better than the other; it is just personal preference/bias towards the Vyatta way. We can dig deeper into the Vyatta layer another time.

Set up SSH public key authentication

First, copy your public key file to the ER-X. I use:

themis:/ $ scp ~/.ssh/id_rsa.pub [email protected]:/home/ubnt  

id_rsa.pub is my public SSH key stored on my Mac. Next, enter configure mode and load the key for user "ubnt" on the ER-X:

[email protected]~$ configure  
[edit]
[email protected]~$ loadkey ubnt /home/ubnt/id_rsa.pub  
Done  
[edit]
[email protected]~$ commit  

To check that the public key is set properly for user ubnt:

[email protected]~$ show system login user ubnt
authentication {  
     encrypted-password $6$AW56Hgf3b0XLya.m$8iFAjFM5hb4s68R3ju4FDJuiLeuHyjwywyMx7zAuBJoEKAsjljwBFUiBSEKe/XCFynq2v0.D9srKiqtUsyddYC1
     public-keys [email protected] {
         key AAAAB3NzaC1yc2EAAAADAQABAAABAQCxd/Zl+HPj/FucEV2VqwNNyQMzoEEkooouPAlE16FND+Rityo/WA/gevaP2KwAO+f39zb0lFGQhLiPKS7we7a5VhA78rB0jYu22sKnwPZtqmhUHD+iP8MyGDjXWvQzGKFZgEPwCINmYlPco4wXYVU77Iy6HQpxzilyuP+8HqqQ+XFU/haUUFAslpJcjf79gEbwOmAuJ+kaEaQpyQCCn1bs0k/39EEx1rydg9PI/ya9htO1kJ0M4TNio60s98cR3w9JwJON95mYRPTnvqJ/IBoq3ejs0C3jRZoV58UTEN21XZK+9Xu+Rr/JoJE0E8Y80pFN52mpR7bhMvZ/j9LMl9vp
         type ssh-rsa
}

Looks good. We are still in configure mode, so let's save the config and exit configure mode.

[email protected]~$ save  
[email protected]~$ exit  

Now SSH auto login will persist across both reboots and firmware upgrades. Feel free to delete /home/ubnt/id_rsa.pub. It's no longer required.
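Before running loadkey, it is worth confirming that the file copied to the router is a well-formed public key and not the private half. The following is an added example, not from the original post or from EdgeOS: it splits an OpenSSH public key line into the type, key and identifier fields seen in the show output above and reports the RSA modulus size. The function names and the sample key are constructed for illustration.

```python
import base64
import struct


def _read_string(buf, off):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:end], end


def parse_pubkey_line(line):
    """Validate '<type> <base64> [comment]' and return its fields."""
    line = line.strip()
    if line.startswith("-----BEGIN"):
        raise ValueError("this looks like a private key or PEM file, not id_rsa.pub")
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # raises ValueError on bad input
    inner, off = _read_string(blob, 0)
    if inner.decode("ascii", "replace") != declared:
        raise ValueError("declared type does not match the type inside the blob")
    info = {"type": declared, "key": b64, "identifier": comment, "bits": None}
    if declared == "ssh-rsa":
        _exponent, off = _read_string(blob, off)
        modulus, off = _read_string(blob, off)
        info["bits"] = int.from_bytes(modulus, "big").bit_length()
    return info


def make_sample_line(bits=2048, comment="user@laptop"):
    """Constructed sample: a structurally valid ssh-rsa blob, not a usable key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    n = (1 << (bits - 1)) | 1
    n_bytes = b"\x00" + n.to_bytes(bits // 8, "big")  # leading 0 keeps the mpint positive
    blob = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(n_bytes)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    print(parse_pubkey_line(make_sample_line()))
```

To check a real key, pass the contents of the .pub file to parse_pubkey_line() on the workstation before copying it over.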

Author

Stephen Yip
