Difference between revisions of "OpenWRT: ssh versi lama"
Latest revision as of 20:08, 25 January 2026
```bash
ssh -oHostKeyAlgorithms=+ssh-rsa root@192.168.0.4
```

This is the **classic error of a modern SSH client against an old OpenWRT** 👍
It is not a network problem: **the cryptographic algorithms do not match**.

---

## 🔍 Root Cause

Error message:

```
Unable to negotiate with 192.168.1.1 port 22:
no matching host key type found.
Their offer: ssh-rsa
```

Meaning:

* **OpenWRT** only offers the legacy *host key* algorithm **`ssh-rsa`** (RSA signatures over SHA-1)
* **Modern OpenSSH (Ubuntu 22.04 / 24.04)** **rejects `ssh-rsa`** because:

  * SHA-1 is considered **insecure**
  * it has been disabled *by default* since OpenSSH 8.8+

👉 So the **SSH client refuses the handshake**; the server is not down.

---

## ✅ Solution 1 (Fastest & Practically Safe)

Enable `ssh-rsa` **for this one host only**:

```bash
ssh -o HostKeyAlgorithms=+ssh-rsa \
    -o PubkeyAcceptedAlgorithms=+ssh-rsa \
    root@192.168.1.1
```

✔ Suitable for:

* Lab
* Old OpenWRT
* Emergency access

---

## ✅ Solution 2 (Tidier, Recommended for Lab)

Add a host-specific entry in `~/.ssh/config`:

```bash
nano ~/.ssh/config
```

Contents:

```ini
Host openwrt
    HostName 192.168.1.1
    User root
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
```

Then log in with just:

```bash
ssh openwrt
```

✔ Safe because it **applies only to that OpenWRT host**
✔ Does not lower security globally

---

## ⚠️ Solution 3 (Not Recommended – Global)

Edit `/etc/ssh/ssh_config`:

```bash
sudo nano /etc/ssh/ssh_config
```

Add:

```ini
Host *
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
```

❌ **Not recommended**

* Weakens security for every SSH connection
* Violates security best practice
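As an added example (not code from the wiki page), a small POSIX shell helper that triages the "no matching host key type" error from the Root Cause section, emits the per-host stanza of Solution 2 only when the server offered nothing a modern client accepts, and audits a config file for the global `Host *` override of Solution 3. The sample error text and the list of modern host key algorithms are constructed assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the wiki page: parse the client's error, decide whether only legacy
# ssh-rsa was offered, print a per-host stanza, and audit a config for a global "Host *" override.

# Constructed sample of what a modern OpenSSH client prints against an old OpenWRT box.
SAMPLE_ERR='Unable to negotiate with 192.168.1.1 port 22:
no matching host key type found.
Their offer: ssh-rsa'

# Host key algorithms a modern client still accepts by default (assumed list for this example).
MODERN_HOSTKEY_ALGS="ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 rsa-sha2-512 rsa-sha2-256"

# offer_from_error MESSAGE -> the comma-separated list after "Their offer:"
offer_from_error() { printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p'; }

# host_from_error MESSAGE -> the peer address named in the first line
host_from_error() { printf '%s\n' "$1" | sed -n 's/^Unable to negotiate with \([^ ]*\) port.*/\1/p'; }

# needs_legacy_rsa OFFER -> exit 0 when nothing in the offer is on the modern list
needs_legacy_rsa() {
    for alg in $(printf '%s' "$1" | tr ',' ' '); do
        case " $MODERN_HOSTKEY_ALGS " in
            *" $alg "*) return 1 ;;   # server offers something modern: no override needed
        esac
    done
    return 0
}

# scoped_stanza ALIAS HOST -> a Host block that enables ssh-rsa for this one host only
scoped_stanza() {
    printf 'Host %s\n    HostName %s\n    User root\n' "$1" "$2"
    printf '    HostKeyAlgorithms +ssh-rsa\n    PubkeyAcceptedAlgorithms +ssh-rsa\n'
}

# global_rsa_enabled FILE -> exit 0 when a "Host *" block turns ssh-rsa on (the anti-pattern)
global_rsa_enabled() {
    awk 'tolower($1) == "host" { global = ($2 == "*") }
         global && tolower($1) ~ /^(hostkeyalgorithms|pubkeyacceptedalgorithms)$/ &&
             index($2, "ssh-rsa") && $2 !~ /^-/ { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Walk the constructed sample: only print the stanza when the offer was legacy-only.
offer=$(offer_from_error "$SAMPLE_ERR")
peer=$(host_from_error "$SAMPLE_ERR")
if needs_legacy_rsa "$offer"; then
    echo "# $peer offers only legacy host keys ($offer); add to ~/.ssh/config:"
    scoped_stanza openwrt "$peer"
fi
```

Run `global_rsa_enabled ~/.ssh/config` or `global_rsa_enabled /etc/ssh/ssh_config` to check whether a Solution 3 style override has crept in.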
---

## ⭐ BEST Solution (If You Can Update OpenWRT)

If the OpenWRT version is recent enough (≥ 22.x):

### 1️⃣ Install modern host key support

```bash
opkg update
opkg install openssh-keygen
```

### 2️⃣ Generate new keys

```bash
ssh-keygen -A
```

Make sure these exist:

* `ssh-ed25519`
* `ecdsa-sha2-nistp256`

### 3️⃣ Restart SSH

```bash
/etc/init.d/sshd restart
```

✔ After that, **SSH works without extra options**
✔ Most secure & future-proof

---

## 🧠 Quick Summary

| Situation | Solution |
| -------------- | --------------------------------------- |
| Need it fast | `ssh -o HostKeyAlgorithms=+ssh-rsa ...` |
| Lab / teaching | `~/.ssh/config` (recommended) |
| Production | **Upgrade OpenWRT + regenerate keys** |
| Never do this | Enable ssh-rsa globally |

---

## 📌 Important Note (Operating System Context)

> **This is a real example of OS security evolution**
> Kernel & userland may both be Linux, but:
>
> * **crypto policy changes**
> * **security defaults get stricter**
> * old OSes keep running → but they have to be *bridged*

This is **gold material** for:

* *Kernel vs userland*
* *Backward compatibility*
* *Security hardening*

If you like, I can:

* Turn this into a **case study in the OpenWRT / Networking Stack module**
* Build a **hands-on lab on troubleshooting modern SSH**
* Add a **diagram of the old vs new SSH handshake**

Just say the word 😉