OpenWRT: old SSH version

From OnnoWiki
Revision as of 20:08, 25 January 2026 by Onnowpurbo (talk | contribs)
```bash
ssh -oHostKeyAlgorithms=+ssh-rsa root@192.168.0.4
```

This is the **classic "modern SSH vs. old OpenWRT" error** 👍 It is not a network fault: **the cryptographic algorithms do not match**.

---

## 🔍 Root Cause

Error message:

```text
Unable to negotiate with 192.168.1.1 port 22: no matching host key type found. Their offer: ssh-rsa
```

Meaning:

  • **OpenWRT** only offers the old *host key* type: **`ssh-rsa`**
  • **Modern OpenSSH (Ubuntu 22.04 / 24.04)** **rejects `ssh-rsa`** because:
    * its signatures use SHA-1, which is considered **insecure**
    * it is disabled *by default* since OpenSSH 8.8+

👉 So the **SSH client is refusing the handshake**; the server is not down.

---

## ✅ Solution 1 (Fastest, and Safe Enough in Practice)

Enable `ssh-rsa` **for that one host only**:

```bash
ssh -o HostKeyAlgorithms=+ssh-rsa \
    -o PubkeyAcceptedAlgorithms=+ssh-rsa \
    root@192.168.1.1
```

✔ Suitable for:

  • Labs
  • Old OpenWRT builds
  • Emergency access

---

## ✅ Solution 2 (Cleaner, Recommended for the Lab)

Add a host-specific entry to `~/.ssh/config`:

```bash
nano ~/.ssh/config
```

Contents:

```ini
Host openwrt
    HostName 192.168.1.1
    User root
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
```

Then logging in is simply:

```bash
ssh openwrt
```

✔ Safe because it **applies only to that OpenWRT host**
✔ Does not weaken security globally

---

## ⚠️ Solution 3 (Not Recommended: Global)

Edit `/etc/ssh/ssh_config`:

```bash
sudo nano /etc/ssh/ssh_config
```

Add:

```ini
Host *
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
```

❌ **Not recommended**

  • Weakens security for every SSH connection
  • Violates security best practice
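
As an added example (not part of the original page), here is a small POSIX shell helper that ties Solutions 1 to 3 together: it reads the algorithm list from the client's `Their offer:` line, builds the per-invocation `-o` options of Solution 1 for exactly the legacy algorithm the server offered, writes a scoped `Host` stanza in the style of Solution 2, and checks a config file for the global `Host *` exception that Solution 3 warns against. The function names, the sample error line and the config file used in the demonstration are constructed for this example.

```shell
#!/bin/sh
# Added example: scope a legacy-algorithm exception to one host instead of
# enabling ssh-rsa globally. Not code from the original page.

# Constructed sample: the message a modern OpenSSH client prints against an
# old OpenWRT host that only offers ssh-rsa.
SAMPLE_ERROR='Unable to negotiate with 192.168.1.1 port 22: no matching host key type found. Their offer: ssh-rsa'

# Print the algorithms after "Their offer:" as a space-separated list.
offered_algos() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p' | tr ',' ' '
}

# Build the minimal "-o" options (Solution 1): only the legacy algorithms the
# server actually offered are re-enabled, and only for this invocation.
legacy_ssh_opts() {
    opts=""
    for a in $(offered_algos "$1"); do
        case "$a" in
            ssh-rsa|ssh-dss)
                opts="$opts -o HostKeyAlgorithms=+$a -o PubkeyAcceptedAlgorithms=+$a"
                ;;
        esac
    done
    printf '%s\n' "${opts# }"
}

# Append a scoped Host stanza (Solution 2) so the exception is bound to one
# alias. Args: config file, alias, hostname, user, error message.
write_host_stanza() {
    cfg="$1"; name="$2"; host="$3"; user="$4"; err="$5"
    {
        printf 'Host %s\n' "$name"
        printf '    HostName %s\n' "$host"
        printf '    User %s\n' "$user"
        for a in $(offered_algos "$err"); do
            printf '    HostKeyAlgorithms +%s\n' "$a"
            printf '    PubkeyAcceptedAlgorithms +%s\n' "$a"
        done
    } >> "$cfg"
}

# Exit 0 if a config file re-enables ssh-rsa under a wildcard "Host *" block
# (the Solution 3 anti-pattern), 1 otherwise.
has_global_ssh_rsa() {
    awk '
        /^[Hh]ost[ \t]/ { inglobal = ($2 == "*") }
        inglobal && /HostKeyAlgorithms[ \t]+[+]ssh-rsa/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Demonstration on the constructed message.
echo "Legacy options for this host: $(legacy_ssh_opts "$SAMPLE_ERROR")"
```

`has_global_ssh_rsa /etc/ssh/ssh_config` is a quick audit step after troubleshooting: the scoped stanza from `write_host_stanza` never trips it, while the global edit from Solution 3 does.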

---

## ⭐ BEST Solution (If You Can Update OpenWRT)

If the OpenWRT version is recent enough (≥ 22.x):

### 1️⃣ Install a modern host key

```bash
opkg update
opkg install openssh-keygen
```

### 2️⃣ Generate new keys

```bash
ssh-keygen -A
```

Make sure these exist:

  • `ssh-ed25519`
  • `ecdsa-sha2-nistp256`

### 3️⃣ Restart SSH

```bash
/etc/init.d/sshd restart
```

✔ After that, **SSH works without extra options**
✔ Most secure and future-proof

---

## 🧠 Quick Summary

| Condition | Solution |
| -------------- | --------------------------------------- |
| Need it fast | `ssh -o HostKeyAlgorithms=+ssh-rsa ...` |
| Lab / teaching | `~/.ssh/config` (recommended) |
| Production | **Upgrade OpenWRT + regenerate keys** |
| Do not do this | Enable ssh-rsa globally |

---

## 📌 Important Note (Operating-System Context)

> **This is a real example of OS security evolution**
> The kernel and userland may both be Linux, but:
>
> * **crypto policy changes**
> * **security defaults get stricter**
> * the old OS keeps running, but it has to be *bridged*

This is **prime material** for:

  • *Kernel vs userland*
  • *Backward compatibility*
  • *Security hardening*

If you like, I can:

  • Turn this into a **case study in the OpenWRT / Networking Stack module**
  • Create a **modern SSH troubleshooting lab exercise**
  • Add a **diagram of the old vs. new SSH handshake**

Just say the word 😉