How to enable SSH auto login on Ubiquiti EdgeRouter X
SSH key authentication not only provides a more convenient way to log into your EdgeRouter X, but is also more secure because the private key replaces the need for a password and is thus typically more difficult to brute force.
The steps below show how to generate an SSH key, add it to the router, and then disable password authentication so that only the key pair can be used to log in.
How to set up SSH-based authentication on EdgeRouter X
Better secure your Ubiquiti EdgeRouter X using SSH login keys!
- Open PuTTYGen.exe and click on Generate to create the public and private key pair.
- Click on “Save public key” and name it edgerouter.pub, then click on “Save private key” and name it edgerouter-pri.ppk.
- Open PuTTY and log into your EdgeRouter X using your username and password and then type:
configure
- Create the public key file by typing:
vi edgerouter.pub
- Enter VI insert mode by pressing i and paste your public key from the PuTTYGen “public key for pasting into OpenSSH authorized_keys file” field. Then press ESC to leave insert mode and type ZZ (capital letters) to save and exit VI.
- Load your key file into your configuration by typing the following:
loadkey ACCOUNT_NAME edgerouter.pub
- Let's disable password authentication so that only the RSA key pair is allowed to log into the EdgeRouter by typing:
set service ssh disable-password-authentication
- Now let's commit and save our work.
Configure PuTTY to use the SSH key
- Open PuTTY and enter the host IP and port number as you normally would.
- Next, expand SSH, then click on Auth, click the Browse button, and enter the path of the edgerouter-pri.ppk file.
- When you click on “Open”, your SSH session will no longer ask for your password and will instead log in automatically using the SSH private key!
Re-enable password authentication on the EdgeRouter X
If for some reason you no longer want to use the SSH key and want to go back to using passwords to log in, you can do so very easily by following the below.
So following “exactly” as shown gets all muddied up at step “vi edgerouter.pub”. I am logged into my ERX via PuTTY successfully, BUT then it goes south….. Once I do that the PuTTY app will not “esc zz” or save. The console will not take any commands. WTF. Where is the mistyped info? Referring to your instructions. I am literally reproducing steps exactly. Not working, noWayJose
If I had a dollar for every time I heard someone couldn’t exit out of VI I would be a rich man. haha
If you’re pressing the ESC key and then typing “zz” then you’re doing it wrong. As it’s mentioned in the above post, it’s “ZZ” (take super special note of the CAPS). In VI, zz and ZZ do NOT mean the same. ;-)
-Michael
Hi Mike,
I’ve added the authentication method to my laptop and disabled username/login, now I can easily connect. However, if I wanted to access my router from another computer, it would require me to copy that secret key over to the new computer?
Lastly, if my laptop dies, how would I regain access to the router again? Would this require a physical connection into eth0 to regain control?
Thanks!
Bruce,
Yes, you need to store your private key in a secure location and I would highly suggest backing it up. I like to keep all my SSH keys in an encrypted container that gets backed up on my NAS and to Backblaze.
-Michael
10x much