I have a CCR which my automatic backup user has stopped being able to ssh into.
The router sends syslog to a fairly local server; there's nothing in the log to show a problem before the
system,error,critical login failure for user .... via ssh
started appearing every half hour or so, exactly as I'd expect (the usual stuff like interface drops on occasion but nothing out of the ordinary)
SSHing to the same IP, from a p2p link gives me a new host key every single time
debug1: Server host key: ssh-rsa SHA256:J3n2Q9fLXyhmg9mkAfuWsQL/hPN9LJaRmK9VBuRXKlI
debug1: Server host key: ssh-rsa SHA256:ZRY+Bzp+VAzJogCvqekUflK7rzjQ5T2OOh6yP9Sa74E
debug1: Server host key: ssh-rsa SHA256:Lq2zsQj52W4XJbyNhwTTXXk10o9WcSMXMj1l6PJmRJY
debug1: Server host key: ssh-rsa SHA256:uiiQvqGU13KiDOqD+oxtNNZzea3qOeRPFIw/y8os7kk
If I bust through the intercept, my ssh client key for my own user doesn't work, but logging in as admin does -- with no password (there was one set before)
The only difference between my last backup (export terse) and the current config is that the specific backup group I created,
/user group add name=backup policy=ssh,read,sensitive,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!api,!romon,!dude,!tikapp
is missing.
/user print only shows the users.
The only incoming traffic I allow from the internet is SSTP and ICMP (as well as established/related stuff that's natted)
The router hasn't been rebooted since Dec 31st when we moved it from one bay to another - but I was sshing in well after that (indeed I changed the packet capture config on Jan 19th)
Current version is
board-name: CCR1036-12G-4S
version: 6.47.1 (stable)
firmware-type: tilegx
factory-firmware: 3.41
current-firmware: 6.47.1
upgrade-firmware: 6.47.1
And CPU is fine
cpu-load: 4%
No dropped packets -- I run a continuous ping 24/7, and haven't had a single drop since it booted at 16:02:29 GMT on the 31st.
Now it feels like this is a bug, and an upgrade of software and firmware will make things right, but I'm concerned there may be something security related going on. There's no unusual traffic on any ports, nor any signs of it on traffic graphs.
Has anyone else seen this problem before?
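As an added check (example code, not part of the original post or of RouterOS), the script below turns the "debug1: Server host key:" lines from `ssh -v` into a verdict: how many distinct fingerprints the peer presented across connections, whether the key is stable, and whether it matches a fingerprint pinned from a trusted backup or from the router's own `/ip ssh print`. The sample debug lines are the four from the post; the pinned fingerprint used in the usage section is a constructed placeholder, not a real key.

```python
"""Assess SSH host-key consistency from OpenSSH `ssh -v` debug output.

Added example, not from the forum post. A host that presents a different
key on every connection is either regenerating its key each time or is
not the host the client thinks it is; either way, a pinned fingerprint
plus an alert on mismatch is the check a backup job should run before
authenticating.
"""
import re
from typing import Dict, List, Optional, Tuple

# Matches lines such as:
#   debug1: Server host key: ssh-rsa SHA256:J3n2Q9fLXyhmg9mkAfuWsQL/hPN9LJaRmK9VBuRXKlI
HOST_KEY_RE = re.compile(
    r"debug1: Server host key: (?P<type>\S+) (?P<fp>SHA256:[A-Za-z0-9+/=]+)"
)

# Sample input copied from the post (four separate ssh -v attempts).
SAMPLE_DEBUG = """\
debug1: Server host key: ssh-rsa SHA256:J3n2Q9fLXyhmg9mkAfuWsQL/hPN9LJaRmK9VBuRXKlI
debug1: Server host key: ssh-rsa SHA256:ZRY+Bzp+VAzJogCvqekUflK7rzjQ5T2OOh6yP9Sa74E
debug1: Server host key: ssh-rsa SHA256:Lq2zsQj52W4XJbyNhwTTXXk10o9WcSMXMj1l6PJmRJY
debug1: Server host key: ssh-rsa SHA256:uiiQvqGU13KiDOqD+oxtNNZzea3qOeRPFIw/y8os7kk
"""


def parse_host_keys(debug_output: str) -> List[Tuple[str, str]]:
    """Return (key type, fingerprint) pairs in the order they appeared."""
    keys = []
    for line in debug_output.splitlines():
        m = HOST_KEY_RE.search(line)
        if m:
            keys.append((m.group("type"), m.group("fp")))
    return keys


def assess_host_keys(debug_output: str, pinned: Optional[str] = None) -> Dict[str, object]:
    """Summarise key stability and, if a pinned fingerprint is given, whether
    every presented key equals it."""
    keys = parse_host_keys(debug_output)
    distinct = sorted({fp for _, fp in keys})
    return {
        "connections": len(keys),
        "distinct_keys": len(distinct),
        "stable": len(distinct) <= 1,
        # None when no pin was supplied; otherwise True only if all keys match it
        "matches_pinned": None if pinned is None else (distinct == [pinned]),
        "fingerprints": distinct,
    }


def should_block_backup(debug_output: str, pinned: str) -> bool:
    """Decision a backup job can make: refuse to authenticate unless the
    host presented exactly the pinned key on every connection."""
    verdict = assess_host_keys(debug_output, pinned)
    return not (verdict["stable"] and verdict["matches_pinned"])


if __name__ == "__main__":
    # Constructed placeholder pin; replace with the fingerprint from a trusted source.
    PINNED = "SHA256:PLACEHOLDER_PINNED_FINGERPRINT"
    v = assess_host_keys(SAMPLE_DEBUG, PINNED)
    print(f"{v['connections']} connections, {v['distinct_keys']} distinct host keys")
    print("stable:", v["stable"], "matches pin:", v["matches_pinned"])
    print("block backup:", should_block_backup(SAMPLE_DEBUG, PINNED))
```

Feed it the stderr of `ssh -v user@router true` collected from a few attempts; a result of `stable: False` or `matches pin: False` is the signal to hold the backup and investigate rather than accept the new key.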