Just noticed on a couple of routers running v5.0rc5 that once an SSH key is imported for the user admin, you can no longer SSH into the router via admin and authenticate via password. I can SSH in via key authentication without an issue. If I remove the SSH keys, I can once again login via username and password.

Bugs?

Eric

No, that's a 'feature'.

Seriously this has changed in v5? We import ssh keys for our backend systems to be able to automate certain tasks but if I have a tech in the field, I'd like them to be able to login via username/password directly as well.

Can this behavior be changed? I assume not...

Eric

this was introduced as a security measure to not to allow week protection if something more "potent" is available at hand.

In this case certificate/key always beats password.

As a good solution i can suggest you to use user-manager (or any other RADIUS server) and set router authentication to be done by RADIUS. That way, you set up in your RADIUS - what router what user can log in and username will be available on all the routers.

We have ssh firewalled off to anything but our management IP's so for us, this really isn't necessary. Is there any consideration for making this an option vs an all or nothing approach?

Eric

we use something like this:

normal user:
admin

ssh cert user:
admin-cert

just use a different login for the cert user. its good practice anyhow.

I understand but I have 100's of devices already programmed the "old way."

You can create a new login for your techs and leave the automated one alone.

that is why i suggested to use RADIUS path - set all devices to use radius, and then create users there. Local users on the router will still work.