Remote ssh_RUT36X_R_00.07.04.3

jean-francois.sauzet · September 12, 2023, 10:27am

Hi,

I need to connect via SSH to a rut360 router.
I have configured access control and firewall :

System/Administration/Acess control
Enable SSH access : on
Remote SSH access : on
Port :22
Enable key-based authentication : off

Network/Firewall/Port Forwards
Firewall - Port Forwards - remote_22
Enable : on
Name : remote_2
Protocol : TCP
Source zone wan: wan/wan6/mob1s2a1/mob1s1a1
Source MAC address : any
Source IP address : any
Source port : any
External IP address : any
External port : 22
Internal zone lan: lan
Internal IP address : 10.112.14.1
Internal port : 22
Enable NAT Loopback : off
Extra arguments : -c

Network/Firewall/Traffic Rules
Firewall - Traffic Rules - SSH_22
Enable : on
Name : SSH_22
Restrict to address family : IPV4 and IPV6
Protocol : TCP
Source zone wan : wan/wan6/mob1s2a1/mob1s1a1
Source MAC address : any
Source IP address : any
Source port :
Destination zone : Device (input)
Destination address : 10.112.14.1
Destination port : 22
Action : Accept
Match :
Extra arguments :
Week Days :
Month Days :
Start Time (hh:mm:ss) :
Stop Time (hh:mm:ss) :
Start Date (yyyy-mm-dd) :
Stop Date (yyyy-mm-dd) :
Time in UTC : off

Port 22 is accessible, I have confirmation via msdos.
C:>telnet 188.xx.1xx.1xx 22
SSH-2.0-dropbear
¶ïÙ║w]@ìh∟ìúþ[ö▼òcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,
kexguess2@matt.ucc.asn.au4ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-256,ssh-rsa3chacha20-poly1305@openssh.com,aes128-ctr,
aes256-ctr3chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr↨hmac-sha1,hmac-sha2-256↨hmac-sha1,hmac-sha2-256♦none♦noneí║-³®}*O

However, with Putty I can’t connect using ssh.
Connecting to the web interface using another port works without a problem.

Any ideas?
Thanks

Daumantas · September 12, 2023, 10:52am

Hello,

Once the “Enable remote SSH access” option is enabled, no other rules need to be added. In your case, it seems like you have added a port forward, which will take priority over the rules generated by the router. Port forward is not the correct option to use, as it’s intended to forward the traffic to LAN, and not the device itself.
The only rule that should be present is this:

And it can be found in Network → Firewall → Traffic Rules. Make sure to delete the port forward before continuing testing.
A few more things:

Change the MTU of the mobile interface.
This can be done by navigating to Network → Interfaces → General, editing the mob1s1a1 interface, and in the Advanced settings tab, set the Override MTU option to 1420. Check if the issue is still present;
Make sure that known_hosts file does not contain the entry from RUT360 that was running an older firmware.
The reason is that the old RSA keys are no longer supported:

Let me know if any of these options help!

Best regards,

jean-francois.sauzet · September 12, 2023, 1:57pm

I modified the conf for the first points.
In putty, I still get the message :
“Server’s host key did not match the signature supplied”

I couldn’t check the known hosts file
where is it ?
How do I delete the old RSA keys?

Best regards

Daumantas · September 13, 2023, 5:45am

Hello,

PuTTY known_host files can be difficult to access, as it requires editing the registry. The list can be found by navigating to HKEY_CURRENT_USER\SoftWare\SimonTatham\PuTTY\SshHostKeys via the regedit.exe application (built-into Windows).

Best regards,