mkj/dropbear

Noob question: I want to change host key on my Remarkable 2 tablet

Closed this issue · 2 comments

I can connect from the default SSH client on my MX Linux computer to dropbear on my Remarkable 2 tablet.

I want to use rclone to manage file transfers between these two devices. rclone fails to connect to dropbear.

According to an issue on the rclone forum, this problem can be solved by changing dropbear's host key from ed25519 (the configuration on the Remarkable 2 tablet) to rsa.

The Remarkable 2 regenerates the host key every time dropbearkey.service is restarted, i.e. on every reboot. This is the relevant service file:

[Unit]
Description=SSH Host Key Generation
RequiresMountsFor=/var /var/lib
ConditionPathExists=!/etc/dropbear/dropbear_ed25519_host_key
ConditionPathExists=!/var/lib/dropbear/dropbear_ed25519_host_key
Wants=etc-dropbear.mount
After=etc-dropbear.mount

[Service]
Environment="DROPBEAR_ED25519KEY_DIR=/etc/dropbear"
EnvironmentFile=-/etc/default/dropbear
Type=oneshot
ExecStart=/bin/mkdir -p ${DROPBEAR_ED25519KEY_DIR}
ExecStart=/usr/sbin/dropbearkey -t ed25519 -f ${DROPBEAR_ED25519KEY_DIR}/dropbear_ed25519_host_key
RemainAfterExit=yes
Nice=10

Based on the output of dropbearkey -h, I assume that the most minimal change to get an RSA host key is to change this line of the service:

ExecStart=/usr/sbin/dropbearkey -t ed25519 -f ${DROPBEAR_ED25519KEY_DIR}/dropbear_ed25519_host_key

to:

ExecStart=/usr/sbin/dropbearkey -t rsa -f ${DROPBEAR_ED25519KEY_DIR}/dropbear_ed25519_host_key

Please would someone sanity-check this for me? I'm worried that if I mess up dropbear then I will lose the ability to connect via SSH to my tablet.

mkj commented

The problem is that that Dropbear version has a bug where it'll offer RSA even if there's no key available, and then crash. (The bug's fixed in a newer version.)

The first thing to try might be to add --sftp-host-key-algorithms ed25519 to rclone, that won't have any risk on the device itself. https://rclone.org/sftp/#sftp-host-key-algorithms

Otherwise, I think you should be able to just add one extra ExecStart line on the Remarkable to create the rsa key in the default location, and Dropbear will then use that. Keep the existing ExecStart ...dropbearkey -t ed25519 line, and after it add

ExecStart=/usr/sbin/dropbearkey -t rsa -f ${DROPBEAR_ED25519KEY_DIR}/dropbear_rsa_host_key

You could run that from a commandline to try.

Keep a couple of backup SSH windows open if you're editing things, then there's better chance for recovery if something goes wrong.
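As an added illustration (not code from the issue or from dropbear), the Python sketch below applies the extra ExecStart line to a trimmed copy of the unit file quoted above and evaluates its ConditionPathExists= lines the way systemd does (every condition must hold, a leading `!` negates). It makes the "run it from a command line" advice concrete: on a tablet that already has its ed25519 key, the conditions fail and the whole oneshot is skipped at boot, so the new line alone never generates the RSA key.

```python
import re  # used to pick apart the unit file's directives

# Trimmed copy of the dropbearkey.service quoted in the issue (constructed).
UNIT = """\
[Unit]
Description=SSH Host Key Generation
ConditionPathExists=!/etc/dropbear/dropbear_ed25519_host_key
ConditionPathExists=!/var/lib/dropbear/dropbear_ed25519_host_key

[Service]
Environment="DROPBEAR_ED25519KEY_DIR=/etc/dropbear"
Type=oneshot
ExecStart=/bin/mkdir -p ${DROPBEAR_ED25519KEY_DIR}
ExecStart=/usr/sbin/dropbearkey -t ed25519 -f ${DROPBEAR_ED25519KEY_DIR}/dropbear_ed25519_host_key
RemainAfterExit=yes
"""

# The extra line mkj proposes, inserted directly after the ed25519 line.
RSA_LINE = ("ExecStart=/usr/sbin/dropbearkey -t rsa "
            "-f ${DROPBEAR_ED25519KEY_DIR}/dropbear_rsa_host_key")

def add_rsa_execstart(unit):
    """Return the unit with the RSA ExecStart added after the ed25519 one (idempotent)."""
    if RSA_LINE in unit:
        return unit
    out = []
    for line in unit.splitlines():
        out.append(line)
        if line.startswith("ExecStart=") and " -t ed25519 " in line:
            out.append(RSA_LINE)
    return "\n".join(out) + "\n"

def conditions_pass(unit, existing_paths):
    """systemd semantics: every ConditionPathExists= must hold; a '!' prefix negates."""
    for neg, path in re.findall(r"^ConditionPathExists=(!?)(\S+)$", unit, re.M):
        if (path in existing_paths) == (neg == "!"):
            return False  # key present but absence demanded (or the reverse)
    return True

def keys_generated_on_boot(unit, existing_paths):
    """(type, path) of each host key the oneshot would write at the next boot."""
    if not conditions_pass(unit, existing_paths):
        return []  # systemd skips the whole unit, so the added line never runs
    env = dict(re.findall(r'^Environment="?(\w+)=([^"\n]+)"?$', unit, re.M))
    keys = []
    for ktype, path in re.findall(r"^ExecStart=\S*dropbearkey -t (\w+) -f (\S+)$", unit, re.M):
        keys.append((ktype, re.sub(r"\$\{(\w+)\}", lambda m: env.get(m.group(1), ""), path)))
    return keys
```

On an already provisioned tablet `keys_generated_on_boot` returns an empty list even after the edit, which is why the RSA key has to be created once by hand; on a fresh device both keys would be written.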

Thank you @mkj !

Adding --sftp-host-key-algorithms ssh-ed25519 to my rclone commands worked. I don't need to change anything on the tablet. What a relief! 😁