Can't login via SSH after upgrading from stock firmware

ChristopherLi

Help! I've taken the AsusWRT-Merlin plunge and everything seems to have gone fine.

I can login to the web interface using my username and password but can't login via SSH with the same credentials! I have tried disabling and re-enabling the SSH in settings but that didn't work.

I'm not sure what else to do. If anybody can give some insight or suggestions, I would really appreciate it.

Thanks
 
It seems that AsusWRT-Merlin can't handle 17 character passwords. I'm wondering who I would contact to fix this bug? Thanks
 
It seems that AsusWRT-Merlin can't handle 17 character passwords. I'm wondering who I would contact to fix this bug? Thanks

Asus.

(Not this forum).
 
It seems that AsusWRT-Merlin can't handle 17 character passwords. I'm wondering who I would contact to fix this bug? Thanks

1. Not that it appears to be relevant, but you didn't say whether you carried out a restore to factory default settings after flashing with Merlin.

2. Your username for ssh is the same username that you use for logging in to the webui, whatever that might be - default "admin" or otherwise if you changed it, as you should.

3. If the 16-character limit is by design (and I'm sure it is) then it can't, by definition, be called a bug.

4. Good practice dictates you use public key infrastructure (PKI) keys to secure your ssh connection and then use a passphrase as well. In fact I just checked: I'm using a 20-character passphrase on top of my ssh PKI keys.
 
It seems that AsusWRT-Merlin can't handle 17 character passwords. I'm wondering who I would contact to fix this bug? Thanks

Password length limitations are the same in both Asus's and my firmware. I've been reluctant to increase it for specifically the reason you mention (it would create chaos if someone were to revert back to the stock FW).
 
Incorrect. I had no problem with 17 character passwords with the original Asus firmware.

The web interface can handle long passwords but as soon as I change it to anything over 16 characters, I can't login to SSH. That is clearly a bug.
 
Incorrect. I had no problem with 17 character passwords with the original Asus firmware.

The web interface can handle long passwords but as soon as I change it to anything over 16 characters, I can't login to SSH. That is clearly a bug.

This is taken from Asus's 3.0.0.4.380_1354 source code:

Code:
<input type="password" autocomplete="off" name="http_passwd2" tabindex="2" onKeyPress="return validator.isString(this, event);" onkeyup="chkPass(this.value, 'http_passwd');" onpaste="setTimeout('paste_password();', 10)" class="input_18_table" maxlength="16" onBlur="clean_scorebar(this);" autocorrect="off" autocapitalize="off"/>

They limit the password length to 16 characters on the webui as seen there. If you had a longer password, it means you either set it a long time ago (before Asus limited it), or you didn't set it through the web interface, in which case there's no guarantee that this password won't cause buffer overruns elsewhere in the code. The whole code path would need to be analyzed to ensure that the password doesn't get truncated along the way by any buffer that's only 17 bytes long.
 
It seems that AsusWRT-Merlin can't handle 17 character passwords.

A few weeks ago I had a problem logging in via SSH using PuTTY from inside the LAN. (PuTTY 0.66, RT-AC66U, Merlin 378.56_2)

The problem resolved itself when I chose a password of 16 characters or less.

What I also found was that non-alphanumeric characters must be stored somewhere in format %AB, so for every non-alphanumeric character in my password, the maximum length was reduced by 2.

The dollar sign $ also seemed to be special and caused problems which went away when I avoided it in the password.

HTH PolarBear
 
Sorry for the Necro-Bump here, and sorry if this is explained elsewhere, but Google led me directly to this thread, and since I assume it will lead others here, this seemed like valuable information to add.

This may just be a bug in the core Asus webui, or it could be in Merlin. Not sure, but I have seen it suggested this behaves identically in native Asus, in which case this is a core firmware bug / "feature". If anyone would be able to point me how I could file a bug report with Asus, that would be a good idea.

Here is what happens. When I "set" a password of a length longer than 16 in the WebUI, it doesn't throw any errors, it doesn't display any messages. It happily allows me to enter a password at any length I wish. What it does, is it truncates the password to 16 Characters, without even telling the user. Then, it does the same thing when logging in via the WebUI, it will truncate the input invisibly to 16 characters, even though it shows all the characters typed.

The end result is that you *think* your password is more than 16 characters, but the firmware has in the background been treating all passwords input as no more than 16 characters without any user feedback. So therefore, when you try and log into ssh with your full password, you get a password error. Only typing the first 16 characters of the password will result in ssh logging in successfully.

This seems like horrible behavior overall. Even setting aside password limits being a Bad Thing (TM), not at the very least giving a user feedback that half of their password is being ignored creates a really bad user experience (and false perception of secure passwords, since the online page still calculates its "strength" based off of the full input password, and not the actual 16 characters used). At the very least, if the limit is 16, the input fields should all be limited to 16, and/or throw errors when more than 16 characters are input.
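
The mismatch described in the posts above, as an added C model (not code from Asus or Asuswrt-Merlin): one path truncates to the 17-byte buffer, another compares the full input, and a stricter setter rejects instead of truncating. All function names are hypothetical, the sample password is constructed, and the `%XX` storage cost is an assumption taken from the observation reported earlier in the thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX 16                    /* limit discussed in the thread */
static char stored[PW_MAX + 1];      /* 17 bytes: 16 characters + NUL */

/* Copy at most PW_MAX bytes and drop the rest without any error. */
static void copy_trunc(char *dst, const char *src) {
    size_t n = strlen(src);
    if (n > PW_MAX) n = PW_MAX;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Hypothetical setter that truncates silently. */
void set_password_truncating(const char *pw) { copy_trunc(stored, pw); }
/* Assumed storage cost: each non-alphanumeric byte becomes %XX (3 bytes). */
size_t encoded_len(const char *pw) {
    size_t n = 0;
    for (; *pw; pw++) n += isalnum((unsigned char)*pw) ? 1 : 3;
    return n;
}

/* Hypothetical hardened setter: reject what does not fit, change nothing. */
int set_password_strict(const char *pw) {
    if (encoded_len(pw) > PW_MAX) return -1;
    copy_trunc(stored, pw);
    return 0;
}

/* Login path that truncates its input the same way the setter did. */
int login_truncating(const char *input) {
    char buf[PW_MAX + 1];
    copy_trunc(buf, input);
    return strcmp(buf, stored) == 0;
}

/* Login path that compares the whole input (the SSH symptom reported). */
int login_exact(const char *input) { return strcmp(input, stored) == 0; }
int main(void) {
    const char *pw = "CorrectHorse12345";  /* constructed sample, 17 chars */
    set_password_truncating(pw);
    printf("truncating login, full password: %d\n", login_truncating(pw));
    printf("exact login, full password:      %d\n", login_exact(pw));
    printf("exact login, first 16 chars:     %d\n", login_exact("CorrectHorse1234"));
    printf("strict setter, full password:    %d\n", set_password_strict(pw));
    return 0;
}
```

The plaintext `strcmp` only keeps the model small; the point is that a setter and every login path must agree on length handling, and that rejection is the only behaviour the user can see.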
 
All correct but probably will be ignored, only Asus could fix it, but there are always more important issues.
 
Here is what happens. When I "set" a password of a length longer than 16 in the WebUI, it doesn't throw any errors, it doesn't display any messages. It happily allows me to enter a password at any length I wish. What it does, is it truncates the password to 16 Characters, without even telling the user. Then, it does the same thing when logging in via the WebUI, it will truncate the input invisibly to 16 characters, even though it shows all the characters typed.

This was recently improved by Asus. They made the field accept 17 chars instead of 16, and throw out a warning if you try to save a 17 chars long password.
 
This was recently improved by Asus. They made the field accept 17 chars instead of 16, and throw out a warning if you try to save a 17 chars long password.

Thanks for the info - has this been merged into Merlin yet or is it for a future update?

Thanks for all you do on the custom firmware!
 
Thanks for the info - has this been merged into Merlin yet or is it for a future update?

Thanks for all you do on the custom firmware!

I don't remember when this was introduced.
 
I don't remember when this was introduced.
Hi,

I just checked this again, and it looks like they must have changed yet again. The field only accepts 16 characters, but it doesn't give any indication that it is not accepting additional characters. I went to change my password, and it basically just stops typing at 16 characters without any visible / notification that it's "max".

Not on you, obviously, but this is still not very user friendly on Asus' part. They should give a popup or something if you keep trying to type after 16 characters. Depending on the browser, it's not easy to notice it's no longer accepting additional input.
 
Hi,

I just checked this again, and it looks like they must have changed yet again. The field only accepts 16 characters, but it doesn't give any indication that it is not accepting additional characters. I went to change my password, and it basically just stops typing at 16 characters without any visible / notification that it's "max".

Not on you, obviously, but this is still not very user friendly on Asus' part. They should give a popup or something if you keep trying to type after 16 characters. Depending on the browser, it's not easy to notice it's no longer accepting additional input.

Even worse, if you copy and paste your password longer than 16 chars, then you have no clue whatsoever, that it's truncated.

I actually think Asus should allow a much stronger password, a 16 character password can easily be 'brute force' attacked, if you allow internet access to the Webui.
 
Even worse, if you copy and paste your password longer than 16 chars, then you have no clue whatsoever, that it's truncated.

As I wrote above, that is no longer true.


They started implementing protection against that a few months ago (it might not be implemented on all models yet).
 
As I wrote above, that is no longer true.

They started implementing protection against that a few months ago (it might not be implemented on all models yet).

Depending on Stock firmware vs. AsusWRT/RMerlin - the guidance for 16 char limits is still valid - I'd rather see limits on the short end, making something like 8 or more...
 
Depending on Stock firmware vs. AsusWRT/RMerlin - the guidance for 16 char limits is still valid - I'd rather see limits on the short end, making something like 8 or more...

The issue here was people writing a password that was too long for the form, and unknowingly setting a different, truncated password than what they had in mind, leaving them locked out of their own router. What Asus did was to accept one more character than allowed, and display a warning if you try to save that 17 character password instead of the allowed 16 character max one.
 
The issue here was people writing a password that was too long for the form, and unknowingly setting a different, truncated password than what they had in mind, leaving them locked out of their own router. What Asus did was to accept one more character than allowed, and display a warning if you try to save that 17 character password instead of the allowed 16 character max one.

Could you imagine the nuts of something like this? (note, I didn't write this)

required pattern="(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}"
Password checking is a PITA...
 