EdgeRouter - SSH Recovery
Overview
Readers will learn how to use the IPv6 SSH Recovery feature to connect to an otherwise inaccessible EdgeRouter.
- Applicable to the v1.10.0+ and v2.0.0+ EdgeOS firmware versions on all EdgeRouter models.
Table of Contents
- Frequently Asked Questions (FAQ)
- The SSH Recovery Feature
- SSH Recovery using Another EdgeRouter
- SSH Recovery using a Windows Client
- SSH Recovery using a macOS Client
- Related Articles
Frequently Asked Questions (FAQ)
What is SSH Recovery?
The SSH Recovery feature provides emergency SSH access to an EdgeRouter from a directly connected device using IPv6 link-local addresses.
This eliminates the need for a console cable.
When should SSH Recovery be used?
The feature can be used to access the EdgeRouter via SSH if it is otherwise inaccessible due to misconfiguration or other system failures.
When is SSH Recovery accessible?
SSH Recovery is started during the boot process and stays active for a total of 60 seconds. Afterwards, the process is terminated and stops accepting new SSH connections (established sessions are kept alive). The default timer can be customized; see the section below.
Can SSH Recovery be accessed from the Internet or a remote IPv6 network?
No. The feature relies on IPv6 link-local addresses, which are not routable outside of the local network.
Do I need to provide user credentials to log in using SSH Recovery?
Yes, the EdgeRouter will prompt you to provide user credentials and does not allow unauthenticated users to access the device.
Which port and protocol is used by SSH Recovery?
The SSH Recovery feature listens on TCP port 60257 by default. The listen port can be customized; see the section below.
Can I customize or disable the SSH Recovery feature?
Yes, see the section below.
The SSH Recovery Feature
As mentioned in the FAQ above, the SSH Recovery feature can be used to access the EdgeRouter via SSH if it is otherwise inaccessible due to misconfiguration or other system failures. The SSH Recovery feature is included in EdgeOS starting from the v1.10.0 firmware release.
The recovery feature listens on all interfaces by default and relies on IPv6 link-local addresses, which are not routable outside of the local network. This means that only directly connected hosts can connect to the EdgeRouter during the 60 second window.
If desired, the SSH Recovery feature can be customized or disabled completely. Follow the steps below to modify the timer, define the listening interfaces and port, or prevent the process from running during startup:
1. Enter configuration mode.
configure
2. To modify the timer (default 60 seconds), run the following command:
set service ssh-recovery lifetime <seconds> | forever
3. Specify the listening interfaces and port with:
set service ssh-recovery listen-on <interface>
set service ssh-recovery port <port>
4. To completely disable the SSH recovery process, run the following command:
set service ssh-recovery disabled
5. Commit the changes and save the configuration.
commit ; save
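The following script is an added example and not part of the Ubiquiti article. It builds the same set commands shown above with a restricted listen-on interface, validates the port and lifetime values before they reach the configuration system, and applies them through the Vyatta command wrapper that EdgeOS ships for scripting (the wrapper path /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper and the eth/switch interface naming are assumptions of this example). Limiting listen-on to one management port keeps the boot-time recovery listener off every other interface, which is the default behaviour otherwise.

```shell
#!/bin/sh
# Added example (not from the Ubiquiti article): restrict the SSH Recovery
# listener to one interface instead of the default "all interfaces".

# Print the EdgeOS "set" commands for a restricted SSH Recovery configuration.
# Arguments: interface, TCP port (1-65535), lifetime in seconds or "forever".
# Prints nothing and returns 1 when an argument is invalid.
ssh_recovery_commands() {
    iface=$1; port=$2; lifetime=$3
    case "$iface" in                      # EdgeRouter interface names (assumed)
        eth[0-9]*|switch[0-9]*) ;;
        *) echo "invalid interface: $iface" >&2; return 1 ;;
    esac
    case "$port" in                       # must be all digits
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    case "$lifetime" in                   # <seconds> | forever
        forever) ;;
        ''|*[!0-9]*) echo "invalid lifetime: $lifetime" >&2; return 1 ;;
    esac
    printf 'set service ssh-recovery listen-on %s\n' "$iface"
    printf 'set service ssh-recovery port %s\n' "$port"
    printf 'set service ssh-recovery lifetime %s\n' "$lifetime"
}

# Apply the commands on the router itself through the Vyatta configuration
# wrapper (path assumed). Equivalent to configure / set ... / commit ; save.
ssh_recovery_apply() {
    cmds=$(ssh_recovery_commands "$@") || return 1
    wrapper=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper
    "$wrapper" begin
    printf '%s\n' "$cmds" | while read -r line; do
        # shellcheck disable=SC2086  # word-splitting $line is intended
        "$wrapper" $line
    done
    "$wrapper" commit && "$wrapper" save
    "$wrapper" end
}

# Usage on the EdgeRouter: ssh_recovery_apply eth0 60257 120
```

Run ssh_recovery_commands first to review the generated lines; ssh_recovery_apply only commits when every argument passed validation.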
SSH Recovery using Another EdgeRouter
The SSH Recovery process can also be initiated from another EdgeRouter by connecting to the IPv6 link-local address directly.
1. Connect the two EdgeRouters directly, for example using their eth0 interfaces.
2. Ping the All Nodes IPv6 multicast group address from the secondary EdgeRouter.
ping6 ff02::1%eth0
The outgoing interface is specified after the % symbol. In this example, eth0 is used on the secondary EdgeRouter.
3. If the EdgeRouter is accessible, it will reply with its IPv6 link-local address.
4. Verify the address by looking in the IPv6 neighbor discovery table.
show ipv6 neighbors
fe80::aacd:abff:fecd:abcd dev eth0 lladdr ab:cd:ab:cd:ab:cd router REACHABLE
5. Reboot the EdgeRouter to restart the IPv6 SSH Recovery timer.
6. Wait around 30 seconds for the EdgeRouter's SSH Recovery process to start.
7. Connect to the EdgeRouter using the ssh command on TCP port 60257 (replace <username> with your credentials).
ssh <username>@fe80::aacd:abff:fecd:abcd%eth0 -p 60257
SSH Recovery using a Windows Client
Follow the steps below to discover the EdgeRouter's IPv6 link-local address from a Windows client and start the SSH recovery process.
1. Open the Windows Command Prompt or PowerShell.
2. Display the output of the IPv6 routing table and interface identifiers.
route print -6
===========================================================================
Interface List
2...aa bb cc dd ee ff ......Ethernet Adapter
1...........................Software Loopback Interface
===========================================================================
3. Take note of the interface identifier of the Ethernet adapter (2 in this example).
4. Ping the All Nodes IPv6 multicast group address from the Windows client.
ping ff02::1%2
The outgoing interface is specified after the % symbol. In this example, interface identifier 2 is used on the Windows client.
5. If the EdgeRouter is accessible, its IPv6 link-local address will be in the IPv6 neighbor discovery table.
6. Use the netsh command to view the IPv6 neighbor discovery table under the Ethernet adapter section.
netsh interface ipv6 show neighbors
Interface 2: Ethernet Adapter
Internet Address Physical Address Type
-------------------------------------------- ----------------- -----------
fe80::aacd:abff:fecd:abcd aa-bb-cc-dd-ee-ff Reachable (Router)
...
7. Copy the IPv6 link-local address into a separate text file and add the interface identifier.
fe80::aacd:abff:fecd:abcd%2
8. Reboot the EdgeRouter to restart the IPv6 SSH Recovery timer.
9. Wait around 30 seconds for the EdgeRouter's SSH Recovery process to start.
10. Connect to the EdgeRouter using SSH on TCP port 60257.
In this example, we are using PuTTY as the SSH client:
SSH Recovery using a macOS Client
Follow the steps below to discover the EdgeRouter's IPv6 link-local address from a macOS client and start the SSH recovery process.
1. Open the macOS Terminal.
2. Display the output of the network interface(s) using the ifconfig command.
ifconfig
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
3. Take note of the interface name of the Ethernet adapter (en0 in this example).
4. Ping the All Nodes IPv6 multicast group address from the macOS client.
ping6 ff02::1%en0
The outgoing interface is specified after the % symbol. In this example, en0 is used on the macOS client.
5. If the EdgeRouter is accessible, its IPv6 link-local address will be in the IPv6 neighbor discovery table.
6. Use the ndp command to view the IPv6 neighbor discovery table.
ndp -an
Neighbor Linklayer Address Netif Expire St Flgs Prbs
fe80::aacd:abff:fecd:abcd%en0 aa:bb:cc:dd:ee:ff en0 23h58m18s R R
...
7. Copy the IPv6 link-local address and the interface identifier into a separate text file.
fe80::aacd:abff:fecd:abcd%en0
8. Reboot the EdgeRouter to restart the IPv6 SSH Recovery timer.
9. Wait around 30 seconds for the EdgeRouter's SSH Recovery process to start.
10. Connect to the EdgeRouter using the ssh command on TCP port 60257 (replace <username> with your credentials).
ssh <username>@fe80::aacd:abff:fecd:abcd%en0 -p 60257
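The three client procedures above (another EdgeRouter, Windows, macOS) all come down to the same steps: solicit neighbors with the all-nodes multicast ping, pick the router's fe80:: entry out of the local neighbor table, append the local interface as the scope, and connect on the recovery port. The script below is an added example, not code from the Ubiquiti article; it parses the three neighbor-table formats shown on this page (EdgeOS show ipv6 neighbors, Windows netsh interface ipv6 show neighbors, macOS ndp -an) and runs the EdgeRouter/macOS flow end to end. The sample tables in the test are constructed from the addresses used in the article; the choice of ip -6 neighbor show as the EdgeOS command behind show ipv6 neighbors is an assumption.

```shell
#!/bin/sh
# Added example (not from the Ubiquiti article): locate the EdgeRouter's
# IPv6 link-local address in a neighbor table and build the scoped SSH
# target for the recovery procedure.

# Read neighbor-table text on stdin and print the first fe80:: entry that is
# flagged as a router: EdgeOS/Linux prints "router", Windows netsh prints
# "(Router)", macOS ndp -an puts "R" in the Flgs column (field 6) and
# appends %ifname to the address. Any %scope suffix is stripped so the
# caller can attach the correct local interface. Returns 1 when no
# router entry exists, so the caller never builds a target for a random host.
find_router_linklocal() {
    awk '
        $1 !~ /^[Ff][Ee]80:/ { next }
        {
            is_router = 0
            for (i = 2; i <= NF; i++)
                if ($i == "router" || $i == "(Router)") is_router = 1
            if (index($1, "%") > 0 && $6 == "R") is_router = 1   # macOS
            if (!is_router) next
            addr = $1
            sub(/%.*/, "", addr)    # drop scope id printed by ndp -an
            print addr
            found = 1
            exit
        }
        END { if (!found) exit 1 }
    '
}

# Build user@address%scope. The scope is the client-side interface
# (eth0, en0) or the Windows interface index (2), not anything the router
# sends; it tells the client which link to send the packets out of.
ssh_recovery_target() {
    user=$1; addr=$2; scope=$3
    printf '%s@%s%%%s' "$user" "$addr" "$scope"
}

# Full procedure from an EdgeRouter or macOS client:
#   ssh_recover <local-interface> <username> [port]
ssh_recover() {
    iface=$1; user=$2; port=${3:-60257}        # article's default port
    ping6 -c 2 "ff02::1%$iface" >/dev/null 2>&1 # all-nodes multicast ping
    if command -v ndp >/dev/null 2>&1; then
        table=$(ndp -an)                        # macOS
    else
        table=$(ip -6 neighbor show dev "$iface") # EdgeOS/Linux (assumed)
    fi
    addr=$(printf '%s\n' "$table" | find_router_linklocal) || {
        echo "no router link-local address seen on $iface" >&2
        return 1
    }
    echo "found $addr; reboot the EdgeRouter now, connecting in 30 s" >&2
    sleep 30                                    # wait for the recovery window
    ssh -p "$port" "$(ssh_recovery_target "$user" "$addr" "$iface")"
}

# Usage: ssh_recover eth0 ubnt        (on a secondary EdgeRouter)
#        ssh_recover en0 ubnt         (on a macOS client)
```

For a Windows client, paste the netsh output into find_router_linklocal on any POSIX shell and use the interface index as the scope; the connection step is then the PuTTY session the article describes.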