Please don't enable HSTS if you are going to mess around with the server cert on upgrade!
Then I ssh’ed to the server and the fingerprint of the server had changed!
$ ssh nuc13-kvm
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:2bGfdAp+D1Jh19XmmcJ6Wpmj+SmTAeHDDZoencA5Tk8.
Please contact your system administrator.
Add correct host key in /Users/jason/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/jason/.ssh/known_hosts:43
Host key for nuc13-kvm has changed and you have requested strict checking.
Host key verification failed.
And I couldn’t log into ssh with my identity file since the file /root/.ssh/authorized_keys has been removed!
An upgrade should never mess with these security files!
Please be careful and conscientious about upgrade delivery!
To be fair this also happens every time a router is flashed with a new release. It's just 'the nature of the beast'. You'd have to backup/restore the private/pubkeys for ssh ea. time afterwards.
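The backup/restore routine the reply above describes is easy to get wrong if you only eyeball the warning, so here is an added example (written for this thread, not code from the original post, GL.iNet or PiKVM) of pinning the host-key fingerprints and the authorized_keys entries before a firmware upgrade and checking them afterwards. The fingerprint function produces the same `SHA256:...` format that OpenSSH prints in the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning (base64 of the SHA-256 of the raw key blob, padding stripped), so the value it records can be compared directly with what ssh shows you. The Ed25519 key material in the demo is constructed filler bytes, not a real key; in practice you would feed it the lines of `/etc/ssh/ssh_host_*.pub` and `/root/.ssh/authorized_keys` copied off the device before the upgrade.

```python
"""Pin SSH host keys and authorized_keys before an upgrade; verify them after.

Added example for this thread; not part of the PiKVM or GL.iNet firmware.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "constructed") -> str:
    """Build an OpenSSH public-key line from 32 bytes of Ed25519 public key.

    Only used here to fabricate sample keys; the bytes are constructed test data.
    """
    if len(raw32) != 32:
        raise ValueError("Ed25519 public keys are exactly 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH SHA256 fingerprint of one public-key line.

    This is what `ssh-keygen -lf key.pub` prints and what the ssh warning shows:
    base64(SHA-256(raw key blob)) with the trailing '=' padding removed.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pin_host_keys(pubkey_lines):
    """Manifest of host keys: {key type: fingerprint}, taken before the upgrade."""
    return {line.split()[0]: fingerprint(line) for line in pubkey_lines if line.strip()}


def verify_host_keys(pinned, current_lines):
    """Compare the post-upgrade host keys with the pinned manifest.

    Returns (ok, findings). A changed fingerprint is exactly the condition that
    triggers the ssh warning; a pinned value lets you tell an expected
    regeneration apart from something else having happened on the path.
    """
    current = pin_host_keys(current_lines)
    findings = []
    for keytype, fp in pinned.items():
        if keytype not in current:
            findings.append(f"{keytype}: host key missing after upgrade")
        elif current[keytype] != fp:
            findings.append(f"{keytype}: fingerprint changed {fp} -> {current[keytype]}")
    for keytype in current:
        if keytype not in pinned:
            findings.append(f"{keytype}: new key type not in manifest")
    return (not findings, findings)


def missing_authorized_keys(backup_lines, current_lines):
    """Fingerprints of authorized_keys entries present in the backup but gone now.

    Comparing fingerprints rather than raw lines ignores comment/whitespace
    differences, which is what you want when checking that access survived.
    """
    have = {fingerprint(l) for l in current_lines if l.strip()}
    return [fingerprint(l) for l in backup_lines if l.strip() and fingerprint(l) not in have]


if __name__ == "__main__":
    # Constructed sample keys: filler bytes, not real key material.
    old_host = make_ed25519_pubkey_line(bytes(range(32)), "old-host-key")
    new_host = make_ed25519_pubkey_line(bytes(range(1, 33)), "regenerated-host-key")
    admin_key = make_ed25519_pubkey_line(bytes(32), "admin@laptop")

    manifest = pin_host_keys([old_host])          # taken before the upgrade
    ok, findings = verify_host_keys(manifest, [new_host])  # checked afterwards
    print("host keys ok:", ok)
    for f in findings:
        print("  ", f)
    print("authorized_keys lost:", missing_authorized_keys([admin_key], []))
```

If `verify_host_keys` reports a changed fingerprint that matches the key you just restored from backup, removing the stale `known_hosts` entry is the right response; if it reports a change you did not make, the warning deserves the attention it asks for rather than a blind `ssh-keygen -R`.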
I don’t know what router you use. Of all the routers, network equipment, IP cams, NAS and so on I have used since 1990, none of them have ever forgotten my network settings or credentials when updating firmware. From crappy TP-Link, to Linksys, to Huawei, to Unifi, to Ring, to Nest, they know what files are replaced / generated by every single user.
Can you imagine working in the customer support team and answering the angry customer phone calls?
Slate AX, Flint v1, Certa, UBNT, etc. GL.iNet firmware and pure OWRT, situation dependent. These GL devices aren't like the disposable devices you cite. They're SBCs more like a RPi than IoT devices or Cisco iOS.
I don't have Comet as I'm holding off until the real world reports of the Comet Pro start coming in, but I'm given to understand these units run on PiKVM. GL has a GitHub repo for their fork. Why don't you fork their fork, roll your own images which include pulling down whatever deps you specifically need for your env & private repos?
Heck, if you really want to get all kinds of crazy, fork & adapt ansible-pikvm! Be sure to publish Ansible Galaxy so you can get others out of the same annoyance you find yourself in!
You call devices from UBNT, Linksys, Nest, Ring, Synology and TrueNAS disposable? Haha, those disposable devices back up their configuration before upgrade and restore full functionality without human intervention.
Then what do you call a non-disposable single-function appliance that requires a professional to upgrade its firmware? It is not even funny.
And you ask me to work for Gl-inet for free? Unlike you, I paid for the device!
For someone using a UUID as username, I am not surprised.
I'm sorry for the problems caused by the upgrade. I fully understand your usage scenario and purpose.
Currently, certificates and keys are not standard features of the firmware, so we ignored this in our testing phase. To facilitate more users, we will add a UI management interface for the certificate and SSH key functions in the future, making it more convenient for users to use as a standard function.
So when are router users going to have the same feature, @robotluo ? This has been going on for years... yet GL.iNet never addresses it so we write our methods:
But you lot sure seem to find the dev time to add absurd, security theatre features such as:
Roll your own images which include whatever deps you specifically need for your env & private repos?
Heck, if you really want to get all kinds of crazy, fork & adapt! Be sure to publish so you can get others out of the same annoyance you find yourself in!