EdgeRouter - SSH Recovery


Overview


Readers will learn how to use the IPv6 SSH Recovery feature to connect to an otherwise inaccessible EdgeRouter.

NOTES & REQUIREMENTS: 
Applicable to the v1.10.0 EdgeOS firmware and higher on all EdgeRouter models. Please see the Related Articles below for more information.
 
Devices and tools used in this article:

Table of Contents


  1. Frequently Asked Questions (FAQ)
  2. The SSH Recovery Feature
  3. SSH Recovery using the Discovery Tool
  4. SSH Recovery using Another EdgeRouter
  5. SSH Recovery using a Windows Client
  6. SSH Recovery using a macOS Client
  7. Related Articles

Frequently Asked Questions (FAQ)


What is SSH Recovery?

The SSH Recovery feature provides emergency SSH access to an EdgeRouter from a directly connected device using IPv6 link-local addresses.

 

This eliminates the need for a console cable.

When should SSH Recovery be used?

The feature can be used to access the EdgeRouter via SSH if it is otherwise inaccessible due to misconfiguration or other system failures.

When is SSH Recovery accessible?

SSH Recovery is started during the boot process and remains active for a total of 60 seconds. Afterwards, the process is terminated and stops accepting new SSH connections (established sessions are kept alive). The default timer can be customized; see the section below.

Can SSH Recovery be accessed from the Internet or a remote IPv6 network?

No, the feature relies on IPv6 link-local addresses, which are not routable outside of the local network.

Do I need to provide user credentials to log in using SSH Recovery?

Yes, the EdgeRouter will prompt you for user credentials and does not allow unauthenticated users to access the device.

Which port and protocol are used by SSH Recovery?

The SSH Recovery feature uses TCP port 60257 by default. The listen port can be customized; see the section below.

Can I customize or disable the SSH Recovery feature?

Yes, see the section below.

The SSH Recovery Feature


As mentioned in the FAQ above, the SSH Recovery feature can be used to access the EdgeRouter via SSH if it is otherwise inaccessible due to misconfiguration or other system failures. The SSH Recovery feature is included in EdgeOS starting from the v1.10.0 firmware release.

The recovery feature listens on all interfaces by default and relies on IPv6 link-local addresses, which are not routable outside of the local network. This means that only directly connected hosts are able to connect to the EdgeRouter during the 60-second window.


If desired, the SSH Recovery feature can be customized or disabled completely. Follow the steps below to modify the timer, define the listening interfaces and port, or prevent the process from running during startup:

CLI: Access the Command Line Interface. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. To modify the timer (default 60 seconds), run the following command:

set service ssh-recovery lifetime <seconds> | forever

3. Specify the listening interfaces and port with:

set service ssh-recovery listen-on <interface>
set service ssh-recovery port <port>

4. To completely disable the SSH recovery process, run the following command:

set service ssh-recovery disabled

5. Commit the changes and save the configuration.

commit ; save

SSH Recovery using the Discovery Tool


1. Download the Ubiquiti Device Discovery Tool from the official Download section.

2. Wait for the tool to finish discovering your devices.

NOTE: The Device Discovery tool will only find EdgeMAX devices that have IPv4 addresses configured.

3. Double click on the discovered EdgeRouter to see the device details.

4. Copy the Rescue IP Address into a separate text file and replace the interface identifier with the one used by your Ethernet adapter:

fe80::aacd:abff:fecd:abcd%<identifier>

5. See the Windows or macOS steps below on how to find your interface identifier and how to connect to the EdgeRouter.


SSH Recovery using Another EdgeRouter


The SSH Recovery process can also be initiated from another EdgeRouter by connecting to the IPv6 link-local address directly.

CLI: Access the Command Line Interface. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Interconnect the two EdgeRouters, for example using the eth0 interfaces.

2. Ping the All Nodes IPv6 multicast group address from the secondary EdgeRouter.

ping6 ff02::1%eth0

NOTE: It is important to specify the interface identifier using the % symbol. In this example, eth0 is used on the secondary EdgeRouter.

3. If the EdgeRouter is accessible, it will reply with its IPv6 link-local address.

4. Verify the address by looking in the IPv6 neighbor discovery table.

show ipv6 neighbors 
fe80::aacd:abff:fecd:abcd dev eth- lladdr ab:cd:ab:cd:ab:cd router REACHABLE

5. Reboot the EdgeRouter to restart the IPv6 SSH Recovery timer.

6. Wait around 30 seconds for the EdgeRouter's SSH Recovery process to start.

7. Connect to the EdgeRouter using the ssh command on TCP port 60257 (replace <username> with your credentials).

ssh <username>@fe80::aacd:abff:fecd:abcd%eth0 -p 60257

SSH Recovery using a Windows Client


Follow the steps below to discover the EdgeRouter's IPv6 link-local address from a Windows client and start the SSH recovery process.

1. Open the Windows Command Prompt or PowerShell.

2. Display the output of the IPv6 routing table and interface identifiers.

route print -6
===========================================================================
Interface List
2...aa bb cc dd ee ff ......Ethernet Adapter
1...........................Software Loopback Interface
===========================================================================

3. Take note of the interface identifier of the Ethernet adapter (2 in this example).

4. Ping the All Nodes IPv6 multicast group address from the Windows client.

ping ff02::1%2

NOTE: It is important to specify the interface identifier using the % symbol. In this example, 2 is used on the Windows client.

5. If the EdgeRouter is accessible, its IPv6 link-local address will be in the IPv6 neighbor discovery table.

6. Use the netsh command to view the IPv6 neighbor discovery table under the Ethernet adapter section.

netsh interface ipv6 show neighbors

Interface 2: Ethernet Adapter

Internet Address Physical Address Type
-------------------------------------------- ----------------- -----------
fe80::aacd:abff:fecd:abcd 78-8a-20-46-61-6a Reachable (Router)
...

7. Copy the IPv6 link-local address into a separate text file and add the interface identifier.

fe80::aacd:abff:fecd:abcd%2

8. Reboot the EdgeRouter to restart the IPv6 SSH Recovery timer.

9. Wait around 30 seconds for the EdgeRouter's SSH Recovery process to start.

10. Connect to the EdgeRouter using SSH on TCP port 60257.


In this example, we are using PuTTY as the SSH client.


SSH Recovery using a macOS Client


Follow the steps below to discover the EdgeRouter's IPv6 link-local address from a macOS client and start the SSH recovery process.

1. Open the macOS Terminal.

2. Display the output of the network interface(s) using the ifconfig command.

ifconfig
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500

3. Take note of the interface name of the Ethernet adapter (en0 in this example).

4. Ping the All Nodes IPv6 multicast group address from the macOS client.

ping6 ff02::1%en0

NOTE: It is important to specify the interface identifier using the % symbol. In this example, en0 is used on the macOS client.

5. If the EdgeRouter is accessible, its IPv6 link-local address will be in the IPv6 neighbor discovery table.

6. Use the ndp command to view the IPv6 neighbor discovery table.

ndp -an
Neighbor Linklayer Address Netif Expire St Flgs Prbs
fe80::aacd:abff:fecd:abcd%en0 78:8a:20:40:41:2d en0 23h58m18s R R
...

7. Copy the IPv6 link-local address and the interface identifier into a separate text file.

fe80::aacd:abff:fecd:abcd%en0

8. Reboot the EdgeRouter to restart the IPv6 SSH Recovery timer.

9. Wait around 30 seconds for the EdgeRouter's SSH Recovery process to start.

10. Connect to the EdgeRouter using the ssh command on TCP port 60257 (replace <username> with your credentials).

ssh <username>@fe80::aacd:abff:fecd:abcd%en0 -p 60257
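The EdgeRouter, Windows and macOS procedures above all end the same way: pick the link-local neighbor flagged as a router, append your own interface identifier after the % sign, and connect on TCP port 60257. The Python script below is an added example, not part of Ubiquiti's documentation; it parses constructed sample output in the three neighbor-table formats shown in this article, keeps only fe80::/10 entries marked as routers, and composes the scoped ssh command. The sample neighbor lines and the `admin` username are placeholders.

```python
import ipaddress

RECOVERY_PORT = 60257  # EdgeOS ssh-recovery default listen port (see the FAQ)

# Constructed sample output modelled on the article's three neighbor tables (EdgeOS
# "show ipv6 neighbors", Windows "netsh ... show neighbors", macOS "ndp -an").
SAMPLES = {  # format -> (local interface identifier, table text)
    "linux": ("eth0", "fe80::aacd:abff:fecd:abcd dev eth0 lladdr ab:cd:ab:cd:ab:cd router REACHABLE\n"
                      "fe80::1234:56ff:fe78:9abc dev eth0 lladdr 12:34:56:78:9a:bc STALE\n"),
    "windows": ("2", "fe80::aacd:abff:fecd:abcd 78-8a-20-46-61-6a Reachable (Router)\n"
                     "ff02::1 33-33-00-00-00-01 Permanent\n"),
    "macos": ("en0", "fe80::aacd:abff:fecd:abcd%en0 78:8a:20:40:41:2d en0 23h58m18s R R\n"
                     "fe80::beef:1%en0 aa:bb:cc:dd:ee:ff en0 23h58m10s S\n"),
}

def parse_neighbors(fmt, text):
    """Return [(address, is_router)] for the link-local (fe80::/10) rows only."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:  # macOS appends %scope to the address column; strip it first
            addr = ipaddress.IPv6Address(fields[0].split("%")[0])
        except ValueError:
            continue  # header rows and anything that is not an IPv6 address
        if not addr.is_link_local:
            continue  # multicast (ff02::1) or global entries are never recovery targets
        if fmt == "linux":
            is_router = "router" in fields
        elif fmt == "windows":
            is_router = "(Router)" in line
        elif fmt == "macos":  # sixth column is Flgs; 'R' marks a router
            is_router = len(fields) >= 6 and fields[5] == "R"
        else:
            raise ValueError(f"unsupported neighbor table format: {fmt}")
        rows.append((str(addr), is_router))
    return rows

def recovery_command(address, scope, user):
    """Build 'ssh user@fe80::...%scope -p 60257'; refuse non-link-local input."""
    addr = ipaddress.IPv6Address(address)
    if not addr.is_link_local:
        raise ValueError("SSH Recovery listens only on fe80::/10 link-local addresses")
    return f"ssh {user}@{addr}%{scope} -p {RECOVERY_PORT}"

def recovery_targets(fmt, user="admin"):  # 'admin' is a placeholder username
    """Router-flagged link-local neighbors from SAMPLES[fmt], as ssh commands."""
    scope, text = SAMPLES[fmt]
    return [recovery_command(a, scope, user) for a, r in parse_neighbors(fmt, text) if r]
```

Feed it the real table text from `show ipv6 neighbors`, `netsh interface ipv6 show neighbors` or `ndp -an` together with your own interface identifier and it prints exactly the command used in step 7 or 10 above.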

Related Articles


EdgeRouter - TFTP Recovery

EdgeRouter - Manual TFTP Recovery

EdgeRouter - How to Find Device MAC Address
