SSH Server
RouterOS has a built-in SSH (SSH v2) server that is enabled by default and listens for incoming connections on TCP port 22. The port can be changed and the server disabled under the Services menu (/ip service).
Properties
Sub-menu: /ip ssh
Property | Description |
---|---|
allow-none-crypto (yes | no; Default: no) | Whether to allow a connection if the cryptographic algorithms are set to none. |
always-allow-password-login (yes | no; Default: no) | Whether to still allow password login for a user when public key authentication is configured for that user. |
forwarding-enabled (both | local | no | remote; Default: no) | Controls which SSH forwarding method is allowed: no disables forwarding, local allows forwarding initiated by the client through the router (including dynamic forwarding), remote allows the router to listen and forward incoming connections back to the client, both allows both. |
host-key-size (1024 | 1536 | 2048 | 4096 | 8192; Default: 2048) | RSA key size used when the host key is regenerated. |
host-key-type (ed25519 | rsa; Default: rsa) | Host key type to use. |
strong-crypto (yes | no; Default: no) | Use stronger encryption and HMAC algorithms, use bigger DH primes and disallow weaker ones. |
Commands
Property | Description |
---|---|
export-host-key (key-file-prefix) | Export the public and private RSA/Ed25519 host keys to files. The command takes two parameters, of which key-file-prefix sets the output file name prefix. Host keys are exported in PKCS#8 format. |
import-host-key (private-key-file) | Import the private RSA/Ed25519 key from the specified file and replace the current host key with it. The command takes two parameters, of which private-key-file names the file to import. The private key may be in PEM or PKCS#8 format. |
regenerate-host-key () | Generate a new set of private host keys (RSA/Ed25519) and replace the current ones on the router. Be aware that previously imported keys might stop working, and that clients which saved the old host key will report a host key mismatch until they update it. |
Exporting the SSH host key requires the "sensitive" user policy.
Enabling PKI authentication
Example of importing public key for user admin
Generate an SSH key pair on the client device (the device you will connect from). Upload the public key file to the router and import it for the user:
/user ssh-keys import public-key-file=id_rsa.pub user=admin
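The following is an added example, not part of the RouterOS documentation: it combines the import above with the /ip ssh settings from the Properties table into a key-only, hardened server configuration. It assumes the client's public key was uploaded as id_ed25519.pub (a constructed file name) and that the user is admin.

```routeros
# Added example, not from the original documentation: harden the SSH server
# and switch user admin to key-only login. Assumes the client's public key
# was uploaded to the router as id_ed25519.pub (constructed file name).

# A weak configuration, shown for comparison only: legacy ciphers/MACs and
# small DH primes accepted, port forwarding through the router allowed, and
# the password still accepted next to the key.
# /ip ssh set strong-crypto=no allow-none-crypto=yes forwarding-enabled=both always-allow-password-login=yes

# Hardened state: ed25519 host key, strong ciphers/MACs/DH only, no "none"
# cipher, no port forwarding through the router, password not accepted
# once a public key exists for the user (the documented default).
/ip ssh set host-key-type=ed25519 strong-crypto=yes allow-none-crypto=no forwarding-enabled=no always-allow-password-login=no

# Generate the host key of the new type. Clients that saved the old host key
# will see a host key mismatch warning until their known_hosts entry is replaced.
/ip ssh regenerate-host-key

# Trust the client's public key for admin. With always-allow-password-login=no,
# admin can now log in over SSH only with the matching private key.
/user ssh-keys import public-key-file=id_ed25519.pub user=admin

# Verify the resulting settings and the installed key.
/ip ssh print
/user ssh-keys print
```

Keep a second, already working session open while applying this, so a typo in the key import does not lock you out of the router.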
SSH Client
Sub-menu: /system ssh
Simple log-in to remote host
The client can connect to a remote host and start an SSH session. The address may be IPv4 or IPv6.
/system ssh 192.168.88.1
/system ssh 2001:db8:add:1337::beef
In this case the user name presented to the remote host is the one currently logged in to the router. If a different value is required, user=<username> has to be specified.
/system ssh 192.168.88.1 user=lala
/system ssh 2001:db8:add:1337::beef user=lala
Log-in from certain IP address of the router
For testing or security reasons it may be necessary to log in to the other host from a specific source address of the router (for example, to match a firewall rule on the remote side). In this case the src-address=<ip address> argument has to be used. The address may be IPv4 or IPv6.
/system ssh 192.168.88.1 src-address=192.168.89.2
/system ssh 2001:db8:add:1337::beef src-address=2001:db8:bad:1000::2
In this case the SSH client binds to the specified address and then initiates the SSH connection to the remote host.
Log-in using RSA public/private key
Example of importing private key for user admin
First, export the currently generated SSH host keys to files:
/ip ssh export-host-key key-file-prefix=admin
Two files, admin_rsa and admin_rsa.pub, will be generated. The .pub file needs to be trusted on the SSH server side (see Enabling PKI authentication above), and the private key has to be added for the particular user on this router:
/user ssh-keys private import user=admin private-key-file=admin_rsa
Only a user with full rights on the router can change the 'user' attribute under /user ssh-keys private. Note that this reuses the router's host key as the user's client key, so regenerating the host key later will invalidate the login.
After the public key is installed and trusted on the SSH server, a PKI SSH session can be created:
/system ssh 192.168.1.1
Executing remote commands
To execute a remote command, supply it at the end of the log-in line:
/system ssh 192.168.88.1 "/ip address print"
/system ssh 192.168.88.1 command="/ip address print"
/system ssh 2001:db8:add:1337::beef "/ip address print"
/system ssh 2001:db8:add:1337::beef command="/ip address print"
If the server does not support a pseudo-tty (the equivalent of ssh -T or ssh host command), as is the case with the MikroTik SSH server, it is not possible to send multiline commands via SSH.
For example, sending the command "/ip address \n add address=1.1.1.1/24"
to a MikroTik router will fail.
If you wish to execute remote commands from scripts or the scheduler, use the ssh-exec command.
SSH exec
Sub-menu: /system ssh-exec
The ssh-exec command is a non-interactive SSH command, which allows commands to be executed remotely on a device from scripts and the scheduler.
Retrieve information
The command will return two values:
- exit-code: returns 0 if the command execution succeeded
- output: returns the output of remotely executed command
Example: the code below retrieves the interface status of ether1 from the device 10.10.10.1 and writes the result to the log.
:local Status ([/system ssh-exec address=10.10.10.1 user=remote command=":put ([/interface ethernet monitor [find where name=ether1] once as-value]->\"status\")" as-value]->"output")
:log info $Status
For security reasons, a plaintext password cannot be supplied to ssh-exec. To run the command remotely without interactive input, use SSH PKI authentication for the users on both sides.
The user group and the script policy of the script executing the command require the test permission.
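The following is an added example, not from the RouterOS documentation: it extends the snippet above into a script for /system script (policy read,test) that can be run from the scheduler and checks exit-code before trusting output. The address 10.10.10.1 and user remote come from the example above; the script assumes a key for remote is already trusted on the remote side.

```routeros
# Added example, not from the original documentation. Put this in
# /system script (policy=read,test) and trigger it from /system scheduler.
# It assumes 10.10.10.1 accepts user "remote" with a public key already
# trusted there, so no password is needed (ssh-exec does not accept one).
:local Target "10.10.10.1"
:local RemoteUser "remote"

# Run the remote command non-interactively; as-value returns an array with
# the keys "exit-code" and "output" instead of printing to the terminal.
:local Result [/system ssh-exec address=$Target user=$RemoteUser command=":put ([/interface ethernet monitor [find where name=ether1] once as-value]->\"status\")" as-value]

# Only use "output" when the remote command reported success; a non-zero
# exit-code means the output (if any) is an error message, not a status.
:if (($Result->"exit-code") = 0) do={
    :local Status ($Result->"output")
    :log info ("ether1 on " . $Target . ": " . $Status)
} else={
    :log error ("ssh-exec to " . $Target . " failed, exit-code " . ($Result->"exit-code"))
}
```

Schedule it with /system scheduler add name=check-remote-ether1 interval=5m on-event=check-remote-ether1 (the script and scheduler names are assumptions); a failed run then shows up as an error entry in the log instead of an empty status line.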