...

The settings submenu controls the password complexity requirements enforced for router users.

Property | Description
minimum-password-length (integer; 0..4294967295; Default: ) | Minimum length, in characters, of a user password. A value of 0 imposes no minimum.
minimum-categories (integer; 0..4; Default: ) | Minimum number of character categories a password must contain, out of the four: uppercase letters, lowercase letters, digits and symbols. A value of 0 imposes no category requirement.


...

Property | Description
name (string; Default: ) | The name of the user group
policy (local | telnet | ssh | ftp | reboot | read | write | policy | test | winbox | password | web | sniff | sensitive | api | rest-api | romon | dude | tikapp; Default: none) | List of allowed policies:


Login policies:

  • local - policy that grants rights to log in locally via console
  • telnet - policy that grants rights to log in remotely via telnet
  • ssh - policy that grants rights to log in remotely via secure shell protocol
  • web - policy that grants rights to log in remotely via WebFig.
  • winbox - policy that grants rights to log in remotely via WinBox and bandwidth test authentication
  • password - policy that grants rights to change the password
  • api - policy that grants rights to access the router via the API.
  • rest-api - policy that grants rights to access the router via the REST API.
  • ftp - policy that grants full rights to log in remotely via FTP: read, write and erase files, and transfer files to and from the router. Should be used together with the read/write policies.
  • romon - policy that grants rights to connect to the RoMON server.

Config Policies:

  • reboot - policy that allows rebooting the router
  • read - policy that grants read access to the router's configuration. All console commands that do not alter the router's configuration are allowed. Does not affect FTP.
  • write - policy that grants write access to the router's configuration, except for user management. It does not by itself grant read access, so enable the read policy as well.
  • policy - policy that grants user management rights. Should be used together with the write policy. Also allows seeing global variables created by other users (requires the test policy as well).
  • test - policy that grants rights to run ping, traceroute, bandwidth-test, wireless scan, snooper, fetch, email and other test commands
  • sensitive - policy that grants rights to change the "hide sensitive" option; without it, sensitive information (passwords, keys and similar secrets) is not displayed.
  • sniff - policy that grants rights to use the packet sniffer tool.
skin (name; Default: default) | Skin used for WebFig

Default groups

There are three default system groups that cannot be deleted:

    [admin@MikroTik] > /user group print
    0 name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!write,!policy,!dude skin=default
    1 name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!policy,!dude skin=default
    2 name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!dude skin=default

Please note that even the "read" group includes sensitive, reboot and other important policies, so it should not be given to untrusted users. For a truly limited group, create a custom group that lists only the specific policies it needs. All groups have access to file operations. An exclamation sign '!' directly before a policy name means NOT: that policy is denied.

Router Users

The router user database stores, for each member of the router's management personnel, the username, password, allowed access addresses and group.

...

Property | Description
address (IP/mask | IPv6 prefix; Default: ) | Host or network address from which the user is allowed to log in
group (string; Default: ) | Name of the group the user belongs to
name (string; Default: ) | User name. It must start with an alphanumeric character; it may also contain the "*", "_", "." and "@" symbols.
password (string; Default: ) | User password. If not specified, it is left blank (press [Enter] when logging in), which lets anyone who can reach the router from the allowed address log in as that user. It follows standard Unix password conventions and may contain letters, digits and the "*" and "_" symbols.
last-logged-in (time and date; Default: "") | Read-only. Last time and date when the user logged in.
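The password settings, group policies and user properties described above, combined into one hardening sequence. This is an added example, not configuration from the original page or from MikroTik: the group name noc-ro, the user noc, the management network 10.10.0.0/24 and the placeholder password are assumptions; the menus, policy names and the '!' negation are the ones documented above.

```routeros
# Added example (not from the original page). Group/user names, the
# management network and the placeholder password are assumptions.

# 1. Password complexity: require at least 14 characters drawn from at
#    least three of the four categories (uppercase, lowercase, digit, symbol).
/user settings set minimum-password-length=14 minimum-categories=3

# 2. A genuinely limited group. Unlike the built-in "read" group it grants
#    only ssh and read: no local/telnet/web/winbox login, no reboot, no
#    sensitive, no test, no password change. Policies not listed are denied
#    anyway; the !-entries spell the denials out, matching what /export prints.
/user group add name=noc-ro policy=ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon

# 3. A user in that group, reachable only from the management network.
#    The password is checked against the policy set in step 1.
/user add name=noc group=noc-ro address=10.10.0.0/24 password="CHANGE-ME-Str0ng!"

# 4. Pin the built-in admin account to the management network as well.
/user set admin address=10.10.0.0/24

# 5. Verify the effective policy set of the new group and the user list.
/user group print where name="noc-ro"
/user print
```

Because policies omitted from policy= are denied, policy=ssh,read alone would define the same group; the negated entries only document the intent. Check the output of step 5 against the built-in groups printed above: the new group must not carry sensitive, reboot, policy or any login policy beyond ssh.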

...

Property | Description
accounting (yes | no; Default: yes) | Enable RADIUS accounting for user login sessions
exclude-groups (list of group names; Default: ) | Groups that must not be assigned to users authenticated via RADIUS. If the RADIUS server returns a group in this list, the default-group is used instead. This protects against privilege escalation: a user who has the write policy but not the policy policy can otherwise change the RADIUS server list, point it at a server under their control, and log in with full (admin) rights.
default-group (string; Default: read) | User group used by default for users authenticated via a RADIUS server.
interim-update (time; Default: 0s) | Interval between RADIUS Interim-Update accounting messages; 0s disables them.
use-radius (yes | no; Default: no) | Enable user authentication via RADIUS
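The RADIUS properties above applied with the exclude-groups safeguard in place, as an added example that is not part of the original page. The RADIUS server address 10.10.0.5 and the shared secret are assumptions; /radius and /user aaa are the RouterOS menus that hold the properties described above.

```routeros
# Added example (not from the original page). Server address, secret and
# timing values are assumptions; replace them for your deployment.

# RADIUS server used for router logins (service=login). The secret is a
# placeholder. RADIUS traffic is only as protected as the path to the
# server, so keep the server on the management network.
/radius add service=login address=10.10.0.5 secret="CHANGE-ME-shared-secret"

# Turn on RADIUS logins. A user the server does not map to a group lands
# in "read"; a server answer naming "full" or "write" is ignored and "read"
# is used instead. That closes the path where a write-but-not-policy user
# points /radius at a server they control and logs in as a full admin.
/user aaa set use-radius=yes default-group=read exclude-groups=full,write accounting=yes interim-update=5m

# Verify the resulting settings.
/user aaa print
/radius print
```

Two caveats a practitioner should check: exclude-groups has to name every group that carries the policy policy (full, plus any custom group that includes it), otherwise a rogue server simply returns that group instead; and default-group=read still carries sensitive and reboot, as noted under Default groups, so a custom restricted group is a safer fallback than read.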

...

Warning

By default, a user is not allowed to log in via SSH with a password once an SSH key has been added for that user. For details see the SSH page.

Public keys

This menu is used to import and list imported public keys. A public key imported here authenticates the holder of the matching private key when they log into the router over SSH as the assigned user.

...

Info

RSA and Ed25519 keys are supported in PEM, PKCS#8 or OpenSSH format.

Property | Description
user (string; Default: ) | Username to which the SSH key is assigned.
key-owner (string) | SSH key owner
public-key-file (string) | Name of the file in the router's root directory containing the public key.

Private keys

This menu is used to import and list imported private keys. A private key imported here proves the router's own identity when the router logs into another device using SSH key authentication.

...

Property | Description
user (string; Default: ) | Username to which the SSH key is assigned.
key-owner (string) | SSH key owner
private-key-file (string) | Name of the file in the router's root directory containing the private key.
passphrase (string) | Passphrase protecting the key file, if it is encrypted.
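The public-key and private-key menus above used together, as an added example that is not part of the original page. The user names noc and admin, the key file names and the passphrase are assumptions; the key files are assumed to have been uploaded to the router's root directory beforehand.

```routeros
# Added example (not from the original page). User names, file names and
# the passphrase are assumptions. Key files must already be in the root
# directory (uploaded via the Files menu or an FTP/SFTP transfer that the
# ftp/write policies permit); /file print shows what is there.
/file print

# Client authentication: bind an uploaded public key to the local user.
# From here on, noc logs in with the matching private key. By default
# password login for that user is then disabled (see the Warning above);
# /ip ssh print shows the always-allow-password-login setting that governs this.
/user ssh-keys import user=noc public-key-file=noc_ed25519.pub
/user ssh-keys print
/ip ssh print

# Router-side identity: a private key the router presents when it connects
# out to another host, e.g. with /system ssh. The passphrase unlocks an
# encrypted key file; leave it out for an unencrypted one.
/user ssh-keys private import user=admin private-key-file=router_ed25519.pem passphrase="CHANGE-ME"
/user ssh-keys private print
```

After the public-key import, test from the client with the private key before closing the session you used to configure it; if the key was bound to the wrong user, password login for that user is already off and the only remaining access is through the other users and the console.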

...