SSH Server

RouterOS has a built-in SSH server that is enabled by default and listens for incoming connections on TCP port 22. The port can be changed and the server disabled under the Services menu.

...

Property | Description
allow-none-crypto (yes | no; Default: no) | Whether to allow the connection if cryptographic algorithms are set to none.
always-allow-password-login (yes | no; Default: no) | Whether to allow password login while public key authorization is configured for a user.
forwarding-enabled (both | local | no | remote; Default: no) | Controls which SSH forwarding methods are allowed:
  • no - SSH forwarding is disabled;
  • local - allow SSH clients to originate connections from the server (router); this setting also controls dynamic forwarding;
  • remote - allow SSH clients to listen on the server (router) and forward incoming connections;
  • both - allow both local and remote forwarding methods.
host-key-size (1024 | 1536 | 2048 | 4096 | 8192; Default: 2048) | RSA key size to use when the host key is regenerated.
host-key-type (ed25519 | rsa; Default: rsa) | Host key type.
strong-crypto (yes | no; Default: no) | Use stronger encryption and HMAC algorithms, use bigger DH primes and disallow weaker ones:
  • prefer 256- and 192-bit encryption over 128-bit;
  • disable null encryption;
  • prefer sha256 for hashing over sha1;
  • disable md5;
  • use a 2048-bit prime for the Diffie-Hellman exchange instead of a 1024-bit one.
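
As an added example (not MikroTik code), the Python below audits the /ip ssh section of a RouterOS configuration export against the properties in the table above. The export text is constructed, the finding wording and the 2048-bit RSA threshold are this example's own choices, and it assumes the export lists only non-default values and wraps long lines between parameters with a trailing backslash.

```python
import shlex

# Defaults as listed in the property table above.
DEFAULTS = {
    "allow-none-crypto": "no",
    "always-allow-password-login": "no",
    "forwarding-enabled": "no",
    "host-key-size": "2048",
    "host-key-type": "rsa",
    "strong-crypto": "no",
}

def parse_ip_ssh(export_text):
    """Return the effective /ip ssh settings found in RouterOS export text."""
    settings = dict(DEFAULTS)
    in_menu = False
    # Assumption: wrapped lines end with a backslash; join them first.
    for line in export_text.replace("\\\n", "").splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_menu = (line == "/ip ssh")
        elif in_menu and line.startswith("set "):
            for token in shlex.split(line[4:]):
                key, sep, value = token.partition("=")
                if sep and key in settings:
                    settings[key] = value
    return settings

def audit(s):
    """List settings weaker than the hardened values the table describes."""
    findings = []
    if s["allow-none-crypto"] == "yes":
        findings.append("allow-none-crypto=yes: connections with 'none' algorithms are accepted")
    if s["always-allow-password-login"] == "yes":
        findings.append("always-allow-password-login=yes: password login stays open for key users")
    if s["forwarding-enabled"] != "no":
        findings.append(f"forwarding-enabled={s['forwarding-enabled']}: SSH forwarding is allowed")
    if s["strong-crypto"] != "yes":
        findings.append("strong-crypto=no: md5 stays enabled and DH uses a 1024-bit prime")
    if s["host-key-type"] == "rsa" and int(s["host-key-size"]) < 2048:
        findings.append(f"host-key-size={s['host-key-size']}: RSA host key below 2048 bits")
    return findings

# Constructed sample export, not taken from a real device.
SAMPLE_EXPORT = r"""/ip service
set ssh port=2222
/ip ssh
set always-allow-password-login=yes forwarding-enabled=both \
    host-key-size=1024
"""
```

Calling `audit(parse_ip_ssh(SAMPLE_EXPORT))` returns four findings; a router left entirely at defaults still yields the strong-crypto finding.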

...

Property | Description
export-host-key (key-file-prefix) | Export public and private keys (RSA/DSA, Ed25519) to files. The command takes one parameter:
  • key-file-prefix - prefix used for the generated files; for example, prefix 'my' will generate files 'my_rsa', 'my_rsa.pub' etc.
import-host-key (private-key-file) | Import and replace the private DSA/RSA key from the specified file. The command takes one parameter:
  • private-key-file - name of the private RSA/DSA key file
regenerate-host-key () | Generate a new set of private keys (DSA, RSA/Ed25519) on the router, replacing the current set. Be aware that previously imported keys might stop working.
Note

Exporting the SSH host key requires "sensitive" user policy.

Enabling PKI authentication

Example of importing public key for user admin

Generate SSH keys on the client device (the device you will connect from). Upload the public SSH key to the router and import it.

...

For testing or security reasons, it may be required to log in to another host using a certain source address for the connection. In this case, the src-address=<ip address> argument has to be used. Note that the IP address in this case can be either IPv4 or IPv6.

...

Example of importing private key for user admin

First of all, export currently generated SSH keys to a file:

...

Two files, admin_rsa and admin_rsa.pub, will be generated. The pub file needs to be trusted on the SSH server side (how to enable SSH PKI on RouterOS). The private key has to be added for the particular user.

...

Warning

If the server does not support pseudo-tty (ssh -T or ssh host command), like the MikroTik SSH server, then it is not possible to send multiline commands via SSH.

...

Note

For security reasons, plain text password input is not allowed. To ensure safe execution of the command remotely, use SSH key PKI authentication for users on both sides.
An example of how to configure RSA key pair authentication can be found in: https://wiki.mikrotik.com/wiki/Use_SSH_to_execute_commands_(public/private_key_login)


Warning

The user group and script policy executing the command require test permission.

...