Small but useful argument to /system reset

baldaszti · Thu Jul 21, 2011 3:17 pm

Hi,

I would like to suggest a feature, it would be really-really nice to have a
keep-sshkeys
option or similar to /system reset-configration command. The only way to load a configuration without failures (due to differences in "add" and "set") is this command with run-after-reset option, but unfortunatelly it regenerates ssh keys too which makes it unusable. If it could preserve it's digital identity, my problem would be solved.

janisk · Fri Jul 22, 2011 4:15 pm

that would mean, that someone could completely reconfigure your router and you would not notice that something has changes and would use compromised router. I guess you do not want that to happen, do you?

at least this is how i look at that.

Mon Jul 25, 2011 9:20 am

baldaszti how would you use this? why do you need to reset something, and keep the users? reset means reset, remove all config. if you want to reconfigure only some part, use IMPORT command to set new values to existing config, without reset.

baldaszti · Mon Aug 08, 2011 2:21 pm

baldaszti how would you use this? why do you need to reset something, and keep the users? reset means reset, remove all config. if you want to reconfigure only some part, use IMPORT command to set new values to existing config, without reset.

Hi normis,

We've bought over 10 devices and I have to send configuration from a central management system via ssh (scp+import). I need to reset config because /export generates "add" command (in /ip address for example) which will obviously fail on /import. There's no way to generate and send differential commands, our company's policy demands that the central management must contain exactly the same config as the device's.

Mon Aug 08, 2011 2:28 pm

not necessarily. you can edit the RSC file and issue "remove" commands before adding the new addresses. RSC (Import) file is basically a file that contains RouterOS commands. whatever you can do in console, you can do from this file. This way you can issue commands to remove all other config, and apply only what is needed.

baldaszti · Mon Aug 08, 2011 2:50 pm

not necessarily. you can edit the RSC file and issue "remove" commands before adding the new addresses. RSC (Import) file is basically a file that contains RouterOS commands. whatever you can do in console, you can do from this file. This way you can issue commands to remove all other config, and apply only what is needed.

As I mentioned I cannot edit the RSC file (nor by manually due to number of devices, nor by script due to company policy). Why is it a big deal to keep keys like user information during reset? Call it "keep-identity" if you like. Please, we cannot use your devices until there's a method of saving and restoring configuration in a human readable format (containing cli commands) without loosing the router's identity. I wouldn't ask if I could find any other solution.

baldaszti · Mon Aug 08, 2011 2:53 pm

that would mean, that someone could completely reconfigure your router

You are wrong. To do so you would need a key authenticated ssh prompt (which I cannot use now, since the router's identity changes).

Mon Aug 08, 2011 2:56 pm

creating a new function in RouterOS is not so easy.

somebody else will ask for "keep wireless keys", "keep user manager db", "keep routes" etc. we need to figure out a solution that helps everyone

for rapid config of routers with RSC files, you can also use Flashfig:

http://wiki.mikrotik.com/wiki/Manual:Flashfig

why can't you edit the RSC files?

baldaszti · Mon Aug 08, 2011 3:33 pm

creating a new function in RouterOS is not so easy.

somebody else will ask for "keep wireless keys", "keep user manager db", "keep routes" etc. we need to figure out a solution that helps everyone

"keep-identity" looks quite universal to me. I'm not talking about routes, wifis and other provided services, but the safe identification of the router itself on management side.

for rapid config of routers with RSC files, you can also use Flashfig:
http://wiki.mikrotik.com/wiki/Manual:Flashfig

Flashfig is not an option since the routers are not on the same l2 network (in fact they are hundreds of km away), neither use our cms windows. I've already integrated routeros to our cms, I can read and upload configuration perfectly, I only need a way to load an unmodified /extract output without failures or loosing the router's identity.

why can't you edit the RSC files?

As I've told you by hand it would take too much time, and our company policy does not allow scripts (no home-made configuration manipulating script would ever pass on audit, it's a question of responsibility).

Mon Aug 08, 2011 3:35 pm

anyway, you still have only one option. tell the management that their policy is blocking your goal.

editing by hand will not take a lot of time. not more than configuring one router. just paste needed commands in a text file, that's it.

baldaszti · Mon Aug 08, 2011 3:55 pm

anyway, you still have only one option. tell the management that their policy is blocking your goal.

I cannot. We're administrating a huge amount of devices from different manufacturers, and RouterOS is the only one that fails. And it's not the management that write the rules, we got them from the auditor.

And I do have another option, ask the kind developer to put a small "if" statement in the code around the "rm .ssh/id" command (come on, we paid for a dozen level 6 licenses with support, shouldn't it be enough?).

editing by hand will not take a lot of time. not more than configuring one router. just paste needed commands in a text file, that's it.

Editing 1 configuration and about 20 DOES TAKE considerably more time. Not to mention the possibility of errors (typos or pasting the same management ip for more routers and other problems).

Mon Aug 08, 2011 3:57 pm

while you were writing this post, you would have completed editing the file. you only need to do this once, as you will use it for all the routers.

sorry but I can't help you in any other way. import/export was designed for this reason.

baldaszti · Mon Aug 08, 2011 4:16 pm

while you were writing this post, you would have completed editing the file. you only need to do this once, as you will use it for all the routers.

Sorry, but you're wrong. They use different ip addresses for example (as I wrote before) which involves human error that we cannot afford.

sorry but I can't help you in any other way. import/export was designed for this reason.

In this case why can't I import a config generated from export without modifications (adding plus remove commands)? Shouldn't it be so?

Chupaka · Mon Aug 08, 2011 4:51 pm

1) well, if 'keep-users' parameter of 'reset-configuration' is intended to save authentication info after reset, why can't it save SSH keys?..
2)

why can't I import a config generated from export without modifications (adding plus remove commands)? Shouldn't it be so?

to import 'file.rsc', try "/system reset-configuration run-after-reset=file.rsc"

baldaszti · Mon Aug 08, 2011 4:56 pm

1) well, if 'keep-users' parameter of 'reset-configuration' is intended to save authentication info after reset, why can't it save SSH keys?..

good point. I would be happy with this, it would solve my problem.

2) to import 'file.rsc', try "/system reset-configuration run-after-reset=file.rsc"

That's exactly what I'm trying to do. It works fine, the only problem is the loss of authentication (ssh key changed).

katherineeobryan · Tue Aug 09, 2011 9:17 am

The router 5.6 is great one and having the new features of configuration as well as the modulation of access and sharing.

baldaszti · Tue Aug 09, 2011 10:29 am

So what about preserving keys if "keep-users=yes" flag used? No new function involved, you don't even have to alter the documentation... Please, I really need this, and you can bet I'm not the only one who wants to restore full configuration.

fewi · Tue Aug 09, 2011 5:10 pm

So what about preserving keys if "keep-users=yes" flag used? No new function involved, you don't even have to alter the documentation... Please, I really need this, and you can bet I'm not the only one who wants to restore full configuration.

Indeed. I'd also rather like this.

baldaszti · Tue Aug 09, 2011 5:30 pm

The router 5.6 is great one and having the new features of configuration as well as the modulation of access and sharing.

What new fetaures of configuration do you mean?

Btw I tested 5.6 with factory default configuration, same results:

[admin@MikroTik] > /export file=test.rsc
[admin@MikroTik] > /import file=test.rsc 
Opening script file test.rsc

Script file loaded successfullyfailure: pool with such name exists
[admin@MikroTik] >

This is obviously a "no remove before add command" problem.

I also tried

/system reset-configuration run-after-reset=test.rsc

now the device is totally dead.

I cannot communicate with it, not by L2 (winbox simply does not see it, no response from device to udp/5678), nor L3 (no response to arp requests for 192.168.88.1). Just for the records I use direct cable which worked until the reset was performed. I dumped on the interface, I see only CDP announcements coming from the device, nothing else.

It seems to me that 5.6 is even buggier than 5.5.

Wed Aug 10, 2011 7:25 am

It seems to me that 5.6 is even buggier than 5.5.

where is the bug? that you ran import on a configured system? please read the manual on how import/export works.

Chupaka · Wed Aug 10, 2011 10:29 am

bug is in bricking after "/system reset-configuration", I think...

baldaszti · Wed Aug 10, 2011 10:34 am

It seems to me that 5.6 is even buggier than 5.5.
where is the bug? that you ran import on a configured system? please read the manual on how import/export works.

Dear normis,

Sorry, no offense, but you are a really bad reader. It was not a configured system, rather factory defaults. I know, that import does not work this way, I only checked it because you said so. I read the manual, not once, not twice to find a solution, so I really know what it says, belive me.

The bug I mentioned was not about export/import, but about system reset. I do the following:
1. hard reset the router to factory defaults
2. save default configuration to a file
3. perform a system reset with run-after-reset option, and load back default configuration from that file
This supposed to work, we can agree on that.

The results:
5.5 - works perfectly
5.6 - the device became inresponsible, only hard reset helped

And if you don't mind, I ask again, since I do not have an answer yet:
what about keeping the keys if "keep-users=yes" used? It would be really-really great. No new features required.

Wed Aug 10, 2011 10:35 am

you are right, run-after-reset doesn't work in v5.6

Chupaka · Wed Aug 10, 2011 10:58 am

doesn't work? but why even mac-winbox didn't work after reset?..

Wed Aug 10, 2011 11:00 am

doesn't work? but why even mac-winbox didn't work after reset?..

no, what our tests show, is that the import fails at user groups. the router is accessible over MAC address, basically you can say that it works like a regular system reset, and just doesn't import correctly.

baldaszti · Wed Aug 10, 2011 11:17 am

no, what our tests show, is that the import fails at user groups. the router is accessible over MAC address, basically you can say that it works like a regular system reset, and just doesn't import correctly.

I was unable to use winbox with MAC address (the popup list was empty). I suppose because the import was incorrect, the router left in an unspecified state. I can run further tests if you like and if it could help. I can also test it on a ppc based router as well (I used mips-be), but I don't think it would make any difference.

Wed Aug 10, 2011 11:34 am

try to do this on a router which has a serial port, and monitor what happens on the serial console. at least if MAC/IP connectivity is broken, you will still get access to RouterOS.

baldaszti · Wed Aug 10, 2011 12:28 pm

try to do this on a router which has a serial port, and monitor what happens on the serial console. at least if MAC/IP connectivity is broken, you will still get access to RouterOS.

That's strange, I did what you asked, but on an RB1200 with routeros-powerpc-5.6.npk the problem does not show up. It fails to load the configuration, but I can access the device via winbox. It seems that the hangup problem is limited to routeros-mipbe-5.6.npk only (tested on RB750G). Is there any plus information that can help?

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; default configuration
     192.168.88.1/24    192.168.88.0    ether1
[admin@MikroTik] > /export file=test.rsc
[admin@MikroTik] > /system reset-configuration run-after-reset=test.rsc
Dangerous! Reset anyway? [y/N]:
y
system configuration will be reset


Rebooting...
Stopping services...
Restarting system.


RouterBOOT booter 2.33

RouterBoard 1200

CPU frequency: 1000 MHz
  Memory size: 1024 MB

Press any key within 2 seconds to enter setup..
loading kernel from nand... OK
setting up elf image... OK
jumping to kernel code
Starting...
Generating SSH RSA key...
Generating SSH DSA key...
Starting services...
MikroTik 5.6
         --- ascii art removed ---
[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
[admin@MikroTik] >

Wed Aug 10, 2011 12:32 pm

I did my test on a RB751U (mips-be) and also didn't have the problem. Maybe it was a coincidence.

baldaszti · Wed Aug 10, 2011 2:04 pm

I did my test on a RB751U (mips-be) and also didn't have the problem. Maybe it was a coincidence.

I agree, I can't reproduce the error either, it had to be a one-time coincidence. So please forget it, and focus on config loading issue.

Wed Aug 10, 2011 2:06 pm

I did my test on a RB751U (mips-be) and also didn't have the problem. Maybe it was a coincidence.
I agree, I can't reproduce the error either, it had to be a one-time coincidence. So please forget it, and focus on config loading issue.

our developers already have fixed it, it will work in v5.7

baldaszti · Wed Aug 10, 2011 2:10 pm

our developers already have fixed it, it will work in v5.7

Great, thanks! Is it possible by any chance that in v5.7 it will keep the keys if "keep-users=yes" used...?

Wed Aug 10, 2011 2:14 pm

I will see what we can do about it.

baldaszti · Wed Aug 10, 2011 4:07 pm

I will see what we can do about it.

Thank you very much!

Thu Aug 11, 2011 11:50 am

I will see what we can do about it.
Thank you very much!

line from the new 5.7 build (not public)

What's new in 5.7 (2011-Aug-11 10:12):

*) system reset-configuration - if keep-users is specified ssh user keys are
preserved as well;

Chupaka · Thu Aug 11, 2011 12:28 pm

hmmm... I re-read the topic, and now I have a small question: will router's ssh key change?.. seem like it's all about router identity, not user identity %)

Thu Aug 11, 2011 12:33 pm

I don't understand your question

Chupaka · Thu Aug 11, 2011 1:14 pm

Starting...
Generating SSH RSA key...
Generating SSH DSA key...

and when you connect to router via SSH, it says something like 'warning, SSH footprint has changed, possible attack, bla-bla-bla' - is it possible to keep that host key after reset too?..

Thu Aug 11, 2011 1:54 pm

No, host keys will not be kept during reset. To get rid of warnings, You will have to remove old saved keys from your PC.

baldaszti · Fri Aug 12, 2011 2:44 pm

Yes, I also think there's a misunderstanding here. Sorry if I was ambiguous, by ssh keys I meant the keys that identifies the device on ssh connection, and that said to be regenerated on reset. It's really good that user keys kept, I would also need that later, but I can't make it so far since the ssh complains about the host key. Can you keep it too? I think "keep-users" is a good flag for that, since it's useless if you wipe out users anyway. Don't get me wrong, I'm really pleased about what you've done so far. Thank you!

Deleting the key's line from known_hosts is also bad thing, for two reasons:
1. you cannot force ssh client to accept a new key for a certain host ("echo yes|ssh..." does not work), you have to disable strict key checking as a whole
2. if you accept new keys automatically, you'll lost security and authorization, the point of using an ssl channel.

So I'm still sure the best solution for all is to have a way to keep host's identity over reset.

baldaszti · Tue Aug 30, 2011 12:12 pm

Dear normis,

What can you tell about keeping the host key? I searched the forum and found this:
http://forum.mikrotik.com/viewtopic.php?f=2&t=50691
According to this, this bug was already reported on April 3th 2011, and it was fixed in 5.1. So this really should work, isn't?

My boss is getting inpatient, sooner or later they will throw out routerboards and buy different equipment if I cannot find a solution. Which is bad for you, in this case we will never ever buy your products again. You have to understand it's more than a month passed, and I have still nothing to show up, the management system loose the device after uploading a configuration to it.

Waiting for your answer,
Baldaszti

Tue Aug 30, 2011 12:19 pm

How does it disturb you exactly, that the keys have to be regenerated? What is the problematic part?

baldaszti · Tue Aug 30, 2011 2:33 pm

What's the problematic part? I cannot connect to device via ssh!
I thought we've went through that before. Ssh gives "identification of host changed" error and refuses to connect.

Tue Aug 30, 2011 2:42 pm

For that you have several options:

1. update host table with "ssh-keygen -R hostname"

2. update host file manually located in home folder "~/.ssh/known_hosts"

3. disable host key checking. In ssh config file add
Host *
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null

baldaszti · Tue Aug 30, 2011 5:35 pm

Dear mrz,

please read the FULL topic to know why are your suggestions bad. We've already discussed them, always changing host key is NOT a solution, since it makes authentication impossible.

What about focusing on my request (do not overwrite a few files when resetting with "keep-users=yes" given), instead of convincing me that it cannot be done...?

dtoffo · Wed Aug 31, 2011 5:05 pm

Dear baldaszti,
Maybe I missed something in the discussion (forgive me...) o I am asking something obvious, but why you have to reconfigure the whole router so soon? I really can't understand.
I configure the ones I manage and make little changes from time to time, and at every change with a script I export my configuration to my repository.
In the central management I think is important to have the current configuration to rebuild the router in case of big problems, but makes no sense to continuously reconfigure the router.
In any case if they are 10 or more different routers you MUST edit the configurations to align them... so why not editing the router and exporting the last, "current" configuration? That will be sufficient to configure from scratch a new routerboard in case of "disaster recovery" and send that for substitution, but I can't figure out a case with routeros responding you and you need to factory reset and reconfigure.

By the way, I think that a tool (on the routeros or offline) that can automagically compare exports and suggest alignment commands could be appreciated by everyone and maybe can resolve your problem, baldaszti

baldaszti · Wed Aug 31, 2011 6:03 pm

Dear baldaszti,
Maybe I missed something in the discussion (forgive me...) o I am asking something obvious, but why you have to reconfigure the whole router so soon? I really can't understand.

It's not so soon. The time is irrelevant, the point is, if we need to upload the configuration from the central management sever, we can do it once, and never again. The reset is necessary because the /export command generates such clis that it gives error on /import (it's about using "set" and "add"). It can be loaded only if the device has empty config (that's fine, many company use this method). And we cannot use any tool that compares and generate clis, it's a question of responsibility (we have to send the commands unchanged to the device, so if an error occurs, it's the administrator's fault, not some program bug).

dtoffo · Thu Sep 01, 2011 9:43 am

I don't use backup - restore, but maybe fits your needs better than export and import.
Can any expert confirm?

baldaszti · Thu Sep 08, 2011 11:36 am

Unfortunately backup uses binary files, which cannot be interpreted by the auditor, so it's not an option

I would like to have an official answer from the developers whether keeping host key is possible (didn't got answer yet). If the answer is no, I'm afraid no other option left than RMA, and buy routers from the concurrence

baldaszti · Mon Sep 12, 2011 3:45 pm

Still waiting for the answer...

siscom · Mon Sep 12, 2011 10:10 pm

Dear baldaszti,
Maybe I missed something in the discussion (forgive me...) o I am asking something obvious, but why you have to reconfigure the whole router so soon? I really can't understand.
It's not so soon. The time is irrelevant, the point is, if we need to upload the configuration from the central management sever, we can do it once, and never again. The reset is necessary because the /export command generates such clis that it gives error on /import (it's about using "set" and "add"). It can be loaded only if the device has empty config (that's fine, many company use this method). And we cannot use any tool that compares and generate clis, it's a question of responsibility (we have to send the commands unchanged to the device, so if an error occurs, it's the administrator's fault, not some program bug).

I've used Milliscript for processing export files and never had a problem. Have you seen the latest version - http://wiki.mikrotik.com/wiki/Milliscript ?

It's a godsend!

Rgds,
Mark.

baldaszti · Tue Sep 13, 2011 4:01 pm

I've used Milliscript for processing export files and never had a problem. Have you seen the latest version - http://wiki.mikrotik.com/wiki/Milliscript ?

It's a godsend!

Rgds,
Mark.

Thanks for the tip, it's really a great tool indeed, but it does not solve my problem. I cannot use third party tool to modify the configuration (question of responsibility), as I wrote before.

janisk · Wed Sep 14, 2011 12:30 pm

if you are that concerned about security you should know that keeping those keys is insecure when router is completely reconfigured.

Chupaka · Wed Sep 14, 2011 5:53 pm

if you are that concerned about security you should know that keeping those keys is insecure when router is completely reconfigured.

then let him a way to load reference config to working router

baldaszti · Wed Sep 21, 2011 10:30 am

Dear Mikrotik,

Two months passed, the 5.7 is out, and host key still regenerating.
You did not manage to put a simple "if()" in your code within 2 months. This means your RouterOS is the only software in our arsenal that cannot save it's configuration in cli format and load it back again, so management decided to throw all of them out. Congratulations! I'm pretty sure you'll have no further orders from my government (the owner of our company).

Don't tell me you didn't had the chance. Sic transit gloria mundi!

Wed Sep 21, 2011 11:36 am

Dear Mikrotik,

Two months passed, the 5.7 is out, and host key still regenerating.
You did not manage to put a simple "if()" in your code within 2 months. This means your RouterOS is the only software in our arsenal that cannot save it's configuration in cli format and load it back again, so management decided to throw all of them out. Congratulations! I'm pretty sure you'll have no further orders from my government (the owner of our company).

Don't tell me you didn't had the chance. Sic transit gloria mundi!

I'm sorry but during all this time, you couldn't clearly explain things that you needed, and why. We added some new functionality, but apparently it wasn't enough.

baldaszti · Wed Sep 21, 2011 4:30 pm

I did, several times. As a matter of fact, others wanted it too.

What? A way to keep host key after loading entire config with run-after-reset
Why? Because always changing key is useless for authentication, and without clearing config /import fails

If this is not good enough for you, I cannot help. It is trivial for all (including all of your concurrence) except you that saving and restoring full configuration in cli format is a must.

Thu Sep 22, 2011 10:40 am

Thank you, it's clear now. We will make it in one of the upcoming versions.

pedja · Thu Sep 22, 2011 10:47 am

It was clear from the begining of this topic.

I am actually glad Mirkotik lost such a big buyer. I hope that would be educative and provide beter attitude toward users.

Thu Sep 22, 2011 10:53 am

I'm sorry but it wasn't clear. The original request said "SSH keys" and we made this:

*) system reset-configuration - if keep-users is specified ssh user keys are
preserved as well;

pdubois · Fri May 08, 2015 4:07 pm

Hello All,

I'm currently implementing an automated configuration and testing environment for mikrotik devices and would really like to preserve the device's SSH keys through a '/system reset-configuration' command as well.

Has this feature actually been implemented? I can't find it either via documentation or via exploring the obvious functions on my device.

I originally thought one could submit a predetermined ssh key via rsc file but can't seem to find information on that either. Any ideas?

Who is online