Community discussions

MikroTik App
 
w0lt
Long time Member
Long time Member
Topic Author
Posts: 537
Joined: Wed Apr 02, 2008 2:12 pm
Location: Minnesota USA

RouterOS 6.30rc17

Thu Jun 11, 2015 4:54 pm

As with RouterOS 6.30rc13, the current beta release 6.30rc17 (SMIPS) does not have a wireless driver in the "All Architectures" zip package.

-tp
 
User avatar
honzam
Forum Guru
Forum Guru
Posts: 2394
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: RouterOS 6.30rc17

Fri Jun 12, 2015 9:23 am

 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: RouterOS 6.30rc17

Fri Jun 12, 2015 9:48 am

yes
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: RouterOS 6.30rc17

Fri Jun 12, 2015 3:00 pm

*) ssh - added option '/ip ssh stong-crypto'
I suppose this should read strong-crypto, no? What exactly does this change?
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: RouterOS 6.30rc17

Fri Jun 12, 2015 3:19 pm

*) ssh - added option '/ip ssh stong-crypto'
I suppose this should read strong-crypto, no? What exactly does this change?

it makes SSH connections more secure. SHA256 instead of SHA1 and MD5 is kicked out, longer DH, cipher-less connections are not allowed (one where you set cihpers=none) and stronger ciphers are preferred by the ssh server.

makes your SSH connection to the router slower :) due to better encryption. As most users do not require this (like managing routers from local area network) then old settings are deemed to have adequate security. Those that require higher security now can have it.

p.s. it is called '/ ip ssh strong-crypto' there is a typo in the changelog.
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: RouterOS 6.30rc17

Fri Jun 12, 2015 3:24 pm

*) ssh - added option '/ip ssh stong-crypto'
I suppose this should read strong-crypto, no? What exactly does this change?
it makes SSH connections more secure. SHA256 instead of SHA1 and MD5 is kicked out, longer DH, cipher-less connections are not allowed (one where you set cihpers=none) and stronger ciphers are preferred by the ssh server.

makes your SSH connection to the router slower :) and slower due to better encryption. As most users do not require this (like managing routers from local area network) then old settings are deemed to have adequate security. Those that require higher security now can have an option to have it.

p.s. yes it is called '/ ip ssh strong-crypto' there is a type in the changelog.
Ah, really nice! Thanks! :D

Looks like this still does not bring suppport for RSA (or even ed25519), though.
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: RouterOS 6.30rc17

Fri Jun 12, 2015 3:43 pm

RSA and for that matter ed25519 is not just a matter of flip-a-switch to enable them. We have to actually implement it. RSA currently is accepted as a feature request. Is not of a high priority.
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: RouterOS 6.30rc17

Wed Jul 01, 2015 9:10 am

RSA and for that matter ed25519 is not just a matter of flip-a-switch to enable them. We have to actually implement it. RSA currently is accepted as a feature request. Is not of a high priority.
Just a quick heads-up on this topic. OpenSSH 6.9 has been released. The announcement lists some features that will be run-time disabled by default with the release of OpenSSH 7.0 in July:
* Support for ssh-dss, ssh-dss-cert-* host and user keys will be run-time disabled by default.
You will still be able to enable it, but the default configuration will fail with RouterOS devices.
 
rpr
just joined
Posts: 17
Joined: Mon Oct 24, 2011 4:47 pm

Re: RouterOS 6.30rc17

Fri Jul 10, 2015 8:08 pm

p.s. it is called '/ ip ssh strong-crypto' there is a typo in the changelog.
On v. 6.30 I've tried to run that command but it gives an error:
> /ip ssh strong-crypto
bad command name strong-crypto (line 1 column 9)
I have the following packages enabled: advanced-tools, routeros-mipsbe, routing, security, system.
What could be the problem?

-- rpr.
 
User avatar
grusu
Member Candidate
Member Candidate
Posts: 129
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: RouterOS 6.30rc17

Sat Jul 11, 2015 12:17 am

/ip ssh set strong-crypto
 
rpr
just joined
Posts: 17
Joined: Mon Oct 24, 2011 4:47 pm

Re: RouterOS 6.30rc17

Sun Jul 12, 2015 12:54 am

I'm still getting an error:
> /system identity export
# jul/11/2015 23:49:35 by RouterOS 6.30
# software id = JLR6-SIQJ
#
/system identity
set name=gw.example.com

> /ip ssh set ?
Change properties of one or several items.

always-allow-password-login -- allow password login when public key authorization is configured
forwarding-enabled -- allows clients to connect to remote ports from server
strong-crypto -- use stronger encryption, HMAC algorithms, use bigger DH primes and disallow weaker ones


> /ip ssh set strong-crypto
expected end of command (line 1 column 13)
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: RouterOS 6.30rc17

Mon Jul 20, 2015 9:51 am

RSA and for that matter ed25519 is not just a matter of flip-a-switch to enable them. We have to actually implement it. RSA currently is accepted as a feature request. Is not of a high priority.
Just a quick heads-up on this topic. OpenSSH 6.9 has been released. The announcement lists some features that will be run-time disabled by default with the release of OpenSSH 7.0 in July:
* Support for ssh-dss, ssh-dss-cert-* host and user keys will be run-time disabled by default.
You will still be able to enable it, but the default configuration will fail with RouterOS devices.
Changes have been committed to git. Current development version can not connect to RouterOS devices:
% git describe
V_6_9_P1-32-gd56fd18
% ./ssh host
ssh_dispatch_run_fatal: Connection to XX.XX.XX.XX: no matching host key type found
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: RouterOS 6.30rc17

Thu Jul 30, 2015 1:49 pm

Starting with RouterOS 6.31rc10 we have support for RSA keys! Thanks a lot Mikrotik!

Who is online

Users browsing this forum: GoogleOther [Bot], jaclaz, sebus46 and 95 guests