Connecting via SSH - new fingerprint when IP changes?

I have a Mikrotik device and I try to connect to it via SSH.
I noticed that the SSH software on my PC warns me regarding the connection and shows me a different fingerprint when the IP address changes.
The IP address in all cases was a Local IP address (not WAN).
Regardless, I am very much certain that I had a successful connection with my Mikrotik device (and nothing like a MiTM issue).

For example, when the IP address was “192.168.0.5”, the SSH software showed a specific fingerprint (ain’t really sure what it was).
Then, when the IP address was “10.x.y.z”, the SSH software showed a different fingerprint; it was different from the fingerprint which I found using the method detailed below. This is the main issue.

Is that normal?
What is the process to verify the fingerprint?

The following is the process which I did to install the SSH public key into the Mikrotik device:

  1. I connected directly to the Mikrotik device using a short Ethernet cable.
     Nothing else was connected to the Mikrotik device.
  2. I created a key-pair using the command:
     $ ssh-keygen -t rsa
  3. I uploaded the public key (from the above keypair) to the Mikrotik device using the HTTP WebFig interface.
  4. I imported the public key to SSH using a Mikrotik command like the following:
     /user ssh-keys import public-key-file=abc.pub user=admin

(Specific values may vary, like the value for the “public-key-file” flag.)

The following is the process which I did to verify the SSH fingerprint:
Using the public key file from the SSH RSA keypair which was created in the above process, I executed:

     $ ssh-keygen -lv -f ./key_rsa.pub

Which shows the fingerprint.

What exactly is the warning you get? Your ssh software is probably warning you about your HOST key either changing or being new, not the USER rsa key. Why is the IP address changing? If you did a complete reinstall the host key will regenerate, but it shouldn’t if you just change an IP address.

Unfortunately, I didn’t save the warning.
I wrote the thread from my memory.
I already entered “yes” to trust the “new” host/key.

Probably... though also the host key shouldn’t be new.

IP address changed due to initial setup of the device.
I tested the device in various configurations/networks which are internal (i.e. LAN IP addresses).

I did an upgrade of the RouterOS packages - could that affect the SSH keys?
I don’t understand how the host key will regenerate if I created the RSA keypair myself (only once) and uploaded & imported the RSA public key to the Mikrotik device - I did that only once with a single public RSA key.

The important thing to note here is that the router itself creates a host key when you install or initialize the routeros. Your ssh client will check the fingerprint of this host key when it connects. If it is the first time you’ve connected this particular IP address, the client will ask if you want to accept the (new to it) host key. If the host key changed for an address you have connected to before I assume it will ask if the change is OK.

The host key is completely separate from the RSA SSH user key you generated. This user key is used for the user authorization and authentication phase after your client has made the basic connection to your router (when it checked the host key).

Indeed I understand now.
I recall now that RSA is an asymmetrical encryption method so it makes sense that the Mikrotik device has its own RSA keypair which potentially could change.
So, my own RSA keypair isn’t really a factor in this.

Knowing the above:
In the scenario where the Mikrotik device is far from me (and MiTM is technically possible), how do I make sure that the fingerprint of the RSA key of the Mikrotik device is valid?

That’s a harder question to answer than you would think, mostly because it comes down to the meaning of “trust”.

If you yourself don’t have the router in your possession at any point, you are going to have to trust someone. Have someone you trust at the router location connect to it and tell you, in a way that you trust, what the fingerprint they got was. Or you could send them a cert that you make and have the fingerprint for, and have them install it and trust it’s in the correct router. Or have them export the certificate and send it to you in a trusted way, and take the fingerprint yourself.

Most people end up trusting the fingerprint you get with the first connection, then if it changes they get suspicious. If you are a very special person that some large org or government wants to trick this is probably not a great way to do it and you should probably pay a crypto expert to advise you.
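The following is an added, stand-alone example (not code from the thread or from Mikrotik) that illustrates two points made above: the earlier reply's distinction between the router's host key and the user key you upload, and the last reply's advice to compare the fingerprint you observe with one obtained over a trusted channel. It re-implements, with only the Python standard library, the SHA256 fingerprint that `ssh-keygen -l` prints (base64 of the SHA-256 hash of the key's wire blob, with the `=` padding removed) and the known_hosts check an SSH client performs per address. The keys, addresses and known_hosts contents are constructed for the example; the real RouterOS host key is only obtainable from the device itself or from someone you trust at its location.

```python
"""Host-key vs user-key fingerprints, and what an SSH client does with known_hosts.

Pure-stdlib re-implementation of the SHA256 fingerprint shown by `ssh-keygen -l`:
base64(sha256(<key wire blob>)) with '=' padding removed.
All keys, addresses and known_hosts lines below are constructed for the example.
"""
import base64
import hashlib


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH public-key line: 'ssh-ed25519 <base64 blob> <comment>'.

    The blob is the real wire encoding, string("ssh-ed25519") || string(32 bytes);
    raw32 itself is a constructed placeholder, not a key from the thread.
    """
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are exactly 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of a public-key line, as `ssh-keygen -l -E sha256` shows it.

    The hash covers the whole wire blob (type string included), so the same
    function applies to RSA, ECDSA and Ed25519 keys alike.
    """
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    type_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type field does not match the encoded blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_fingerprints(known_hosts: str, host: str) -> list[str]:
    """Fingerprints recorded for `host` in a plain (unhashed) known_hosts text.

    Line format: '<host1>,<host2>,... <type> <base64 blob> [comment]'.
    Hashed entries ('|1|...'), markers ('@...') and comments are skipped here;
    a real client HMACs the host name to match hashed entries.
    """
    found = []
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "|1|", "@")):
            continue
        hosts, key_type, b64 = line.split()[:3]
        if host in hosts.split(","):
            found.append(fingerprint(f"{key_type} {b64}"))
    return found


def host_key_verdict(known_hosts: str, host: str, offered_key_line: str) -> str:
    """What the client concludes when `host` offers `offered_key_line`.

    NEW     -> nothing recorded for this address: client prompts to accept it
    MATCH   -> recorded key matches: connection proceeds silently
    CHANGED -> recorded key differs: the 'host identification has changed' warning
    """
    recorded = known_hosts_fingerprints(known_hosts, host)
    offered = fingerprint(offered_key_line)
    if not recorded:
        return "NEW"
    return "MATCH" if offered in recorded else "CHANGED"


def matches_out_of_band(reported_fp: str, offered_key_line: str) -> bool:
    """Compare a fingerprint reported over a trusted channel with the key the server offered."""
    return reported_fp.strip() == fingerprint(offered_key_line)


# --- constructed sample data (placeholders, not real keys) ---
ROUTER_HOST_KEY = ed25519_pubkey_line(bytes(range(32)), "router-host-key")
REGENERATED_HOST_KEY = ed25519_pubkey_line(bytes(range(1, 33)), "router-host-key-after-reinstall")
USER_KEY = ed25519_pubkey_line(bytes(range(100, 132)), "admin@laptop")  # the key imported with /user ssh-keys import

# known_hosts as it would look after accepting the router once at 192.168.0.5
KNOWN_HOSTS = "192.168.0.5 " + ROUTER_HOST_KEY.rsplit(" ", 1)[0] + "\n"

if __name__ == "__main__":
    print("router host key :", fingerprint(ROUTER_HOST_KEY))
    print("your user key   :", fingerprint(USER_KEY), "<- what ssh-keygen -lv -f key.pub shows; not the host key")
    print("192.168.0.5, same key       :", host_key_verdict(KNOWN_HOSTS, "192.168.0.5", ROUTER_HOST_KEY))
    print("10.1.2.3, first contact     :", host_key_verdict(KNOWN_HOSTS, "10.1.2.3", ROUTER_HOST_KEY))
    print("192.168.0.5, regenerated key:", host_key_verdict(KNOWN_HOSTS, "192.168.0.5", REGENERATED_HOST_KEY))
```

Running it shows why the user key's fingerprint never equals the one the client warns about, why reaching the same router at a second address is treated as a first contact (a separate known_hosts entry per address), and why a regenerated host key at a known address produces the changed-key warning. The `matches_out_of_band` check is the last reply's advice in code: the value you compare against comes from someone who read it off the device, not from the connection you are trying to trust.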