First of all, I'd like to say thank you for putting in this feature…
Now, just a little suggestion (not a nag or anything).
But wouldn't it rock (translation: be great) if you could retrieve the pub key from a RADIUS server? Then I wouldn't have to go manually configure my DSA key on 50 routers (c:
How do I use SSH DSA keys? I can't find any documentation.
Under "/user ssh-keys" there is nothing, and there is no .ssh/ in file. So how is it meant to be used?
Generate a pair of DSA keys elsewhere (I am using OpenSSH’s ssh-keygen), then copy the public key file to your MT(s). Import the public key file, and tie it to a username (part of the import command).
From that point on, when you SSH/SCP/SFTP to the router using that username, you can use DSA authentication with the private key you generated, rather than needing to use password authentication.
Just a comment: with Mac OS X 10.4 it becomes even simpler, because the -i parameter defaults to the right file. I prefer the '@' ssh notation; one can e.g. just type:
OK, I tried that feature some weeks ago when I first stumbled upon it. It just won't import my PuTTYgen-generated DSA keys. Has anybody succeeded with that?
Example key:
---- BEGIN SSH2 PUBLIC KEY ----
---- END SSH2 PUBLIC KEY ----
[vaden@skopje .ssh2]$ ssh-keygen -t dsa -b 1024
Generating 1024-bit dsa key pair
27 o.oOo..oOo.o
Key generated.
1024-bit dsa, vaden@skopje.texoma.net, Sun Sep 24 2006 21:24:11 -0500
Passphrase :
Again :
Key is stored with NULL passphrase.
(You can ignore the following warning if you are generating hostkeys.)
This is not recommended.
Don’t do this unless you know what you’re doing.
If file system protections fail (someone can access the keyfile),
or if the super-user is malicious, your key can be used without
the deciphering effort.
Private key saved to /home/vaden/.ssh2/id_dsa_1024_a
Public key saved to /home/vaden/.ssh2/id_dsa_1024_a.pub
[vaden@skopje .ssh2]$ ls -al
total 64
drwx------ 3 vaden vaden 4096 Sep 24 21:24 .
drwx------ 34 vaden vaden 4096 Sep 24 18:45 ..
drwx------ 2 vaden vaden 4096 Aug 11 20:23 hostkeys
-rw------- 1 vaden vaden 880 Sep 24 21:24 id_dsa_1024_a
-rw-r--r-- 1 vaden vaden 749 Sep 24 21:24 id_dsa_1024_a.pub
-rw------- 1 vaden vaden 1550 Aug 9 05:44 id_rsa_2048_a
-rw-r--r-- 1 vaden vaden 538 Aug 9 05:44 id_rsa_2048_a.pub
-rw------- 1 vaden vaden 512 Sep 24 21:24 random_seed
[vaden@skopje .ssh2]$ ftp mosel.texoma.net
Connected to mosel.texoma.net.
220 mosel FTP server (MikroTik 2.9.30) ready
500 'AUTH': command not understood
500 'AUTH': command not understood
KERBEROS_V4 rejected as an authentication type
Name (mosel.texoma.net:vaden): vaden
331 Password required for vaden
Password:
230 User vaden logged in
Remote system type is UNIX.
ftp> put id_dsa_1024_a.pub
local: id_dsa_1024_a.pub remote: id_dsa_1024_a.pub
227 Entering Passive Mode (209,151,96,139,128,51).
150 Opening ASCII mode data connection for '/id_dsa_1024_a.pub'
226 ASCII transfer complete
763 bytes sent in 9.3e-05 seconds (8e+03 Kbytes/s)
ftp> quit
221 Closing
[vaden@skopje .ssh2]$
Weird… I just ran through it again, and here is the output of the working one (2.9.30):
%ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/snorris/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/snorris/.ssh/id_dsa.
Your public key has been saved in /home/snorris/.ssh/id_dsa.pub.
The key fingerprint is:
a1:43:7c:91:eb:26:11:1a:8b:85:a6:57:a6:xx:xx:xx snorris@vpxx6.changeip.com
%cat id_dsa.pub
ssh-dss AAAAB3NzaC1kc3MAAACBAIQ85I9Fzy9Gxz6Xls3WwUfHEiNoV4F76bwozxYXa9GljYZloh78
HlHDcS7MFA0hnHBEe9xhrt98eEmRS/JDY32i9MXDb/oDg9a+okjX4NL3wkCwunV6/q361qbuVQSK7+E+
mmLZoAExlPwoWxao4h3dw2QEql+fL1KhUNOkt6NNAAAAFQC7NYPP1apr0y8Eo3eDN1ZzKHyATQAAAIBN
V0lYkDav/EG5zY5KEqJA2RH8gnyacDOXocj5oqV/1JDjyjHZHc6c+zNPJZvTn8xF9E2PrVkFEhRZIfWZ
7JvXf68yM/NTEYfMkPil2WMucw45s9vKJUIqMpj7ZRw0oOGdzhHKsa1s31Z4CR08ENLILENJ/uih9l+5
mw/nZQl2eAAAAIAhJg68yR6gyuTrvbDV7XXyGbgpSTHm4DVbCW1V+c4KJRKrKjfFWKUZAeHkdftLoTfR
vIbdmPRLfLJrXNmvf6uytBa5iF6402Prnq0EqbkcdotUxJMY413aSI13B2ZhKdik2H/XjVG8askkh5Hm
dzEYzB12O7qLZ0Ja3NORiurbQA== snorris@vpxxx6.changeip.com
%ftp xx.xx.x.1
Connected to xx.xx.x.1.
220 cip FTP server (MikroTik 2.9.30) ready
Name (xx.xx.x.1:xxxxx): xxxx
331 Password required for xxxx
Password:
230 User xxxx logged in
Remote system type is UNIX.
ftp> binary
200 Type set to I
ftp> put id_dsa.pub
local: id_dsa.pub remote: id_dsa.pub
227 Entering Passive Mode (xx,xx,x,1,128,24).
150 Opening BINARY mode data connection for '/id_dsa.pub'
100% |**************************************************| 614 00:00 ETA
226 BINARY transfer complete
614 bytes sent in 0.00 seconds (488.68 KB/s)
ftp> quit
221 Closing
%ssh xxxx@xx.xx.x.1
xxxx@xx.xx.x.1's password:
MikroTik RouterOS 2.9.30 (c) 1999-2006 http://www.mikrotik.com/
Hello, and welcome to MikroHome!
Terminal xterm detected, using multiline input mode
[xxxx@cip-office] > /user
[xxxx@cip-office] user> ssh-keys import file=id_dsa.pub
user: xxxx-ssh
[xxxx@cip-office] user>
This worked fine. Does your pub key look similar in format? If so, take a supout and send the pub key in a support ticket.
Sam
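A small checker for the two public-key layouts seen in this thread, added here as an example rather than code from the original posts or from MikroTik: it accepts either the one-line OpenSSH form that imported above or the "---- BEGIN SSH2 PUBLIC KEY ----" (RFC 4716) wrapper that ssh.com's ssh-keygen and PuTTYgen write, reads the key type out of the blob itself, and rewrites the key as a single OpenSSH line. The sample key is constructed dummy data, and RFC 4716 header continuation lines are not handled.

```python
import base64

def _mpint(n):
    # SSH wire-format mpint: 4-byte big-endian length, then the magnitude bytes
    # (with a leading zero byte when the high bit is set)
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return len(b).to_bytes(4, "big") + b

# Constructed sample: the "ssh-dss" type string plus four dummy 40-byte integers
# standing in for p, q, g and y. It is not a real key.
SAMPLE_BLOB = b"\x00\x00\x00\x07ssh-dss" + b"".join(
    _mpint(int.from_bytes(bytes([v]) * 40, "big")) for v in (0x11, 0x22, 0x33, 0x44))
_b64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
# The same blob in the RFC 4716 wrapping that ssh.com's ssh-keygen and PuTTYgen write
SAMPLE_RFC4716 = "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----",
                            'Comment: "1024-bit dsa, vaden@skopje (constructed)"',
                            *[_b64[i:i + 72] for i in range(0, len(_b64), 72)],
                            "---- END SSH2 PUBLIC KEY ----"])

def parse_public_key(text):
    """Return (key_type, blob, comment) for an OpenSSH one-line or RFC 4716 key.
    The type is read from the blob itself, so a mislabelled file is caught too."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines and lines[0] == "---- BEGIN SSH2 PUBLIC KEY ----":
        if lines[-1] != "---- END SSH2 PUBLIC KEY ----":
            raise ValueError("unterminated RFC 4716 key")
        body, comment, declared = [], "", None
        for ln in lines[1:-1]:
            if ":" in ln and not body:  # header line; base64 never contains ':'
                tag, _, value = ln.partition(":")
                if tag.strip().lower() == "comment":
                    comment = value.strip().strip('"')
                continue
            body.append(ln)
        b64 = "".join(body)
    else:
        fields = lines[0].split(None, 2) if len(lines) == 1 else []
        if len(fields) < 2:
            raise ValueError("not an OpenSSH one-line or RFC 4716 public key")
        declared, b64, comment = fields[0], fields[1], (fields[2] if len(fields) > 2 else "")
    blob = base64.b64decode(b64, validate=True)
    n = int.from_bytes(blob[:4], "big")
    key_type = blob[4:4 + n].decode("ascii")
    if len(key_type) != n or declared not in (None, key_type):
        raise ValueError("key blob does not carry the declared type")
    return key_type, blob, comment

def to_openssh(text):
    # Rewrite either format as the one-line "ssh-dss <base64> <comment>" form
    key_type, blob, comment = parse_public_key(text)
    return key_type + " " + base64.b64encode(blob).decode("ascii") + (" " + comment if comment else "")
```

OpenSSH's own `ssh-keygen -i -f id_dsa_1024_a.pub` performs the same RFC 4716 to one-line conversion on a real key file.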
That was a dummy key generated for this example. It is also the public key, which can be public, right? The private key (id_dsa) resides on the client initiating the conversation and should always be kept private.
If I believed in the support fairy, I probably would :slight_smile:
However, ‘ssh-keygen -t dsa’ and import with ROS 2.9.30 didn’t work using the aforementioned releases of FreeBSD and Fedora, but a key generated just as you suggest using Centos 4.3 will import using WinBox.
Therefore, perhaps ROS 2.9.30 doesn’t seem to support keys generated by FC5 (openssh.i386 4.3p2-4 installed).
There may be a switch setting or something else I missed.
FC5 also wants the permissions on the keys set to 600 whereas Centos 4.3 will run with the keys as generated with permission of 640 on id_dsa.pub.
YMMV. Mine wasn’t very high
THANKS for a great wiki article and for contributing to the MikroTik community.