As in the subject: everybody will sleep better if support for Ed25519 keys becomes available in ROS7 (or 6!)
agree, +1
+1 add support for Ed25519.
+1 we need this!!!
OK, could you please hint at what I am doing wrong?
[cypa@hAP.k16] > user ssh-keys import public-key-file=id_ed25519.pub
unable to load key file (wrong format?) !
[cypa@hAP.k16] > system resource print
uptime: 56m26s
version: 6.46.4 (stable)
build-time: Feb/21/2020 11:26:37
factory-software: 6.34.2
free-memory: 6.4MiB
total-memory: 32.0MiB
cpu: MIPS 24Kc V7.4
cpu-count: 1
cpu-frequency: 650MHz
cpu-load: 7%
free-hdd-space: 7.7MiB
total-hdd-space: 16.0MiB
write-sect-since-reboot: 115
write-sect-total: 30299
bad-blocks: 0%
architecture-name: smips
board-name: hAP lite
platform: MikroTik
[cypa@hAP.k16] >
Nothing wrong, ed25519 is not supported.
In 7.1beta2 the wireguard protocol was added. It uses ed25519 as one of its algorithms. Maybe it is possible to add ssh support for this algo too?
+1 It would be great if RouterOS supported ssh Ed25519 keys
wireguard and ssh don’t necessarily share encryption libraries, so support for certain key types in one of these services doesn’t mean support for the same key type in the other service. However, the trend in IT is to re-use things, and hopefully wireguard and ssh will share an encryption library … not only to provide the same level of support for key types but to reduce the size of the install as well.
Please! I’m deploying cert based auth and this is needed.
Hi,
I’d like to use Ed25519 SSH keys, too. I do not use any other key formats anymore.
Please add it!
6.49.1 here and still no support for ed25519 keys. As I can no longer use sha-1 RSA keys, I would like to use the currently most secure format and not manage so many different keys just because a vendor refuses to update security to the best practices.
Can we get ed25519 support in v6 please??
Edit: I can’t even get ecdsa to import, sigh.
Edit 2: workaround for now is to use rsa-sha2-256, which is still not as secure as ed25519 but it’s the best that RouterOS v6 currently supports. To generate this key using openssh:
$ ssh-keygen -t rsa-sha2-256
I’m still going to be maintaining this weaker key for RouterOS only, and an ed25519 key for everything else.
I have a support/feature ticket on that topic (SUP-61929). Answer from MikroTik:
Thank you for your feedback. We will consider adding this feature in the future.
That’s better than ‘No’ I guess… So go and place your own issue…
Done, SUP-67007.
Did they offer a timeline?
I only know the start of the first request and that was more than 5 years ago.
Timeline? Currently we do not know whether or not we will see this any time soon or at all.
So if you want this… Open your own issue to make MikroTik aware of the interest.
It seems we first need support for modern signature algorithms (rsa-sha2-256/512, ssh-ed25519, ecdsa-sha2-nistp256/384/521).
With the release of OpenSSH 9.0, ssh-rsa is officially deprecated and disabled by default, which seems to be the only supported algorithm in RouterOS 6+7 (next to ssh-dss, also deprecated).
Connecting to the router using an rsa key now fails, and adding an exception to allow ssh-rsa again on every machine running openssh 9.0+ is not an option.
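For the failed `id_ed25519.pub` import earlier in the thread, a pre-flight check can read the key type out of a `.pub` file before it is uploaded. This is an added example, not part of the thread and not MikroTik code; the set of importable types is an assumption taken from what posters here report (`ssh-rsa`, `ssh-dss`), and the sample keys are constructed from dummy bytes.

```python
import base64
import struct

# Key types the posters in this thread report RouterOS accepting; an
# assumption taken from the thread, not from MikroTik documentation.
REPORTED_IMPORTABLE = {"ssh-rsa", "ssh-dss"}

def read_string(blob, pos):
    """Read one RFC 4251 string: uint32 big-endian length, then the bytes."""
    if pos + 4 > len(blob):
        raise ValueError("truncated length field")
    (size,) = struct.unpack(">I", blob[pos:pos + 4])
    if pos + 4 + size > len(blob):
        raise ValueError("truncated field body")
    return blob[pos + 4:pos + 4 + size], pos + 4 + size

def inspect_pubkey(line):
    """Parse '<type> <base64> [comment]' and return (key_type, size_bits)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    raw_type, pos = read_string(blob, 0)
    key_type = raw_type.decode("ascii")
    if key_type != fields[0]:
        raise ValueError("type prefix does not match the encoded key type")
    bits = None
    if key_type == "ssh-rsa":            # fields: exponent e, modulus n
        _, pos = read_string(blob, pos)
        n, pos = read_string(blob, pos)
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type == "ssh-ed25519":      # field: 32-byte public key
        pk, pos = read_string(blob, pos)
        bits = len(pk) * 8
    return key_type, bits

def reported_importable(line):
    return inspect_pubkey(line)[0] in REPORTED_IMPORTABLE

def constructed_line(key_type, *parts):
    """Build a syntactically valid .pub line from dummy bytes (not a real key)."""
    blob = b"".join(struct.pack(">I", len(p)) + p
                    for p in (key_type.encode(),) + parts)
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"

# Constructed sample lines (dummy bytes, not real keys).
ED25519_LINE = constructed_line("ssh-ed25519", bytes(range(32)))
RSA_LINE = constructed_line("ssh-rsa", b"\x01\x00\x01", b"\x00\xc3" + b"\x01" * 255)
```

An RSA key's file always carries the type `ssh-rsa`; whether a login signs with SHA-1 (`ssh-rsa`) or SHA-2 (`rsa-sha2-256`/`rsa-sha2-512`) is negotiated per connection (RFC 8332), so this check says nothing about which signature algorithms a server accepts.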