Hello Mikrotik,
I’ve been trying to run scripts on Mikrotik in a secure manner (See my post here).
What I mean by secure manner is: Allow any anonymous/very low permissioned user to run a script that could do higher level things like reboot/modify config.
This is analogous to how CGI/PHP scripts are executed on a webserver, where anonymous users can request script execution and a higher-level process will execute it and return results.
The issue I'm trying to solve is establishing trust boundaries where Mikrotik should not have to trust an external server/NIX box by giving it SSH access with read/write permissions. Mikrotik should be a self-contained secure unit - this reduces the number of different places we need to worry about security.
In the post above, use of SNMP was suggested. While this seems possible, we get into similar types of security holes:
- We have to enable SNMP write access to the internet. This is very hard to manage.
- Today, OIDs that allow write are limited, so we may blacklist them; however, in future versions, if new OIDs are added with write, then we have a hole.
- A possible way could be whitelisted OIDs for SNMP write.
Could you please comment on the above possibilities?
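As an added example (not from the original post) of how the SNMP write exposure in the first bullet can be contained on RouterOS today, without OID whitelisting: an SNMPv3 community with write access is bound to a single management host and the input firewall only admits UDP/161 from that host. The community name, the 192.0.2.10 management address, the LAN address range and the passwords are assumed placeholders.

```routeros
# Constructed example: SNMP write restricted to one management host, SNMPv3 only.
# Remove the default "public" community so no read-only, unauthenticated access remains.
/snmp community remove [find name="public"]

# Write-capable community: authenticated and encrypted (SNMPv3 "private" security),
# and only answered when the request comes from the management host.
/snmp community add name=mgmt-rw addresses=192.0.2.10/32 \
    read-access=yes write-access=yes security=private \
    authentication-protocol=SHA1 authentication-password=CHANGE-ME-auth \
    encryption-protocol=AES encryption-password=CHANGE-ME-priv

/snmp set enabled=yes

# Defence in depth: drop SNMP from anywhere else before it reaches the SNMP service.
/ip firewall filter add chain=input protocol=udp dst-port=161 \
    src-address=192.0.2.10 action=accept comment="SNMP from management host only"
/ip firewall filter add chain=input protocol=udp dst-port=161 \
    action=drop comment="drop all other SNMP"
```

This limits who can reach the write path, not which OIDs are writable, so a new writable OID in a future release is still reachable from the management host; treat that host as inside the trust boundary.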