How do you use ssh agent forwarding on the routeros ssh client?

Hi all,

I have routerboard B, that I need to ssh to via routerboard A. All user accounts are protected by SSH keys.

I am struggling to get ssh agent forwarding to work. When I log into routerboard A I can log in successfully, but when I log into routerboard B I am asked for a password, when I should log in automatically using agent forwarding.

The AllowAgentForwarding option on the sshd server makes this happen. How do I switch this on?

Regards,
Graham

It is not an option.

The options are:

/ip ssh set                    
Change properties of one or several items.

always-allow-password-login -- allow password login when public key authorization is configured
forwarding-enabled -- allows clients to connect to remote ports from server
host-key-size -- RSA key size when host key ir regenarated
strong-crypto -- use stronger encryption, HMAC algorithms, use bigger DH primes and disallow weaker ones

I suppose you could port forward to the second router and connect to it directly from your workstation on the non-standard port, but that may not be allowed due to management policy.

How do I get this supported by Mikrotik?

We have a strict no password policy, and the inability to forward keys makes it difficult for us to enforce that policy.

Use SSH ProxyCommand to set up SSH login to hosts that are behind the other SSH host.

Unfortunately port forwarding (whether using the command line or config) only allows you to jump one step past a mikrotik, and is therefore not useful in a secure environment.

Can you confirm when SSH agent forwarding will be supported?

If you don’t want to wait, VPNs, with as much crypto as SSH, are available now. I have run VPNs inside VPNs to get inside multiple layers of firewalls.

This is also important to me. Since shifting to 100% keys this has made it very, very difficult to work with some VPN-connected devices.

It allows you to use your local SSH keys instead of leaving keys without passphrases sitting on your server.

You can use your Mikrotik devices as a Jumphost. Just search for this keyword for details.

Example for openssh command line client:

ssh -J Mikrotik-A Mikrotik-B

You can use a chain with more than one jumphost.
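
The jump host approach above written as a persistent OpenSSH client configuration (an added example, not part of the original post): each hop is authenticated from the workstation, so the private key and agent never leave it and agent forwarding stays off. The addresses, user name, key path and the third host Mikrotik-C are constructed placeholders, and it is assumed that the jump router permits TCP forwarding (the forwarding-enabled setting listed earlier in the thread).

```sshconfig
# ~/.ssh/config on the workstation (OpenSSH client).
# Addresses, user name and key path below are constructed placeholders.

# First hop: reachable directly from the workstation.
Host Mikrotik-A
    HostName 192.0.2.1
    User admin
    IdentityFile ~/.ssh/routeros_key
    # Offer only this key, not every key loaded in the agent.
    IdentitiesOnly yes
    # The agent is never exposed to the router.
    ForwardAgent no

# Second hop: HostName is the address as seen from Mikrotik-A.
# The session to B is tunnelled through A, but key authentication
# to B is still performed by the workstation's own ssh client.
Host Mikrotik-B
    HostName 198.51.100.2
    User admin
    IdentityFile ~/.ssh/routeros_key
    IdentitiesOnly yes
    ForwardAgent no
    ProxyJump Mikrotik-A

# Hypothetical third router behind Mikrotik-B, showing a chain.
# ProxyJump resolves recursively: C goes via B, and B goes via A.
Host Mikrotik-C
    HostName 203.0.113.3
    User admin
    IdentityFile ~/.ssh/routeros_key
    IdentitiesOnly yes
    ForwardAgent no
    ProxyJump Mikrotik-B
```

With this in place, ssh Mikrotik-B behaves like ssh -J Mikrotik-A Mikrotik-B, and ssh -G Mikrotik-B prints the resolved options without connecting.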

Let’s configure and test SSH forwarding using github as remote service to pull our code into the host MyBKExperience.