How do I check Mikrotik’s SSH keys fingerprint in the RouterOS CLI?
I would also like to know, as atm I have an SSH warning when connecting to Mikrotiks, which I updated to 6.42.7.
“WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!”.
But I cannot really find it, and Google has not been helpful so far.
I even tried to regenerate a new one on the MK, but it also doesn’t print out the fingerprint.
Probably I would have to export them and calculate the fingerprint…
Would be really great if fingerprint of internal ssh key is viewable.
So far in the last 10 years using Mikrotiks I’ve always been positive about which device I was connecting to. Therefore I’ve never bothered to check the fingerprint. Today for the first time I’m going through another company’s network rather than our own and I’m not 100% sure if I’m reaching our device or one of theirs. After checking for the last 25 minutes every possible menu option I’ve been unable to view the fingerprint. Short of exporting and downloading over a different connection, is there any other way to view the fingerprint to compare it to the one the terminal is throwing upon connection? Device is in a remote location and I’m not loving the idea of downloading the keys…
I wasn’t able to find it either and I guess this would also help the security a lot, so I am voting for an option to print out the fingerprint of the current host key
thanks
You should ALWAYS check the fingerprint of the host before logging in via SSH; you never know if there is currently a MITM attack going on. After the first login, your SSH client can do the fingerprint check automatically and warn you if it ever changes (if it changes, something suspicious is going on).
I don’t know about the security mechanisms in Winbox itself. Probably it’s best if you connect only your Winbox machine and your router, and disconnect all other network interfaces.
So this is how I did it:
Winbox->New Terminal
/ip ssh set strong-crypto=yes
/ip ssh export-host-key
use key-file-prefix: test
Winbox->Files
download the test_rsa.pub to your Desktop (like C:\Users\test-user\Desktop)
then delete the test_* files (test_dsa, test_dsa.pub, test_rsa, test_rsa.pub)
Debian on Windows
apt-get install openssh-client
ssh-keygen -f /mnt/c/Users/test-user/Desktop/test_rsa.pub -i -m PKCS8 | ssh-keygen -l -f - -E md5
The first ssh-keygen command converts the test_rsa.pub to PKCS8-Format which we pipe to ssh-keygen to show us the fingerprint.
I used Debian on Windows (https://wiki.debian.org/InstallingDebianOn/Microsoft/Windows/SubsystemForLinux); you could also copy the file to a real Debian or another Linux (probably there is also some ssh-keygen version for Windows available, however I use Debian on Windows).
Then you’ll get the MD5-style fingerprint which you use to verify that your PuTTY really connects to the wanted SSH host.
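The fingerprint calculation from the post above, as an added example that is not part of the original thread: it takes the one-line OpenSSH public key that the first `ssh-keygen -i -m PKCS8` step prints, and goes beyond the post by also producing the SHA256 form that current OpenSSH clients show by default. The function names and the sample key (a constructed toy key, not from any router) are assumptions.

```python
import base64
import hashlib
import struct

# Constructed sample, not a real key: ssh-rsa blob with e=65537 and a toy 32-bit modulus.
SAMPLE_LINE = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAABQDDWnsR constructed-sample"

def parse_blob(line):
    """Decode the base64 field and split the SSH wire blob into length-prefixed fields."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + length])
        pos += length
    if not fields or fields[0] != key_type.encode():
        raise ValueError("key type inside the blob does not match the line prefix")
    return blob, fields

def fingerprints(line):
    """Hash the whole blob, as ssh-keygen -l does: MD5 as colon hex, SHA256 as unpadded base64."""
    blob, fields = parse_blob(line)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    # For ssh-rsa the fields are: type, public exponent e, modulus n.
    is_rsa = fields[0] == b"ssh-rsa" and len(fields) == 3
    bits = int.from_bytes(fields[2], "big").bit_length() if is_rsa else None
    return {"bits": bits,
            "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}

def matches(line, shown):
    """True if the fingerprint the SSH client displayed belongs to the exported key."""
    fp = fingerprints(line)
    shown = shown.strip()
    if shown.upper().startswith("SHA256:"):
        return shown[7:].rstrip("=") == fp["sha256"][7:]
    if shown.upper().startswith("MD5:"):
        shown = shown[4:]
    return shown.lower() == fp["md5"]

if __name__ == "__main__":
    print(fingerprints(SAMPLE_LINE))
```

Pass `matches()` the converted key line and the fingerprint string copied from the client's host key prompt; a `False` result means the key presented on the wire is not the one exported from the router.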