Importing private SSH keys fails

Hi,

I want to connect to a linux (debian) server to run a command there. The connection has to be initiated in a script on the Mikrotik (RouterOS v6.45.1) router. Thus, I need ssh-exec and have to use keys to ssh into the server. As far as I understood, I need to generate private and public keys on my destination host and import them (or only the private one?) to the client (Mikrotik) where I want to initiate the connection from. However, I can’t import the keys in the first place. I have enabled strong-crypto using

/ip ssh set strong-crypto=yes

And for the keys:

user@server:~/.ssh$ ssh-keygen -t rsa -f server

For the passphrase I just hit enter. Then, I appended the key to the locally authorized:

user@server:~/.ssh$ cat server.pub >> authorized_keys

and copied the files to the router:

user@server:~/.ssh$ scp server* admin@router:/flash/

Then, I sshed into the router and tried to import the keys:

user@server:~/.ssh$ ssh admin@router
[admin@router] > /user ssh-keys private import user="admin" public-key-file=flash/server.pub private-key-file=flash/server passphrase=""
unable to load key file (incorrect passphrase?)!

Using /flash/ instead of flash/ results in

input does not match any value of private-key-file

The server-file has the format

-----BEGIN OPENSSH PRIVATE KEY-----
key....
-----END OPENSSH PRIVATE KEY-----

and the server.pub looks like

ssh-rsa AAA......hd6 user@server

What am I doing wrong? I also tried to leave out the passphrase and just hit enter when asked on import. Also generating keys with a passphrase and entering it does not work. I also tried to generate the keys with puttygen, this gives me a (wrong format) error. I also modified the keys according to http://forum.mikrotik.com/t/rsa-key-support-in-ssh/44190/1, but with the same results.

Can someone tell me the steps to properly import the keys? Am I on the right path, anyway? Because according to http://www.linuxproblem.org/art_9.html, it seems like I'm interchanging the roles of router (A) and server (B). However, following https://wiki.mikrotik.com/wiki/Use_SSH_to_execute_commands_(DSA_key_login)#RouterOS_to_RouterOS is my approach above, isn't it? Basically, it's like in http://forum.mikrotik.com/t/ssh-mikrotik-to-mikrotik/114950/1 but from RouterOS to host, not RouterOS to RouterOS.

Thanks a lot
Johannes


PS: When I add the server.pub in System → Users → SSH keys, I can log in from the server to the router without a password by

user@server:~/.ssh$ ssh -i server admin@router

But I need it the other way round.

Try to generate your key in PEM format:

ssh-keygen -t rsa -m PEM ..

We do it like this:

:global SUPPORTPUB "ssh-rsa RSAkeygoeshere support@mycompany.net";
:global SECCFG do={
    :global SUPPORTPUB;
    # write the public key into a file on the router, then import it for the user
    /file {print file=supportpub.txt; :delay 2; set supportpub.txt contents=$SUPPORTPUB};
    /user {
        remove [find name=YOURNAME];
        add name=YOURNAME password="YOURPASSWORD" group=full;
        ssh-keys import public-key-file=supportpub.txt user=YOURNAME
    };
    /file remove [find name=supportpub.txt];
    /ip {
        ssh set strong-crypto=yes;
        service {
            set ssh port=YOURPORT;
            # disable every service except ssh
            set [find name!="ssh"] disabled=yes
        }
    }
};
$SECCFG;
/system script environment remove [find name~""]

That does not help. This topic is about private ssh keys.

I’m having exactly the same problem importing private keys for SSH


ssh-keygen -t rsa -b 2048 -f mikrotik_rsa -v -C "Mikrotik Key"
Generating public/private rsa key pair.
mikrotik_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in mikrotik_rsa.
Your public key has been saved in mikrotik_rsa.pub.
The key fingerprint is:
SHA256:4WXp/Zljv2unvg9AvZRGywNkKgB4Pq0X1dkkrMlbZEo Mikrotik Key
The key's randomart image is:
+---[RSA 2048]----+
|   ....  o.== .  |
|  . .  .E *=.= o |
|   o . +o*= . O  |
|    o o.=*.o o o |
|     o .So. o .  |
|    . . .    o o |
|     .        B  |
|             . =.|
|             .=**|
+----[SHA256]-----+

Move the public & private key to the router…


import user=aremoteuser passphrase="" public-key-file=mikrotik_rsa.pub private-key-file=mikrotik_rsa

unable to load key file (incorrect passphrase?) !

Trying without the passphrase="" or without the quotes (i.e. passphrase=) gives the same response.
Also the same if I add a passphrase to the cert.

Basically, there is no way to upload private keys :frowning:

Using routerOS 6.34.3

Please help!

Maybe try something a little less outdated? This is with 6.45.3:

[sob@CHR2] > /user ssh-keys private import user=sob private-key-file=mikrotik_rsa public-key-file=mikrotik_rsa.pub
passphrase:
[sob@CHR2] > /user ssh-keys private print
Flags: R - RSA, D - DSA
 #   USER                       BITS KEY-OWNER
 0 R sob                        2048 Mikrotik Key

Thanks a lot eworm, generating the keys by

user@server:~/.ssh$ ssh-keygen -t rsa -m PEM -f server

did the trick!
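
The two replies above (generate the key with `-m PEM`) and the error reported at the top of the thread both come down to the container the private key file is written in: RouterOS v6 loads the classic PEM container (`-----BEGIN RSA PRIVATE KEY-----`) but fails on the newer `openssh-key-v1` container with the misleading "incorrect passphrase?" message. The following script is an added example, not code from the thread or from MikroTik; it inspects a key file, decodes the `openssh-key-v1` header far enough to report the key type and whether the key is passphrase-protected, and says whether RouterOS v6 will import it. The function and constant names are my own, the sample keys are constructed filler that only exercises the parser (they are not usable keys), and treating DSA-in-PEM as importable is an assumption based on the "D - DSA" flag in `/user ssh-keys print`.

```python
"""
Report the on-disk format of an SSH private key before copying it to a
RouterOS v6 router.  Added example for the thread, not MikroTik code.
"""
import base64
import struct
import sys
from typing import Dict, Tuple

OPENSSH_MAGIC = b"openssh-key-v1\x00"

# Import outcome per format as reported in the thread.  pem-dsa is an
# assumption based on the "D - DSA" flag shown by /user ssh-keys print.
ROUTEROS_V6_ACCEPTS = {
    "pem-rsa": True,
    "pem-dsa": True,
    "openssh-v1": False,   # "unable to load key file (incorrect passphrase?)"
    "putty-ppk": False,    # "wrong format"
}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (big-endian uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Decode an SSH wire 'string' at offset off; return (value, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + n], off + n


def inspect_private_key(text: str) -> Dict[str, object]:
    """Classify a private key file by its PEM header and container contents."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        raw = base64.b64decode("".join(lines[1:-1]))
        if not raw.startswith(OPENSSH_MAGIC):
            raise ValueError("OpenSSH header but no openssh-key-v1 magic")
        # Container layout: magic, string cipher, string kdf, string kdfoptions,
        # uint32 nkeys, string publickey, string (possibly encrypted) private section.
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(raw, off)
        kdf, off = _read_string(raw, off)
        _kdf_options, off = _read_string(raw, off)
        (nkeys,) = struct.unpack(">I", raw[off:off + 4])
        off += 4
        pub_blob, off = _read_string(raw, off)
        key_type, _ = _read_string(pub_blob, 0)   # first field of the public blob
        fmt = "openssh-v1"
        info: Dict[str, object] = {
            "key_type": key_type.decode(),
            "encrypted": cipher != b"none",       # "none" means no passphrase
            "kdf": kdf.decode(),
            "keys": nkeys,
        }
    elif header in ("-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN DSA PRIVATE KEY-----"):
        fmt = "pem-rsa" if "RSA" in header else "pem-dsa"
        # Classic PEM marks passphrase protection with a Proc-Type header.
        encrypted = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        info = {"key_type": "ssh-rsa" if fmt == "pem-rsa" else "ssh-dss", "encrypted": encrypted}
    elif header.startswith("PuTTY-User-Key-File-"):
        fmt, info = "putty-ppk", {}
    else:
        raise ValueError(f"unrecognised private key header: {header!r}")
    info["format"] = fmt
    info["routeros_v6_import"] = ROUTEROS_V6_ACCEPTS[fmt]
    return info


def _build_openssh_v1_sample() -> str:
    """Constructed, unencrypted openssh-key-v1 file with one toy ssh-rsa key (not usable)."""
    pub_blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00\xc3\x5b\x7d")
    priv_blob = b"\x11\x22\x33\x44" * 2 + _ssh_string(b"ssh-rsa") + _ssh_string(b"toy comment")
    raw = (OPENSSH_MAGIC + _ssh_string(b"none") + _ssh_string(b"none") + _ssh_string(b"")
           + struct.pack(">I", 1) + _ssh_string(pub_blob) + _ssh_string(priv_blob))
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_OPENSSH = _build_openssh_v1_sample()

# Constructed PEM samples: the base64 body is filler, not a real key.
SAMPLE_PEM_RSA = """-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAfiller
-----END RSA PRIVATE KEY-----
"""
SAMPLE_PEM_RSA_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

MIIEowIBAAKCAQEAfiller
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Usage: python keyformat.py [path-to-private-key]; without a path, inspect the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(inspect_private_key(fh.read()))
    else:
        for name, sample in (("openssh-v1", SAMPLE_OPENSSH), ("pem", SAMPLE_PEM_RSA),
                             ("pem-encrypted", SAMPLE_PEM_RSA_ENCRYPTED)):
            print(name, inspect_private_key(sample))
```

If the script reports `openssh-v1`, there is no need to regenerate the key pair: `ssh-keygen -p -m PEM -f server` rewrites the existing private key in place in the PEM container (add `-N ''` to keep it passphrase-less), and the `.pub` file is unaffected.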

Thanks jojoHa / eworm, that got the keys uploaded OK

I’m still having an issue though, and cannot get router to router communication…

Router A: ROS v6.45.2

/user ssh-keys print
Flags: R - RSA, D - DSA 
 #   USER                       BITS KEY-OWNER                                                                                           
 0 R routercomms                4096 Mikrotik Key - 4096 RSA
 
 /user ssh-keys private print
Flags: R - RSA, D - DSA 
 #   USER                       BITS KEY-OWNER                                                                                           
 0 R routercomms                4096 Mikrotik Key - 4096 RSA
 
 /ip ssh print
  forwarding-enabled: no
  always-allow-password-login: no
  strong-crypto: no
  allow-none-crypto: no
  host-key-size: 4096
  
/system ssh 172.18.0.1 user=routercomms                  
can't agree on KEX algorithms

Welcome back!

Router B: ROS v6.45.3

 /user ssh-keys print                                                                
Flags: R - RSA, D - DSA 
 #   USER                       BITS KEY-OWNER                                                                     
 0 R routercomms                4096 Mikrotik Key - 4096 RS
 
 /user ssh-keys private print
Flags: R - RSA, D - DSA 
 #   USER                       BITS KEY-OWNER                                                                     
 0 R routercomms                4096 Mikrotik Key - 4096 RSA  
 
 /ip ssh print               
  forwarding-enabled: no
  always-allow-password-login: no
  strong-crypto: no
  allow-none-crypto: no
  host-key-size: 4096

/system ssh 172.17.0.1 user=routercomms 
password:

I have tried using the the same and different pub/priv pair on both routers, I have tried 2048 & 4096 key lengths, I can SSH in with no issue using these keys from a unix SSH command, I have tried dropping back to DSA rather than RSA.

It would appear that when trying to connect the router isn’t using the private key to communicate (one way), then has the KEX issue the other way.

Any thoughts?

Hmmm,

So I think I’ve found the issue… basically, the script ignores the user param when executing…

For the script…

[routercomms@router] /system script> print from=routercommstest
Flags: I - invalid
 0   name="routercommstest" owner="auser" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon dont-require-permissions=no last-started=aug/20/2019 13:38:45 run-count=62
     source=
       :local Status ([/system ssh-exec user=routercomms address=172.18.0.1 command=":put ([/interface ethernet monitor [find where name=ether2] once as-value]->\"status\")" as-value]->"output")
       :log info $Status

Gets these results…


[auser@router] > /system script run routercommstest
failure: authentication failure

vs

[routercomms@router] > /system script run routercommstest
(Works as expected)

So to make scripts work on target machines, I need to be logged in as the ‘routercomms’ user to execute the script successfully, or set it up as a scheduled script, on the source router.

This is a PITA, especially when you want to protect the ‘routercomms’ account with a difficult password, and not share the private key.

Note that keys are added for a specific account…

Yeah, I get that - but why have the option to specify a user in the SSH command, if it’ll only use the keys from the executing user - it appears a pointless feature in that case.

It's the user being connected to on the remote system.

Thanks, it did work for me too!

Only question is why the Mikrotik official wiki https://wiki.mikrotik.com/wiki/Use_SSH_to_execute_commands_(public/private_key_login) says only "ssh-keygen -t rsa" and does not talk about "-m PEM". Maybe Mikrotik can add that information to the wiki?

Thanks!

… because this used to work as documented, but at some point the default format was changed by openssh.

thank you very much …
bookmarked this post :confused:
… quite the hassle

It’s surreal that in 2024 I have to use rsa keys and legacy key formats.
Especially seeing as how all ssh-related libraries are open-sourced.