Is Wiki correct on "Use SSH to execute commands"?

MikroTik firmware version is 6.48.6 (long-term)
Trying to achieve passwordless access via ssh, following the 3 steps from https://wiki.mikrotik.com/wiki/Use_SSH_to_execute_commands_(public/private_key_login)#Host_to_RouterOS

First I tried with a dedicated user and failed, then tried with the default admin and failed. Here for simplicity let's talk about admin.

Issues:

  • Can’t access passwordlessly with

ssh -i ~/.ssh/to_MikroTik admin@192.168.88.1

having installed the “to_MikroTik.pub” key;


  • Can’t access with password via

ssh admin@192.168.88.1

either: “Permission denied, please try again.” I copy the password from a password manager, no typos, but ssh doesn’t let me in, whereas I can access via webfig, delete the ssh key at

System → Users → SSH Keys

and then I can again

ssh admin@192.168.88.1

with password.

Commands:

ssh-keygen -t rsa -m PEM -f ~/.ssh/to_MikroTik

http://man.openbsd.org/ssh-keygen says uppercase “PEM”, not lowercase “pem” as MikroTik Wiki says.
Double Enter for empty passphrase.

cd ~/.ssh/
ftp 192.168.88.1
put to_MikroTik.pub
^D
ssh admin@192.168.88.1
user ssh-keys import public-key-file=to_MikroTik.pub
^D

Wiki has it:

user: admin-ssh

It looks like a prompt is to be displayed; I get nothing like this, even with another user pre-created.

If I understand it right, I should be able to passwordlessly ssh into MikroTik with:

ssh -i ~/.ssh/to_MikroTik admin@192.168.88.1

or passwordlessly execute commands e.g. see leases with:

ssh -i ~/.ssh/to_MikroTik admin@192.168.88.1 ip dhcp-server lease print

but it doesn’t happen.
So, what is the way to make it happen?


Also, Wiki:

3) Now from either Winbox or terminal mode you need to import the key.

Why isn’t webfig mentioned?

After you import an SSH key, the default setting is that password logins for that user are disabled. You can enable them (so you have both passwordless and password login) by executing

/ip ssh set always-allow-password-login=yes

I don’t know why your public key doesn’t work. I just tried (my router runs 6.49.6 but I don’t think it should make any difference) by executing this sequence of commands:

ssh-keygen -t rsa -f toMikrotik
# double enter
scp toMikrotik.pub <privileged-user>@<router>:

ssh <privileged-user>@<router>
/user ssh-keys import user=<non-privileged-user> public-key-file=toMikrotik.pub
/quit

ssh -i toMikrotik <non-privileged-user>@<router>
# got logged in without typing password

I’m using Debian buster which comes with openssh-client version 7.9p1 … and ssh-keygen creates the public key file in a format accepted by ROS without any additional parameter (i.e. -m).
Note that I used scp to transfer the file to the router instead of ftp; this might (or might not) make a difference.

Solved.

http://forum.mikrotik.com/t/send-pubkey-test-no-mutual-signature-algorithm/157739/4

cat ~/.ssh/config
Match host 192.168.88.1
  PubkeyAcceptedAlgorithms +ssh-rsa

Now it works.

And no -m PEM is needed on OpenBSD, even though http://man.openbsd.org/ssh-keygen#m says:

By default OpenSSH will write newly-generated private keys in its own format

and https://wiki.mikrotik.com/wiki/Use_SSH_to_execute_commands_(public/private_key_login)#Host_to_RouterOS says:

Warning: If ssh-keygen generates key in openssh format, then add “-m pem” to generate key in PEM format, otherwise you will not be able to import it in ROS!

They may have meant public key, not private one, but they don’t clarify it.
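The fix in this post works because OpenSSH 8.8 and later refuse the ssh-rsa (SHA-1) signature scheme by default, so an RSA key that the router imported fine is never offered once the server provides no rsa-sha2-256/512 alternative: the client logs "no mutual signature algorithm" and falls back to password, which the key import had just disabled. The Python below is an added example, not MikroTik's or OpenSSH's code. It parses the public key line in OpenSSH wire format (catching a file mangled in transfer), recognises the symptom in ssh -v output, emits a client config stanza that re-enables ssh-rsa for the router's host only rather than globally, and audits an existing ssh_config for a global exception. The sample key, the ssh -v lines, and the assumption that RouterOS 6.x imports RSA keys only are constructed or assumed here, not taken from the thread.

```python
"""Added example (not MikroTik's or OpenSSH's code): diagnose an RSA key that the
router imported but a modern OpenSSH client will not use, and produce a
host-scoped client config instead of a global ssh-rsa exception.
Constructed/assumed here: the sample key, the ssh -v excerpt, and the
assumption that RouterOS 6.x imports RSA keys only."""
import base64
import re
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length prefix, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire-format mpint for a positive integer (leading 0x00 if the high bit is set)."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, off: int):
    """Read one wire-format string at `off`; return (bytes, offset after it)."""
    (length,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + length], off + 4 + length


def encode_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an authorized_keys-style 'ssh-rsa <base64 blob> <comment>' line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def inspect_pubkey_line(line: str) -> dict:
    """Parse a public key line: declared type, type inside the blob, RSA modulus size."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    declared, blob = fields[0], base64.b64decode(fields[1])
    blob_type, off = _read_string(blob, 0)
    info = {"declared": declared, "blob_type": blob_type.decode(),
            "consistent": declared == blob_type.decode()}
    if blob_type == b"ssh-rsa":
        _e, off = _read_string(blob, off)       # public exponent, not needed here
        n_bytes, _ = _read_string(blob, off)    # modulus
        info["modulus_bits"] = int.from_bytes(n_bytes, "big").bit_length()
    return info


# Symptom an OpenSSH >= 8.8 client logs under -v when its only usable key is RSA
# and the two sides cannot agree on an RSA signature scheme.
NO_MUTUAL = re.compile(r"send_pubkey_test: no mutual signature algorithm")


def diagnose(key_line: str, ssh_v_output: str) -> str:
    """Classify why key login falls back to password; returns a short verdict."""
    info = inspect_pubkey_line(key_line)
    if not info["consistent"]:
        return "corrupt-key"                    # file altered on the way to the router; re-copy it
    if info["blob_type"] != "ssh-rsa":
        return "unsupported-key-type"           # assumption: RouterOS 6.x imports RSA keys only
    if NO_MUTUAL.search(ssh_v_output):
        return "ssh-rsa-disabled-on-client"     # the thread's case: fix on the client, per host
    return "other"


def client_config_stanza(host: str, identity_file: str) -> str:
    """ssh_config stanza that re-enables ssh-rsa for this router only and offers only its key."""
    return (f"Host {host}\n"
            f"  IdentityFile {identity_file}\n"
            f"  IdentitiesOnly yes\n"
            f"  PubkeyAcceptedAlgorithms +ssh-rsa\n")


def ssh_rsa_scope(config_text: str) -> list:
    """Host/Match scopes in which an ssh_config re-enables ssh-rsa; '*' means global."""
    scope, scopes = "*", []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key in ("host", "match"):
            scope = value
        elif key == "pubkeyacceptedalgorithms" and not value.startswith("-"):
            if "ssh-rsa" in value.lstrip("+^").split(","):
                scopes.append(scope)
    return scopes


# Constructed sample: a 2048-bit odd number stands in for a real modulus (only the
# wire format is exercised, no cryptography), with the thread's key comment.
SAMPLE_N = (1 << 2047) | (1 << 1000) | 1
SAMPLE_KEY_LINE = encode_rsa_pubkey_line(65537, SAMPLE_N, "to_MikroTik")

# Constructed ssh -v excerpt, modelled on the symptom named in the linked thread.
SAMPLE_SSH_V = """\
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/to_MikroTik RSA SHA256:CONSTRUCTED-FINGERPRINT explicit
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Next authentication method: password
"""

if __name__ == "__main__":
    print(inspect_pubkey_line(SAMPLE_KEY_LINE))
    print(diagnose(SAMPLE_KEY_LINE, SAMPLE_SSH_V))
    print(client_config_stanza("192.168.88.1", "~/.ssh/to_MikroTik"), end="")
```

The `Match host 192.168.88.1` form used in this post and the `Host 192.168.88.1` form the script emits are equivalent for this purpose; what matters is that the ssh-rsa exception is scoped to the router and not placed at the top of `~/.ssh/config`, because it re-admits SHA-1 signatures for every host it covers. `IdentitiesOnly yes` keeps the client from offering every agent key before the intended one. Run `ssh_rsa_scope()` over your real config to confirm the only scope listed is the router.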


@mkx thanks for your reply and for clarifying that password access is disabled once a key has been added. Even though ssh with -v still says:

debug1: Authentications that can continue: publickey,password

Confusing, IMHO


In some projects, devs and maintainers monitor project forum and fix the code and docs when issues arise. Do MikroTik devs do so?
The solution was posted almost 2 months ago http://forum.mikrotik.com/t/send-pubkey-test-no-mutual-signature-algorithm/157739/4 with no impact on the docs.
I have filed a ticket with support asking to add

PubkeyAcceptedAlgorithms +ssh-rsa

to the Wiki (and https://help.mikrotik.com/docs/display/ROS/SSH).