Solved.
http://forum.mikrotik.com/t/send-pubkey-test-no-mutual-signature-algorithm/157739/4
cat ~/.ssh/config
Match host 192.168.88.1
PubkeyAcceptedAlgorithms +ssh-rsa
Now it works.
And no -m PEM is needed on OpenBSD, even though http://man.openbsd.org/ssh-keygen#m says:
By default OpenSSH will write newly-generated private keys in its own format
Warning: If ssh-keygen generates key in openssh format, then add “-m pem” to generate key in PEM format, otherwise you will not be able to import it in ROS!
They may have meant public key, not private one, but they don’t clarify it.
@mkx thanks for your reply and clarifying disabled password access when key has been added. Even though ssh with -v still says:
debug1: Authentications that can continue: publickey,password
Confusing, IMHO
In some projects, devs and maintainers monitor project forum and fix the code and docs when issues arise. Do MikroTik devs do so?
The solution was posted almost 2 months ago http://forum.mikrotik.com/t/send-pubkey-test-no-mutual-signature-algorithm/157739/4 with no impact on the docs.
I have filed a ticket to the support asking to add
PubkeyAcceptedAlgorithms +ssh-rsa
to the Wiki (and https://help.mikrotik.com/docs/display/ROS/SSH).