I’ve recently decided to set up DSA-based logins on one of my test routers to see if I can automate a few maintenance tasks. However, after generating the key on my *nix box, uploading the public key, and associating it with a new user account, I can still log on through the associated account from any machine - even if it doesn’t have my private key. It seems that the router is simply ignoring the SSH key information and allowing the user to be logged in as long as a proper password is specified.
Well, I got around my problem by using SNMP-write queries. Not my preferred method of doing this, but the lack of response forced me to find another solution. Any thoughts on the matter are still welcome, however.
With RouterOS the DSA key does not replace password auth; it’s just another method of authenticating. You should set up some hairy password on that one if you don’t plan on using it for password authentication. I believe you can even disable the account and it still lets you in using DSA keys.
This is what I do as well. It’s so much security, I don’t even know the password! I used some password generator site online to give me a nice long password.
I did run into problems when the password was over 31 characters for some reason on ROS 3.15 (not sure about other versions).
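A way to confirm from the client side which authentication methods the router still offers for an account, as an added example that is not part of the original thread. It parses OpenSSH client debug output; the function names, the `maint` user and the 192.0.2.1 address are placeholders, and it assumes the server advertises its methods in the standard "Authentications that can continue" reply.

```shell
# Live capture (user and host are placeholders):
#   ssh -v -o BatchMode=yes -o PreferredAuthentications=none \
#       -o ConnectTimeout=5 maint@192.0.2.1 exit 2>&1 | password_still_offered \
#       && echo "password login is still accepted for this account"

# Print the method list from the server's first authentication reply.
offered_methods() {
    sed -n 's/^debug1: Authentications that can continue: //p' \
        | head -n 1 | tr -d '\r'
}

# Exit 0 if a password-style method is still offered, 1 otherwise.
password_still_offered() {
    methods=$(offered_methods)
    case ",$methods," in
        *,password,*|*,keyboard-interactive,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of `ssh -v` output for a server that accepts both
# public keys and passwords, the situation described in the thread.
sample_log() {
cat <<'EOF'
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
EOF
}
```

If `password_still_offered` succeeds after a key has been imported, the key is an additional login path and the account's password is still a valid credential.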