RB1100AH - RouterOS 5.11 - Can't configure SSH to Router...

Hello,

I’m trying to set up the RB 1100AH to allow SSH access, but so far I have only failed at that.
Some configuration details :

    [admin@NYC-MKT01] > system routerboard print
           routerboard: yes
                 model: 1100AH
         serial-number: 319F010FBB0F
      current-firmware: 2.38
      upgrade-firmware: 2.38
    [admin@NYC-MKT01] /system license> print
        software-id: 6TMG-ATQK
      upgradable-to: v7.x
             nlevel: 6
           features: 
    [admin@NYC-MKT01] /ip service> print
    Flags: X - disabled, I - invalid 
     #   NAME      PORT ADDRESS                                       CERTIFICATE  
     0   telnet      23
     1   ftp         21
     2   www         80
     3   ssh         22 0.0.0.0/0

I’ve created a user that is part of the admin group, and SSH is allowed for that group.
I’ve created an SSH key on my Linux box (tried with DSA and RSA), transferred the public
part to the RB1100, and then imported it for my user.

    [admin@NYC-MKT01] /ip service> /user ssh-keys print
     # USER                 KEY-OWNER                                              
     0 rol                  rol@tux.DEF

But an SSH to the RB always fails with :

    Received disconnect from 192.168.200.254: 3:

on the Linux side, and

     09:24:05 ssh,error host pub key not loaded

on the router.

I’ve googled that problem and found several posts related to it, but
no real answer.

Could anyone help? Is there a key to generate locally on the RB1100? If so, how can I do that?

Thanks in advance,
Best,
Paul

First off, use a DSA key.

Then, what version of RouterOS are you using? If possible, reinstall the router with the netinstall tool and try again.

Hello,

> First off, use a DSA key.

OK, did that again:

    ssh-keygen -t dsa -f RB1100
    ...
    ftp .. put RB1100.pub
    ...
    telnet 192.168.200.254
    [rol@NYC-MKT01] /user ssh-keys> print
     # USER                 KEY-OWNER                                              
     0 rol                  rol@tux.DEF
    [rol@NYC-MKT01] /user ssh-keys> remove 0
    [rol@NYC-MKT01] /user ssh-keys> print   
     # USER                 KEY-OWNER                                              
    [rol@NYC-MKT01] /user ssh-keys> import public-key-file=RB1100.pub user=rol
    [rol@NYC-MKT01] /user ssh-keys> print
     # USER                 KEY-OWNER                                              
     0 rol                  rol@tux.DEF

and then again :

    103 [12:32] rol@tux.DEF:~/usr/src/Mikrotik> ssh -i RB1100 -l rol 192.168.200.254 
    Received disconnect from 192.168.200.254: 3: 

and logs say

    11:30:25 system,info ssh-key removed by rol 
    11:31:12 system,info ssh-key added by rol 
    11:32:23 ssh,error host pub key not loaded



> Then, what version of RouterOS are you using?

Stupid me, I thought I mentioned it:

    [rol@NYC-MKT01] /system package> print
    Flags: X - disabled 
     #   NAME                    VERSION                    SCHEDULED              
     0   routeros-powerpc        5.11                                              
     1   system                  5.11                                              
     2 X ipv6                    5.11                                              
     3   routerboard             5.11                                              
     4   wireless                5.11                                              
     5   hotspot                 5.11                                              
     6   dhcp                    5.11                                              
     7   mpls                    5.11                                              
     8   routing                 5.11                                              
     9   ppp                     5.11                                              
    10   security                5.11                                              
    11   advanced-tools          5.11

It was 5.9 this morning, same problem, so I upgraded using the “FTP procedure” on the web site.

Paul
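
Added example, not part of any post in this thread: a small triage script that correlates the client's disconnect line with the router log quoted above. The reason-code names are those of RFC 4253 section 11.1; the function name `triage` and the verdict strings are assumptions made for this illustration, and the sample lines are copied from the posts above.

```python
import re

# SSH_MSG_DISCONNECT reason codes from RFC 4253, section 11.1.
REASONS = {
    1: "HOST_NOT_ALLOWED_TO_CONNECT", 2: "PROTOCOL_ERROR",
    3: "KEY_EXCHANGE_FAILED", 4: "RESERVED", 5: "MAC_ERROR",
    6: "COMPRESSION_ERROR", 7: "SERVICE_NOT_AVAILABLE",
    8: "PROTOCOL_VERSION_NOT_SUPPORTED", 9: "HOST_KEY_NOT_VERIFIABLE",
    10: "CONNECTION_LOST", 11: "BY_APPLICATION", 12: "TOO_MANY_CONNECTIONS",
    13: "AUTH_CANCELLED_BY_USER", 14: "NO_MORE_AUTH_METHODS_AVAILABLE",
    15: "ILLEGAL_USER_NAME",
}
AUTH_CODES = {13, 14, 15}  # only sent once user authentication has started

# Client line format as shown in this thread (IPv4 address or hostname).
CLIENT_RE = re.compile(r"Received disconnect from (\S+): (\d+):\s*(.*)")
# Router log format as shown in this thread: time, comma-separated topics, text.
ROUTER_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (.+)$")

def triage(client_output, router_log):
    """Decide whether the failure points at the host key or the user key."""
    m = CLIENT_RE.search(client_output)
    if not m:
        return {"verdict": "no disconnect message found"}
    code = int(m.group(2))
    host_key_errors, user_key_changes = [], 0
    for line in router_log.splitlines():
        entry = ROUTER_RE.match(line.strip())
        if not entry:
            continue
        stamp, topics, message = entry.groups()
        if {"ssh", "error"} <= set(topics.split(",")) and "host pub key" in message:
            host_key_errors.append(stamp)
        elif message.startswith("ssh-key added"):
            user_key_changes += 1
    if code == 3 and host_key_errors:
        # Key exchange fails before any user key is offered to the server.
        verdict = "server host key"
    elif code in AUTH_CODES:
        verdict = "user authentication"
    else:
        verdict = "inconclusive"
    return {"host": m.group(1), "code": code,
            "reason": REASONS.get(code, "UNKNOWN"),
            "host_key_errors": host_key_errors,
            "user_key_changes": user_key_changes, "verdict": verdict}

# Sample input copied from the posts above.
CLIENT = "Received disconnect from 192.168.200.254: 3: "
ROUTER = ("11:30:25 system,info ssh-key removed by rol\n"
          "11:31:12 system,info ssh-key added by rol\n"
          "11:32:23 ssh,error host pub key not loaded\n")
```

With the thread's own lines, `triage(CLIENT, ROUTER)` reports reason `KEY_EXCHANGE_FAILED` and the verdict `server host key`: the session ends during key exchange, so re-importing the user's public key does not change the outcome.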

Please create and send us a debug log (possibly from the client and from the router) and supout.rif to support.

I’m getting exactly the same issues as here - was there any resolution to this?

Thanks

Chris

EDIT: This is on a brand new 1100AHx2, newly installed, upgraded to 5.11, then configured

Reinstall using Netinstall. Try to remember how you got to this state.

What version did you use previously? Did you have issues with ssh running that version?

What happens if you upgrade from another version of RouterOS?

Unfortunately, this is now in production :slight_smile: working fine apart from this… We’re looking to get another couple (or 4) for redundancy, but wanted to make sure they worked OK before splashing out…

It previously had 5.9 on it (I think) which is how it (a brand new RB1100AHx2) came from your factory (presumably, unless your reseller did anything to it, which I doubt), and was fairly immediately upgraded to 5.11 so didn’t actually try SSH before.

The other one we bought at the same time is fine.

Don’t think I did anything with ssh settings before finding it didn’t work.

Thanks

Chris

Many more problems were found in the ROS 5.11 version.

I suggest you downgrade to 5.8.

Would not recommend downgrading below the version it came with from the factory. Will try 5.9 and see if I lose any ssh keys, as I am using ssh key logins extensively over my testing routers.

OK, thanks - as I said before, only one of the two routers (purchased at the same time) is exhibiting this problem, so it's not necessarily straightforward to reproduce

Thanks

Chris

Seems very similar to issue here:

http://forum.mikrotik.com/t/x86-5-5-and-5-7-ssh-key-problem/50350/1

Is there any way of regenerating ssh host keys?

Thanks

Chris

Re-install the router using the netinstall or cd-install (if x86) tool to force the router to recreate the keys.

OK, thanks, will try to do this over the weekend - our live router :frowning: Must buy another one :slight_smile:

Try to use 5.12 to be sure you do not encounter such problems again.

Reinstalling a production router is always painful. Just update to 5.12 and get a compact export (so if something goes wrong - fast reset, load config and you are back online).

Also, before you start, connect to ether13 with your laptop (PC) ready with netinstall, reboot, install and reboot. Check if you have selected to keep the old configuration, so if you reinstall 5.12 onto a clean 5.12 you should not encounter any issues.

> Try to use 5.12 to be sure you do not encounter such problems again.
>
> Reinstalling a production router is always painful. Just update to 5.12 and get a compact export (so if something goes wrong - fast reset, load config and you are back online).
>
> Also, before you start, connect to ether13 with your laptop (PC) ready with netinstall, reboot, install and reboot. Check if you have selected to keep the old configuration, so if you reinstall 5.12 onto a clean 5.12 you should not encounter any issues.

Unfortunately, the router is at a remote site, so I’ll be doing a completely remote install (using a differently connected network connection), remote desktop to a windows machine and serial port connected to a linux machine. Might this cause problems with a netinstall? Is there something special about ether13?

But, yes, will go straight to 5.12

Thanks

Chris

ether13 on the board is the ether boot port.

So ether13 has to be used to do netinstall?

Yes, ether13 has to be used. Otherwise the router will not be able to boot from the network.

:frowning: OK might need a site visit. Actually, need another router, so we have a pair, so downtime isn’t such an issue :slight_smile: Must talk to management.

However, I did look through all the documentation I could find and nothing I saw said that you had to be in ether13 for network boot… (that I could see, might have missed something) Might want to update the documentation to reflect that :slight_smile:

Thanks

Chris