I have noticed a number of posts regarding SSH keys failing etc. etc. After a routine patch of my Linux machine, I was sent into a frenzy banging my head, many ssh -vvvv and copious searches until I eventually figured out why my SSH keys were no longer working. (This was a year or three ago but I ran into it again when I deployed a new Mikrotik at home.)
You need to explicitly re-enable the deprecated SHA1 RSA cipher “ssh-rsa” for RouterOS connections either in the global /etc/ssh/ssh_config (not sshd_config) or a user-specific ~/.ssh/config file. Add the following line to your connection stanza: (See my edit below)
PubkeyAcceptedKeyTypes +ssh-rsa
Example extract from my ~/.ssh/config:
Host mikrotik1 mikrotik2 10.20.30.40
    User admin
    Port 22
    Compression yes
    TCPKeepAlive yes
    NumberOfPasswordPrompts 1
    ServerAliveInterval 60
    StrictHostKeyChecking no
    # Re-enable RSA SHA1, otherwise the connection will fail (SHA1 deprecated)
    PubkeyAcceptedKeyTypes +ssh-rsa
    IdentityFile ~/.ssh/id_rsa
EDIT: After writing this, I realised my Linux box was using old RSA keys that were generated a few years ago using old ciphers and causing this error. Generating new RSA keys appears to have fixed this issue for me.
NOTE: OpenSSH etc. have also sunset RSA & DSA keys and recommend moving over to ECDSA keys, but none of my routers (RouterOS v6.49.10) appear to support ECDSA, giving the following error:
Couldn’t perform action - unable to load key file (wrong format?) ! (6)
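A small audit script, added here as an example and not part of the original post, that parses an ssh_config-style file and reports whether the ssh-rsa re-enable (under the PubkeyAcceptedKeyTypes name used above, or its newer PubkeyAcceptedAlgorithms spelling) is confined to a Host stanza or applies to every host, and also flags StrictHostKeyChecking no. The sample config inside it is constructed, modelled on the stanza above.

```python
"""Audit an OpenSSH client config: where is the legacy ssh-rsa (SHA-1)
signature algorithm re-enabled, and is host-key checking switched off?"""
import re
from fnmatch import fnmatch

# Constructed sample modelled on the stanza in the post; not the author's file.
SAMPLE_CONFIG = """\
Host mikrotik1 mikrotik2 10.20.30.40
    StrictHostKeyChecking no
    # Re-enable RSA SHA1 otherwise connection will fail
    PubkeyAcceptedKeyTypes +ssh-rsa
    IdentityFile ~/.ssh/id_rsa

Host *
    PubkeyAcceptedAlgorithms=+ssh-rsa
"""

# Old and new spellings of the same keyword (renamed in OpenSSH 8.5).
LEGACY_KEYWORDS = ("pubkeyacceptedkeytypes", "pubkeyacceptedalgorithms")

def parse_stanzas(text):
    """Return [(host_patterns, {keyword: value}), ...] in file order.
    Keywords are lowercased; ssh keeps the first value it sees per keyword."""
    stanzas = [(["(top-level)"], {})]          # options before any Host line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key in ("host", "match"):
            stanzas.append((value.split(), {}))
        else:
            stanzas[-1][1].setdefault(key, value)
    return [s for s in stanzas if s[1]]

def enables_ssh_rsa(value):
    """True if a PubkeyAccepted* value includes ssh-rsa: '+list' appends,
    '^list' prepends, a bare list replaces, and '-list' only removes."""
    if value.startswith("-"):
        return False
    return any(fnmatch("ssh-rsa", pat) for pat in value.lstrip("+^").split(","))

def audit(text):
    """Return findings as dicts: hosts, issue, scope ('global' or 'host-scoped')."""
    findings = []
    for hosts, opts in parse_stanzas(text):
        scope = "global" if "*" in hosts or hosts == ["(top-level)"] else "host-scoped"
        for kw in LEGACY_KEYWORDS:
            if kw in opts and enables_ssh_rsa(opts[kw]):
                findings.append({"hosts": hosts, "issue": "ssh-rsa re-enabled", "scope": scope})
        if opts.get("stricthostkeychecking", "").lower() == "no":
            findings.append({"hosts": hosts, "issue": "host key checking disabled", "scope": scope})
    return findings
```

Running audit(SAMPLE_CONFIG) reports the ssh-rsa re-enable as host-scoped for the Mikrotik stanza but global for the Host * stanza, which is the one worth removing once the routers accept newer keys.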
Disabling the password after key restriction
If you want to disable the default of rejecting password SSH logins after loading SSH keys, set the following to allow both key & interactive (password) login:
/ip ssh set always-allow-password-login=yes
I prefer setting this just in case my keys go wonky and I need to access my routers via SSH to fix them.
I hope this little tidbit saves a few bruised foreheads!