RouterOS 6.30rc17

w0lt · June 11, 2015, 1:54pm

As with RouterOS 6.30rc13, the current beta release 6.30rc17 (SMIPS) does not have a wireless driver in the “All Architectures” zip package.

-tp

honzam · June 12, 2015, 6:23am

ARM - http://www.mikrotik.com/download/share/routeros-arm-6.30rc17.npk
is for rb3011?

normis · June 12, 2015, 6:48am

yes

eworm · June 12, 2015, 12:00pm

*) ssh - added option ‘/ip ssh stong-crypto’

I suppose this should read strong-crypto, no? What exactly does this change?

janisk · June 12, 2015, 12:19pm

it makes SSH connections more secure. SHA256 instead of SHA1 and MD5 is kicked out, longer DH, cipher-less connections are not allowed (one where you set cihpers=none) and stronger ciphers are preferred by the ssh server.

makes your SSH connection to the router slower due to better encryption. As most users do not require this (like managing routers from local area network) then old settings are deemed to have adequate security. Those that require higher security now can have it.

p.s. it is called ‘/ ip ssh strong-crypto’ there is a typo in the changelog.

eworm · June 12, 2015, 12:24pm

Ah, really nice! Thanks!

Looks like this still does not bring suppport for RSA (or even ed25519), though.

janisk · June 12, 2015, 12:43pm

RSA and for that matter ed25519 is not just a matter of flip-a-switch to enable them. We have to actually implement it. RSA currently is accepted as a feature request. Is not of a high priority.

eworm · July 1, 2015, 6:10am

Just a quick heads-up on this topic. OpenSSH 6.9 has been released. The announcement lists some features that will be run-time disabled by default with the release of OpenSSH 7.0 in July:

Support for ssh-dss, ssh-dss-cert-* host and user keys will be run-time disabled by default.

You will still be able to enable it, but the default configuration will fail with RouterOS devices.

rpr · July 10, 2015, 5:08pm

On v. 6.30 I’ve tried to run that command but it gives an error:

> /ip ssh strong-crypto
bad command name strong-crypto (line 1 column 9)

I have the following packages enabled: advanced-tools, routeros-mipsbe, routing, security, system.
What could be the problem?

– rpr.

grusu · July 10, 2015, 9:17pm

/ip ssh set strong-crypto

rpr · July 11, 2015, 9:54pm

I’m still getting an error:

> /system identity export
# jul/11/2015 23:49:35 by RouterOS 6.30
# software id = JLR6-SIQJ
#
/system identity
set name=gw.example.com

> /ip ssh set ?
Change properties of one or several items.

always-allow-password-login -- allow password login when public key authorization is configured
forwarding-enabled -- allows clients to connect to remote ports from server
strong-crypto -- use stronger encryption, HMAC algorithms, use bigger DH primes and disallow weaker ones


> /ip ssh set strong-crypto
expected end of command (line 1 column 13)

eworm · July 20, 2015, 6:51am

Changes have been committed to git. Current development version can not connect to RouterOS devices:

% git describe
V_6_9_P1-32-gd56fd18
% ./ssh host
ssh_dispatch_run_fatal: Connection to XX.XX.XX.XX: no matching host key type found

eworm · July 30, 2015, 10:49am

Starting with RouterOS 6.31rc10 we have support for RSA keys! Thanks a lot Mikrotik!