SSH client is not working

RouterOS General
1

SSH client is not working since the 6.8. or 6.9 version. When can we expect fix of this bug?

[admin@xxxxx] > system ssh address=192.168.5.3 user=root

Welcome back!
2

What’s not working?
On 6.11:

 > system ssh address=10.10.10.10 user=blabla
password:
Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.2.0-60-generic x86_64)
3

as onnoossendrijver kindly pointed out that problem with ssh client are resolved in newer release.

4

How do you explain this?

v6.11

v6.2

5

Definitely something is still not ok with the SSH Client. I can enstablish one connection to a CentOS device and thats it, no more. I have the same issue with several other devices like user ropeba.

6

As i can see the ssh client problem still exists in the 6.12 version. I hope you will fix that very soon.

7

Same here. I urgently need solution for this problem! We use ssh for IPTV service (STB administration). More than 2-3 months we don’t have control over users STBs.

8

enable debug logging for ssh and attempt a connection saving full conversation (preferably on both ends) and send to support@mikrotik.com Other way this thread is quite useless as there is no information of what RouterOS exactly is used, what ssh server it attempted to connect to etc.

9

I have the same issue - connection to some SSH servers is working, to same not. [Ticket#2014051266000668] has been created.

10

My issue with SSH client was solved in ROS 6.13rc23 via [Ticket#2014051266000668]. In case that there will be still an issue with MK SSH client, send output from “debug ssh” on MK side and from SSH server side to support@mikrotik.com, if requested.

11

just facing the issue with v6.28

12

Hello! I have a new version of Router OS 6.45.1 and I have such problem too.
############################################
user ssh-keys private print
Flags: R - RSA, D - DSA

USER BITS KEY-OWNER

0 R root 2048 root@185.20.24.56

ip ssh print
forwarding-enabled: both
always-allow-password-login: no
strong-crypto: no
allow-none-crypto: no
host-key-size: 2048

system ssh user=root address=185.20.24.56
Welcome back! --------> don't work!
##############################################
But it's work on other PC:
ssh root@185.20.24.56
All right!)))

Log from 185.20.24.56:
sshd[8968]: error: Received disconnect from 33.23.45.33 port 5152:14: [preauth]
sshd[8968]: Disconnected from 33.23.45.33 port 5152 [preauth]


And if I use ssh-client and password auth,
system ssh user=root address=185.20.24.56
All right too ((((

13

It’s MikroTik’s log (ssh debug):
22:34:28 ssh,debug ssh: auth methods: publickey
22:34:28 ssh,debug ssh: unknown auth method: publickey
22:34:28 ssh,debug ssh: code 0x0300000e closing..

14

I encounter the same problem with RB951 6.47
but no problem with ssh client from Basebox2 6.47 (I can see login prompt)
Both mikrotik connect to the same server
?

  1. how to reinstall ssh client in RB951 6.47
    tq

UPDATE1:
doing this will fix the problem
/ip ssh set strong-crypto=no

15

I also encountered with same problem on RB951 6.47. Searching for solution -_-

16

This is not a fix, this is a workaround - the server only supports ciphers which are currently considered weak.

17

What you said is true.

  1. either change target ssh server to use stronger cipher or
  2. set ssh client to use weaker cipher

Unfortunately, I have to use OPTION1 because target ssh server is CambumNetworks ePMP1000 Hotspot with latest 2019 firmware but EOL already
If I found on how to set it with stronger cipher. I’ll update here

ePMP1000-CC0989(config)# show config
!
management user admin password $crypt$1$R23rqOwQ84Z0PrDyhaBTH6MR5E5TtS1k
no management http
no management telnet
management ssh
management cambium-remote
management cambium-remote url https://cloud.cambiumnetworks.com
management cambium-remote validate-server-cert
management https
led
no poe-out
country-code CN
placement outdoor
!
wireless radio 1
no shutdown
channel auto
channel-width 20
channel-list all-channels
data-rate unicast 1b 2b 5.5b 11b 12 18 24 36 48 54
data-rate non-unicast highest-basic
power 25
airtime-fairness
auto-channel-select on-startup
antenna-gain 5
beacon-interval 100
no dynamic-channel-selection
enhanced-roaming
auto-rf chan-hold-time 120
!
wireless wlan 1
ssid id
no shutdown
vlan 1
security wpa2-psk
passphrase $crypt$1$1ihCmIf8rfqsV62rdhJy5QjIqMFuSlVu
dtim-interval 1
max-associated-client 127
client-isolation
drop-multicast-traffic
mac-authentication policy deny
no guest-access
!
interface eth 1
switchport mode trunk
switchport trunk native vlan 1
switchport trunk allowed vlan 1-20
!
interface eth 2
switchport mode access
switchport access vlan 1
!
interface vlan 1
management-access all
ip address zeroconf
ip address 192.168.88.222 255.255.255.0
!
ntp server pool.ntp.org
ip route default 192.168.88.1
ip name-server 1.1.1.1
ip name-server 9.9.9.9
timezone Asia/Jakarta
hostname ePMP1000-CC0989
firewall dos-protection ip-spoof
firewall dos-protection ip-spoof-log
firewall dos-protection smurf-attack
firewall dos-protection icmp-frag
no wifiperf

18

The unfortunate point is that the /ip ssh strong-crypto setting is common for both server and client, so once you permit weak algorithms to be able to connect to an old server, it is also possible to connect using weak ciphers to your Tik until you switch it back. Some time ago I’ve asked Mikrotik support for a parameter of the client so that you could disable strong crypto for a single login and they’ve promised to consider that, but so far nothing has happened.

19

I have the same issue with ROS 6.47.1 on RB951G-2HnD:
system ssh xxx.xxx.xxx.xx user=xxxxxxxxxxxxxx port=xxxxxxxxxxxxxx

Aug/11/2020 13:00:26 ssh,debug transport state: 0 → 1
Aug/11/2020 13:00:26 ssh,debug transport state: 1 → 2
Aug/11/2020 13:00:26 ssh,debug,packet sending string
Aug/11/2020 13:00:26 ssh,debug,packet SSH-2.0-ROSSSH
Aug/11/2020 13:00:26 ssh,debug,packet
Aug/11/2020 13:00:26 ssh,debug client version: SSH-2.0-OpenSSH_7.4
Aug/11/2020 13:00:26 ssh,debug transport state: 2 → 3
Aug/11/2020 13:00:26 ssh,debug,packet packet create: 20
Aug/11/2020 13:00:26 ssh,debug,packet ----- sending -----
Aug/11/2020 13:00:26 ssh,debug,packet => offset:232 [0xe8]
Aug/11/2020 13:00:26 ssh,debug,packet => size:e8 [0xe8]
xxxxx
Aug/11/2020 13:00:26 ssh,debug,packet xxxxx
Aug/11/2020 13:00:26 ssh,debug,packet --------------------
Aug/11/2020 13:00:26 ssh,debug,packet ----- recieved -----
Aug/11/2020 13:00:26 ssh,debug,packet => offset:500 [0x500]
Aug/11/2020 13:00:26 ssh,debug,packet => size:100 [0x100]
xxxxx
Aug/11/2020 13:00:26 ssh,debug,packet --------------------
Aug/11/2020 13:00:26 ssh,debug host key algo: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
Aug/11/2020 13:00:26 ssh,debug kex algo: curve25519-sha256,> curve25519-sha256@libssh.org> ,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Aug/11/2020 13:00:26 ssh,debug enc algo CS: > chacha20-poly1305@openssh.com> ,aes128-ctr,aes192-ctr,aes256-ctr,> aes128-gcm@openssh.com> ,> aes256-gcm@openssh.com> ,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
Aug/11/2020 13:00:26 ssh,debug mac algo CS: > umac-64-etm@openssh.com> ,> umac-128-etm@openssh.com> ,> hmac-sha2-256-etm@openssh.com> ,> hmac-sha2-512-etm@openssh.com> ,> hmac-sha1-etm@openssh.com> ,> umac-64@openssh.com> ,> umac-128@openssh.com> ,hmac-sha2-256,hmac-sha2-512,hmac-sha1
Aug/11/2020 13:00:26 ssh,debug comp algo CS: none,> zlib@openssh.com
Aug/11/2020 13:00:26 ssh,debug packet follows: 0
Aug/11/2020 13:00:26 ssh,debug agreed on: diffie-hellman-group-exchange-sha256 ssh-rsa aes128-ctr aes128-ctr hmac-sha2-256 hmac-sha2-256 none none
Aug/11/2020 13:00:26 ssh,debug,packet packet create: 34
Aug/11/2020 13:00:26 ssh,debug,packet ----- sending -----
Aug/11/2020 13:00:26 ssh,debug,packet => offset:24 [0x18]
Aug/11/2020 13:00:26 ssh,debug,packet => size:18 [0x18]
xxxxx
Aug/11/2020 13:00:26 ssh,debug,packet --------------------
Aug/11/2020 13:00:26 ssh,debug,packet ----- recieved -----
Aug/11/2020 13:00:26 ssh,debug,packet => offset:118 [0x118]
Aug/11/2020 13:00:26 ssh,debug,packet => size:100 [0x100]
xxxxx
Aug/11/2020 13:00:26 ssh,debug,packet --------------------
Aug/11/2020 13:00:26 ssh,debug,packet packet create: 32
Aug/11/2020 13:00:26 ssh,debug,packet ----- sending -----
Aug/11/2020 13:00:26 ssh,debug,packet => offset:272 [0x110]
Aug/11/2020 13:00:26 ssh,debug,packet => size:100 [0x100]
xxxxx
Aug/11/2020 13:00:26 ssh,debug,packet --------------------
Aug/11/2020 13:00:26 ssh,debug,packet ----- recieved -----
Aug/11/2020 13:00:26 ssh,debug,packet => offset:340 [0x340]
Aug/11/2020 13:00:26 ssh,debug,packet => size:100 [0x100]
Aug/11/2020 13:00:26 ssh,debug,packet
xxxxx
Aug/11/2020 13:00:26 ssh,debug,packet --------------------
Aug/11/2020 13:00:27 ssh,debug pki algorithm: ssh-rsa
Aug/11/2020 13:00:27 ssh,debug,packet packet create: 21
Aug/11/2020 13:00:27 ssh,debug,packet ----- sending -----
Aug/11/2020 13:00:27 ssh,debug,packet => offset:16 [0x10]
Aug/11/2020 13:00:27 ssh,debug,packet => size:10 [0x10]
Aug/11/2020 13:00:27 ssh,debug,packet
Aug/11/2020 13:00:27 ssh,debug,packet --------------------
Aug/11/2020 13:00:27 ssh,debug,packet ----- recieved -----
Aug/11/2020 13:00:27 ssh,debug,packet => offset:10 [0x10]
Aug/11/2020 13:00:27 ssh,debug,packet => size:10 [0x10]
Aug/11/2020 13:00:27 ssh,debug,packet
Aug/11/2020 13:00:27 ssh,debug,packet --------------------
Aug/11/2020 13:00:27 ssh,debug transport state: 3 → 4
Aug/11/2020 13:00:27 ssh,debug,packet packet create: 5
Aug/11/2020 13:00:27 ssh,debug,packet ----- sending -----
Aug/11/2020 13:00:27 ssh,debug,packet => offset:64 [0x40]
Aug/11/2020 13:00:27 ssh,debug,packet => size:40 [0x40]
Aug/11/2020 13:00:27 ssh,debug,packet
Aug/11/2020 13:00:27 ssh,debug,packet
Aug/11/2020 13:00:27 ssh,debug,packet
Aug/11/2020 13:00:27 ssh,debug,packet
Aug/11/2020 13:00:27 ssh,debug,packet --------------------
Aug/11/2020 13:00:27 ssh,debug,packet ----- recieved -----
Aug/11/2020 13:00:27 ssh,debug,packet => offset:40 [0x40]
Aug/11/2020 13:00:27 ssh,debug,packet => size:40 [0x40]
Aug/11/2020 13:00:27 ssh,debug,packet
Aug/11/2020 13:00:27 ssh,debug,packet
Aug/11/2020 13:00:27 ssh,debug,packet
Aug/11/2020 13:00:27 ssh,debug,packet --------------------
Aug/11/2020 13:00:27 ssh,debug requesting auth methods
Aug/11/2020 13:00:27 ssh,debug,packet packet create: 50
Aug/11/2020 13:00:27 ssh,debug,packet ----- sending -----
Aug/11/2020 13:00:27 ssh,debug,packet => offset:96 [0x60]
Aug/11/2020 13:00:27 ssh,debug,packet => size:60 [0x60]
xxxxx
Aug/11/2020 13:00:27 ssh,debug,packet --------------------
Aug/11/2020 13:00:27 ssh,debug,packet ----- recieved -----
Aug/11/2020 13:00:27 ssh,debug,packet => offset:40 [0x40]
Aug/11/2020 13:00:27 ssh,debug,packet => size:40 [0x40]
xxxxx
Aug/11/2020 13:00:27 ssh,debug,packet --------------------
Aug/11/2020 13:00:27 ssh,debug auth methods: publickey
Aug/11/2020 13:00:27 ssh,debug unknown auth method: publickey
Aug/11/2020 13:00:27 ssh,debug code 0x0300000e closing..
Aug/11/2020 13:00:27 ssh,debug,packet packet create: 1
Aug/11/2020 13:00:27 ssh,debug,packet ----- sending -----
Aug/11/2020 13:00:27 ssh,debug,packet => offset:64 [0x40]
Aug/11/2020 13:00:27 ssh,debug,packet => size:40 [0x40]
xxxxx
Aug/11/2020 13:00:27 ssh,debug,packet --------------------
Aug/11/2020 13:00:27 ssh,debug transport state: 4 → 0