I'm trying to run ssh-exec on PPP UP/DOWN.
When I run ssh-exec from the terminal or as a system script everything is OK - the key is used,
but when I put the code or system script on PPP → Profile → Scripts
it is not using the SSH key for some reason.
Your message is lacking almost all essential information… not even a RouterOS version number.
Latest 7.20.6 (stable)
Still lacking most information.
When running a script from the CLI, it is executed as the current user. You did not say when/where/how your script is invoked concretely. It is probably executed with a restricted service/system user, and therefore can't use the private key from your personal user.
Hi
1- I tried the code as ssh-exec or as a system script (with ssh-exec) on PPP → Profile → Scripts.
There are an UP script and a Down script
which are executed when a new PPP client connects.
2- I was thinking the same - the UP/Down script probably uses some system user to execute the script
and therefore no SSH key is used,
but the question is how to add an SSH key to this system user so it can use ssh to access the remote server on PPP
client connect/disconnect.
When executing script from GUI or CLI, user permissions are used. To run a script with script permissions, a script must be executed from CLI with additional "use-script-permissions" parameter.
You typed something and then pressed [ENTER].
This something is evidently "wrong" (or incomplete) because it doesn't do what you expect it to do.
If you post EXACTLY the something you entered, maybe someone can spot where the problem lies.
Many thanks, adding use-script-permissions
solved my issue.
The script that I run doesn’t inherit vars, please advise
I put in PPP → Profile → Scripts → UP Script
/log info ("OVPN-UP: user=" .$user ." ip=" .$"caller-id")
/system/script/run on-up-script use-script-permissions
and inside on-up-script I have
/log info ("OVPN-UP: user=" .$user ." ip=" .$"caller-id")
Output is
P.S.
The whole idea is to add/remove the connected OpenVPN user's IP to the trusted list on an external server,
by running something like
/system/script/run add-ip use-script-permissions
which has code
/system ssh-exec address=linux.server user=root command="/sbin/iptables -A INPUT -p tcp -s $"caller-id" -j ACCEPT"
I also tried to use the code directly in PPP → Profile → Scripts → UP Script
/system ssh-exec address=linux.server user=root command="/sbin/iptables -A INPUT -p tcp -s $"caller-id" -j ACCEPT"
but MikroTik doesn't use the user SSH key for it.
I tried:
IP -> SSH -> Export Host key -> convert it to OpenSSH and upload to the server,
but code directly in PPP → Profile → Scripts → UP Script still is not using the SSH key for ssh-exec.
You'll need to copy the value of $"caller-id" to a :global variable (name of your choice) before doing /system/script/run .... In the script, retrieve the data from the global variable and use it in your SSH command.
Have you tried to set script owner?
not a good idea.
What if 2 OpenVPN users connect simultaneously?
Obviously, there is no mechanism to handle thread safety & locking in RouterOS scripts. You may try something like this to ensure that all $"caller-id" are always sent through SSH. But this might cause duplicates (one IP address is sent multiple times) in case of contention:
In on-up script do this in a loop (with :do { } while={ }):
1. Copy $"caller-id" to a :global variable.
2. /system/script/run ....
3. Repeat while $"caller-id" is different from the :global variable.
In short: if after the script is called and returned, the value of the :global variable is still the same as $"caller-id" then no one has changed the content of the :global variable, nothing needs to be done further. But if the values do not match, then the content of the variable was changed by a concurrent connection, we cannot be sure whether the SSH command has been executed before or after the change. To be sure, we loop and try sending again.
You might also add a counter to limit the number of retries and maybe add a random delay if $counter > 3 (or something similar).
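CGGXANNX's handoff-and-retry idea written out as an added example (not code from this thread): the On-Up script parks the PPP variables in globals, and a separately stored script run with use-script-permissions reads them back and does the ssh-exec with its owner's key. The script name add-ip, the global names, the two server hostnames and the branch1/branch2 split (taken from the requirement stated later in the thread) are assumptions.

```routeros
# --- PPP profile -> On-Up script (sees $user and $"caller-id", but has no user SSH key) ---
# Hand the PPP variables to a privileged script through globals, and retry while a
# concurrent connection overwrote the global before add-ip had picked it up.
:global ovpnCallerId
:global ovpnUser
:local retries 0
:do {
    :set ovpnCallerId $"caller-id"
    :set ovpnUser $user
    # add-ip runs with script permissions, so the SSH key of its owner is used
    /system/script/run add-ip use-script-permissions
    :set retries ($retries + 1)
    # back off a little after a few collisions (this can still send one IP twice)
    :if ($retries > 3) do={ :delay 2s }
} while=($ovpnCallerId != $"caller-id" && $retries < 10)

# --- /system/script add-ip (owner = the user whose SSH key is loaded) ---
:global ovpnCallerId
:global ovpnUser
:local target
# assumed mapping: which external server each OpenVPN user is trusted on
:if ($ovpnUser = "branch1") do={
    :set target "server1.example"
} else={
    :set target "server2.example"
}
/log info ("OVPN-UP: user=" . $ovpnUser . " ip=" . $ovpnCallerId . " -> " . $target)
/system/ssh-exec address=$target user=root command="/sbin/iptables -A INPUT -p tcp -s $ovpnCallerId -j ACCEPT"
```

The On-Down script is the mirror of the first part with a matching remove-ip script; the retry loop only guards against a global being overwritten, so a duplicate iptables rule after contention is still possible, as noted above.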
There exists a not so widely known trick to monitor state changes and run actions in RouterOS. In this example I monitor the state of IPsec policies and when something changes (there are a number of template policies from which active policies are spawned) the function is called, and as this monitor is only running one time (it is started from an “at boot” scheduled script entry) there is no locking issue.
# this handler is called whenever state of the IPsec policies changes
# when policy becomes active, add a route (when it does not yet exist)
:global IpSecPolicyEventHandler do={
:if ($1) do={
/log info "ipsec-events tunnel active dst-address=$2"
:if ([:len [/ip/route find where routing-table=hamnet and dst-address=$2]] > 0) do={
/log info "route already exists"
} else={
/ip/route/add routing-table=hamnet dst-address=$2 gateway=44.137.60.1 comment="ipsec-tunnel"
}
}
}
# wait for the system to boot (script is started from scheduler)
:delay 10
/log info "ipsec-events script running"
# this is where the handler is called from a follow of the policy listing
# event handler called with active status (true/false) and tunnel destination
:execute {
:global IpSecPolicyEventHandler
/ip/ipsec/policy print follow where [$IpSecPolicyEventHandler $active $"dst-address"]
}
It relies on the “print follow” command with a “where” clause, which in RouterOS calls the items in the [ brackets ] every time the “follow” encounters a new item. Nice!
The main issue is the following:
When I run
/system ssh-exec address=linux.server user=root command="/sbin/iptables -A INPUT -p tcp -s ${caller-id} -j ACCEPT"
directly from PPP → Profile → Scripts → On-Up,
the SSH connection does not use any user SSH key. (I checked this from the Linux server side, and according to the SSH logs, MikroTik attempts password authentication first. Since no password is configured, the authentication fails.)
There is no way to identify which SSH key is used, nor to upload or select a key for /system ssh-exec.
(at least I cannot find a way)
However, when I run:
/system script run on-up-script use-script-permissions
the script does use my loaded MikroTik user SSH key,
but in this case the script does not inherit PPP variables such as caller-id.
As a result, I cannot forward caller-id to the script that uses my SSH key.
So I am stuck between two limitations:
ssh-exec has access to PPP variables but cannot use my SSH key
system script run can use my SSH key but cannot access PPP variables
Follow CGGXANNX suggestion and use other variables to cross check for other login possibilities.
I showed you above how you can work around that! In this case use /ppp/active/print follow …
Thanks for the advice:
but I cannot see how I can use a global in my requirements.
My requirement is to dynamically add or remove the OpenVPN caller-id IP address to a trusted list based on the connected user.
For example:
If the OpenVPN client “branch1” connects, I want to check whether its ${caller-id} IP is already present in the list of currently active connections.
If it is already present, do nothing.
If it is not present, add that IP address to server1.
If the OpenVPN client “branch2” connects, perform the same check, but add the ${caller-id} IP address to server2 instead.
When a client disconnects:
Check whether this connection was the last active session using the same IP address.
If it was not the last active session, do nothing.
If it was the last active session, remove the IP address from the corresponding server, based on the $user value.