ssh from ROS to OpenWRT

reverged · March 8, 2012, 5:45am

I’m trying to set up ssh keys in order to ssh from RB to an OpenWRT box without needing a password.
This wiki article was consulted:
http://wiki.mikrotik.com/wiki/Manual:System/SSH_client#Log-in_using_certificate

I have created the key pairs on a Linux box and copied the public key to the OpenWRT machine and I can successfully ssh from Linux to OpenWRT with no password required. I’ve done this before for other Linux boxes. No mysteries.

user@ubuntu:~$ ssh root@10.10.1.5 "date"
Thu Mar  8 05:41:46 UTC 2012

Now move on to ROS. I copied the private and public key files to the ROS v5.6 RB450G and ran:

/user ssh-keys private import public-key-file=ssh/id_dsa.pub private-key-file=ssh/id_dsa user=ap_admin

No errors, etc.

Now when I try to ssh:

[ap_admin@test_t] > /system ssh 10.10.1.5 user=root
getting empty DSA key
died with signal 11 on Thu Mar  8 05:30:58 2012

Anyone know what I am doing wrong or had success with this? If I remove the private key from the RB, I get the password prompt when I rerun the ssh command, so apparently it is seeing the key and trying to use it, but failing.

Again, this works fine from Linux box => OpenWRT but fails RB => OpenWRT. I’ve also had success from Linux Box => RB.

reverged · March 8, 2012, 5:42pm

bump. I would really like to get this to work…

Tolaris · March 20, 2012, 11:04am

I have the same problem logging in to a remote SSH server running Ubuntu 10.04 (SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7).

[root@ROUTER04] > /user ssh-keys private print

USER KEY-OWNER

0 root root@router04

[root@ROUTER04] > /system ssh server.example.com user=test
getting empty DSA key
died with signal 11 on Tue Mar 20 11:03:02 2012

Welcome back!
[root@ROUTER04] >

The "root@router04" DSA SSH key is installed correctly on the "test" user on server.example.com. I can SSH to it from my desktop using the same key.

I have this problem on Router0S 5.4 and 5.8.

Tolaris · March 20, 2012, 2:31pm

I have discovered why this does not work. RouterOS cannot support both “ssh user=blah” and SSH key authentication at the same time.

With SSH key authentication, this works:

/system ssh server.example.com command=“hostname”

But this does not:

/system ssh server.example.com command=“hostname” user=“somebody”

This, of course, sucks. How do we submit bug reports to Mikrotik?

Disassembler · April 3, 2012, 1:58pm

Same here.
SSHing to MT works fine. From MT to any other Linux box fails with

[admin@MikroTik] > /system ssh address=example.com user=root command="ls -la"
getting empty DSA key
died with signal 11 on Tue Apr  3 13:32:18 2012


Welcome back!

Using ROS 5.14, tested from various RBs

janisk · April 5, 2012, 11:20am

not sure what could cause problems you are encountering as i just tried on test routers and everything workder as expected, that is

/user ssh-keys private> import user=admin private-key-file=id_dsa public-key-file=id_dsa.pub

added entry that if i logged in with user admin i could successfully log in further in SSH capable hosts without any problems if public key was set on the target host for user that was set like this:

/sys ssh 192.168.88.1 user=test

could you create debug logs of the router when you issue ssh to other host (preferable, connect to host using other method but ssh) and see if you have any logs on the target end.

Tolaris · April 5, 2012, 11:23am

Please read my post above. When using SSH keys, you can use user=blah, and command=blah, but not both at the same time.

janisk · April 5, 2012, 12:24pm

ok, it is clear now.

Tolaris · April 5, 2012, 1:14pm

Thank you very much. I would appreciate it very much if you would inform me or the rest of us on this ticket when the issue is resolved.