I think I found a bug:
Basically I think the user flag in the /system ssh command is not working,
and it also doesn’t autocomplete with available options.
ssh admin@192.168.88.1
[admin@MikroTik] > system ssh myhost user=ubuntu
Welcome back!
ssh from routeros not working
scenario 2:
ssh ubuntu@192.168.88.1
[ubuntu@MikroTik] > system ssh myhost
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-1083-aws x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Get cloud support with Ubuntu Advantage Cloud Guest:
http://www.ubuntu.com/business/services/cloud
135 packages can be updated.
0 updates are security updates.
New release '18.04.2 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: *****
ubuntu@ip-*****:~$
The user parameter is used to specify the remote user name, not the local one. Hence no autocomplete: there is no way for your MikroTik to obtain the user list from the remote system.
The whole concept of using keys to authenticate ssh users to remote systems is that each local (in this case, MikroTik) user has his “personal” key which he uses to authenticate himself as he connects to any remote system. To use the user parameter of /system ssh would break the idea that each user can only use its own “identity” (represented by the key) to authenticate himself to the remote system.
So the correct approach is to create a key of its own for each MikroTik user which will be connecting to some user account on the remote server, and deliver the public keys of all the users to the remote server for access to those of its user accounts which should accept it.
The only purpose of the user parameter of /system ssh is to set the remote user name; by omitting it you tell the system to use the local user name for this purpose.
You guessed it right.
If you are logged in to RouterOS with local user “ubuntu”, then you have access to the private ssh key, with which you can then log in to any (Linux, RouterOS, other) host if that ssh key is authorized to log in.
If you are logged in to RouterOS with another user (like admin), then you are not using the private key, which is only available to the RouterOS user you previously imported it to.
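For the server side of the approach described in the replies (one key per RouterOS user, with each public key delivered to the remote accounts that should accept it), here is an added example that is not part of the original thread. The function name `install_pubkey` and the file layout are assumptions; it expects each RouterOS user's public key in its own file and should be run as the target account.

```shell
#!/bin/sh
# Added example, not from the thread. Run on the remote server as the target
# account (for instance "ubuntu"), so the files end up owned by that account.
# Assumption: each RouterOS user's *public* key is available as its own file.

# install_pubkey HOME_DIR PUBKEY_FILE   (hypothetical helper name)
# Authorizes exactly one OpenSSH public key for the account living in HOME_DIR.
install_pubkey() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    pattern='^(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9]+) [A-Za-z0-9+/=]+( .*)?$'

    [ -f "$pubkey_file" ] || { echo "missing: $pubkey_file" >&2; return 1; }

    # Private keys stay with the RouterOS user they were imported for;
    # they must never be copied to the server.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "refusing private key material: $pubkey_file" >&2
        return 1
    fi

    # Require exactly one well-formed public key line: one file, one identity.
    count=$(grep -cE "$pattern" "$pubkey_file") || true
    [ "$count" -eq 1 ] || { echo "need exactly one public key" >&2; return 1; }
    key_line=$(grep -E "$pattern" "$pubkey_file")

    # sshd (StrictModes) ignores authorized_keys with loose permissions.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Idempotent: compare key type and blob only, ignoring the comment field.
    key_id=$(printf '%s\n' "$key_line" | cut -d' ' -f1,2)
    if grep -qF -- "$key_id" "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# Command-line use: sh install_pubkey.sh "$HOME" admin-routeros.pub
if [ "$#" -eq 2 ]; then
    install_pubkey "$1" "$2"
fi
```

Keeping one key file per RouterOS user, with a comment such as `admin@MikroTik`, lets a single user's access be revoked later by deleting only that line.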