ssh key auth issues between two rOS devices

Morning all,

My goal is to make two routers talk to each other in a script with ssh-exec.
I created a user and keys according to this Wiki article.
But when trying to fire a command from a remote router (with the exact same user and key config), I always receive an authentication error while the debug log of the router that is supposed to be accessed logs 6 login retries.
From the other router I send

/sys ssh-exec user=remote address=10.80.1.6 command="log info test"

The first attempt is being logged with

auth req: remote ssh-connection none
next auth methods: publickey password

The next five are logged as password auth.

SSH settings of the router I'm trying to log into:

/ip ssh pr
           forwarding-enabled: remote
  always-allow-password-login: no
                strong-crypto: no
            allow-none-crypto: yes
                host-key-size: 2048

And of the router trying to connect from:

 /ip ssh pr
           forwarding-enabled: remote
  always-allow-password-login: no
                strong-crypto: no
            allow-none-crypto: yes
                host-key-size: 2048

Connecting from a cygwin terminal to the router in question works without issue with this command:

ssh -i ./remote-key remote@10.80.1.6

Any ideas?
Thanks!
-Chris

Please show your available keys on both sides:

/user ssh-keys print
/user ssh-keys private print

Dang - and this happens to me :)

Exact same output on both devices:

/user ssh-keys prin
Flags: R - RSA, D - DSA 
 #   USER                       BITS KEY-OWNER                                                                                     
 0 R remote                     2048 user@computer          
 
 /user ssh-keys priva prin
Flags: R - RSA, D - DSA 
 #   USER                       BITS KEY-OWNER                                                                                     
 0 R remote                     2048 user@computer

The local device running

/sys ssh-exec ...
  • what user is running this?

a standard company-wide admin account

So it’s not the user “remote” here?
Import your private key for the standard company-wide admin account, not “remote”.

Now this makes so much sense…
Thanks for opening my eyes.
Now these commands are to be used in scripts run by the scheduler - will that be run with the account of the script owner?

Thanks!
-Chris

Yes.
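
The fix from this thread, written out as an added example (not posted by any participant): the private key is imported for the local account that runs ssh-exec, while the public key stays bound to the login user on the target. `corp-admin` and the file name `remote-key.pub` are placeholders assumed here; `remote-key` is the key file from the working cygwin command, assumed to have been uploaded to the router's files.

```routeros
# --- On the router that initiates the connection ---
# Assumption: "corp-admin" stands in for the company-wide admin account that
# runs ssh-exec (and owns the scheduled script).
# The private key is matched to the LOCAL user running the command,
# not to the user= argument of ssh-exec.
/user ssh-keys private import user=corp-admin private-key-file=remote-key public-key-file=remote-key.pub

# The USER column should now show the local account (corp-admin), not "remote"
/user ssh-keys private print

# --- On the target router (10.80.1.6) ---
# The public key stays bound to the account being logged into
/user ssh-keys import user=remote public-key-file=remote-key.pub
/user ssh-keys print

# --- Back on the initiating router, logged in as corp-admin ---
# user= names the REMOTE account; the key offered is corp-admin's private key
/system ssh-exec user=remote address=10.80.1.6 command="log info test"
```

With `always-allow-password-login: no` on both sides, a client that has no private key for its local user has nothing to offer for publickey, which matches the password attempts seen in the target's debug log.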