SSH keys.. Am I missing something?

To start with... I'm not a newb to using SSH keys.

I created a DSA key, uploaded the public key to the router, imported it and assigned it to a user. I added the key to my agent in my Linux shell and tried to ssh user@host, and it still asks for a password.

I removed the key from my agent and did ssh user@host -i keyfilename, and it prompted for the key passphrase. I entered it and it still asked for my password to connect to the router.

I put the key on one of my other linux servers and it worked for authentication over there just fine.

Am I missing something?

You should not have to add a key to your Linux shell or specify -i keyfilename on your ssh client.

Here’s how I do it.

jp@travelmug:~/.ssh> ls -la
total 124
drwx------  2 jp users  4096 2010-03-03 11:55 .
drwxr-xr-x 59 jp users 12288 2010-03-02 18:02 ..
-rw-------  1 jp users   668 2008-03-04 21:01 id_dsa
-rw-r--r--  1 jp users   602 2008-03-04 21:01 id_dsa.pub

jp@travelmug:~/.ssh> scp id_dsa.pub admin@10.0.1.5:
The authenticity of host '10.0.1.5 (10.0.1.5)' can't be established.
DSA key fingerprint is cc:98:a2:04:f3:b4:32:13:20:92:53:6e:b2:8a:86:0f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.5' (DSA) to the list of known hosts.
admin@10.0.1.5's password: 
id_dsa.pub                                                     100%  602     0.6KB/s   00:00    
jp@travelmug:~/.ssh> ssh admin@10.0.1.5 user ssh import file=id_dsa.pub user=admin
admin@10.0.1.5's password: 
jp@travelmug:~/.ssh> ssh admin@10.0.1.5



  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 3.31 (c) 1999-2009       http://www.mikrotik.com/

I add it to my agent. I have more than one key. By adding it to my agent, I don't have to type the passphrase for the key. I don't use keys with no passphrase unless they are limited to certain hosts.

The first key is the key forwarded from the agent on my desktop computer. The second key is the one I use on the routers.

[denike@garthok ~]$ ssh-add -l
1024 f2:26:6a:8e:6d:8a:b3:c2:53:eb:2e:64:37:2f:d5:db denike@XXXX (RSA)
[denike@garthok ~]$ ssh-add .ssh/id_dsa.routers
Enter passphrase for .ssh/id_dsa.routers:
Identity added: .ssh/id_dsa.routers (.ssh/id_dsa.routers)
[denike@garthok ~]$ ssh-add -l
1024 2b:98:73:12:f8:80:44:44:32:8a:90:7b:ca:2d:46:21 .ssh/id_dsa.routers (DSA)
1024 f2:26:6a:8e:6d:8a:b3:c2:53:eb:2e:64:37:2f:d5:db denike@XXXX (RSA)
[denike@garthok ~]$ ssh psg@10.16.128.59
psg@10.16.128.59's password:

On the router:
/user
add address=192.168.100.0/24 comment="system default user" disabled=no group=full name=admin
add address=172.16.102.3/32 comment="" disabled=no group=read name=dude
add address=0.0.0.0/0 comment="" disabled=no group=psg name=psg
/user ssh-keys
print

USER KEY-OWNER

0 psg denike@XXXX


The key does work.

Just recreated the key pairs, re-imported and tried it from PuTTY and from a Linux console, and neither worked...

ROS 4.5mipsbe

Ahhh… I figured it out. Weird.

The password for the user was something I just generated using uuidgen, so it was something like:

4c45aed5-5527-4d00-bc89-ed3dc8460351

I guess ROS doesn't like it.

I changed it to 1234 and the key started working.

So no super long passwords. Didn't know that was a limitation.

What cmdline did you use to generate your keypair? Is it using RSA or DSA?

DSA. It was just the extra long password for the user in ROS. I put a long random password in there because for this user, I would never use a password, only SSH keys.

It's working now with a shorter password.
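The thread ends with the account working, but the only evidence is that the password prompt went away, and the fix left a short password on an account that was meant to be key-only. The script below is an added example, not code from the thread or from MikroTik: it attempts a strict key-only login that exits non-zero instead of prompting (so a broken key setup is detected rather than masked by typing the password), and it reads the stderr of `ssh -v` to report which method OpenSSH says actually succeeded and which methods the router offered. The host 10.0.1.5 and user admin are the thread's values, the key path is a placeholder, and the SAMPLE_* transcripts are constructed from the lines OpenSSH prints with -v. Note that OpenSSH has disabled DSA (ssh-dss) keys by default since 7.0, so on a current client the thread's id_dsa would have to be replaced by an RSA or Ed25519 key before any of this works.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a RouterOS account really
# authenticates with its SSH key and never silently falls back to a password.
# 10.0.1.5 / admin are from the thread; the key path is a placeholder.

# Strict key-only login attempt. BatchMode plus the two "no" options make ssh
# exit non-zero when the key is refused instead of showing the password
# prompt the thread describes. Extra arguments (e.g. -v) are passed to ssh.
# The remote command lists the keys RouterOS has imported for the user.
keyonly_ssh() {
    host="$1"; user="$2"; key="$3"; shift 3
    ssh "$@" -o BatchMode=yes \
        -o PasswordAuthentication=no \
        -o KbdInteractiveAuthentication=no \
        -o IdentitiesOnly=yes \
        -i "$key" "$user@$host" '/user ssh-keys print'
}

# Read the stderr of `ssh -v` on stdin and print the method OpenSSH reports
# as successful (publickey, password, keyboard-interactive), or "none".
ssh_auth_method() {
    sed -n 's/^debug1: Authentication succeeded (\([a-z-]*\))\.$/\1/p' \
        | head -n 1 | grep . || echo none
}

# Same input; print the comma-separated list of methods the server offered.
# If "password" is still in the list for a key-only account, that account is
# only as strong as its password (in the thread: 1234).
ssh_offered_methods() {
    sed -n 's/^debug1: Authentications that can continue: //p' | head -n 1
}

# Constructed `ssh -v` transcripts: key accepted, password used, key refused.
SAMPLE_KEY='debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/jp/.ssh/id_dsa
debug1: Server accepts key: /home/jp/.ssh/id_dsa
debug1: Authentication succeeded (publickey).'

SAMPLE_PW='debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/jp/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
debug1: Authentication succeeded (password).'

SAMPLE_DENIED='debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/jp/.ssh/id_dsa
debug1: No more authentication methods to try.'

# Offline demonstration over the constructed transcripts.
for s in "$SAMPLE_KEY" "$SAMPLE_PW" "$SAMPLE_DENIED"; do
    printf 'offered=%s succeeded=%s\n' \
        "$(printf '%s\n' "$s" | ssh_offered_methods)" \
        "$(printf '%s\n' "$s" | ssh_auth_method)"
done

# Live check against the router, only when a key is supplied:
#   CHECK_KEY=~/.ssh/id_dsa.routers sh keycheck.sh
# ssh's stderr (the -v output) goes to the parser, its stdout is discarded,
# and anything other than a publickey success fails the check.
if [ -n "$CHECK_KEY" ]; then
    method=$(keyonly_ssh 10.0.1.5 admin "$CHECK_KEY" -v 2>&1 >/dev/null \
        | ssh_auth_method)
    [ "$method" = publickey ] || { echo "key login failed: $method" >&2; exit 1; }
fi
```

Running the script with no CHECK_KEY only exercises the parser on the three constructed transcripts; with CHECK_KEY set it performs one login and exits 1 unless the router accepted the key, which is the check the thread was missing when "it asks for a password" was the only signal. The offered-methods line is worth reading even when the key works: RouterOS in the thread still had password authentication enabled for the account, so the account's password, not the key, was its weakest credential.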