SSH login with certs only

Hi, is it possible to disable SSH password login on MikroTik RouterOS?

SSH Example:

  • user “admin” with password
  • the public part of my private key computer was successfully added (“/ip ssh import-host-key private-key-file”)
  • login to mk with cert is fully working

Question:

  • How to disable SSH logins without certs. (how to disable users password logins)

Thanks
Petr

https://wiki.mikrotik.com/wiki/Manual:IP/SSH

I already read the wiki. There is no option that can disable password login. Please read my post carefully. Thanks

What is your “always-allow-password-login” set to? That is in the manual, linked above.

really?

Sorry, my mistake - ALL WORKS. I expected different behavior.

[admin@HlavniRouter] > /ip ssh print
always-allow-password-login: no

SSH from Kubuntu to ROS:

  • login with certs all works
  • login without certs => PASSWORD is prompted, but NOT ACCEPTED (this made me mistaken)

SSH from Kubuntu to another OpenSSH:

  • login with certs ok, password login disabled …
  • login without certs generate => “Permission denied (publickey).” message is displayed

Thanks for all answers and many thanks to all. Please close this thread.

Sorry for interfering, but the name and explanation of that item in the manual is so unclear that myself I wouldn’t dare to refer to it without an additional explanation.

What are the conditions which must be met so that the password authentication would be disabled? Once you import a key for a given user, it means that that very user cannot log in using a password authentication any more if the always-allow-password-login is set to no? Or as soon as you import a key for a single user, password authentication is disabled for everybody? Or it works like in Linux sshd and it only affects root (i.e. admin here)? I mean, there is so much space for speculation that I would be afraid to try, assuming I might ban myself from access to the router via ssh.

Yes, I agree, wiki page can be more specific:

“/ip ssh set always-allow-password-login=”
NO => when a “user” has an added public key, you cannot log in with the password for that specific user, only with a cert (the password prompt is still shown, but the password is not accepted)
YES => you can connect to user account with password or certificate

Nice to know. It has annoyed me that I need to login with a cert.
Looked everywhere in the GUI, but could not find anything.
Then the always-allow-password-login solved it.
Strange that /ip ssh is missing for webgui/winbox

It was discussed in the past:

Passwordless ssh login

It’s sort of a cosmetic bug, password prompt is always there, even for users with keys, where it can’t succeed.
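
An offline audit of the behaviour described in this thread, added here as an example (not posted by any participant and not MikroTik code): it reads the output of `/ip ssh print`, `/user print` and `/user ssh-keys print` and lists the enabled accounts whose password SSH would still accept. The sample outputs are constructed, the column layout of the two tables is an assumption, and so is the rule that an account without an imported key keeps accepting its password when the setting is `no`.

```python
import re

# Constructed sample output, not captured from a real router. The first line
# follows the `/ip ssh print` output quoted in the thread; the column layout
# of the two tables is an assumption.
IP_SSH_PRINT = "always-allow-password-login: no\n"
USER_PRINT = """\
Flags: X - disabled
 #   NAME     GROUP
 0   admin    full
 1   backup   read
 2 X olduser  full
"""
SSH_KEYS_PRINT = """\
Flags: R - RSA
 #   USER    BITS KEY-OWNER
 0 R admin   2048 petr@kubuntu
"""


def parse_setting(text, name):
    """Return the value of a `name: value` line in print output."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(\S+)", text, re.MULTILINE)
    if m is None:
        raise ValueError(f"{name} not found in output")
    return m.group(1)


def parse_rows(text):
    """Yield (flags, first column) for every numbered table row."""
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+((?:[A-Z]\s+)*)(\S+)", line)
        if m:
            yield m.group(1).split(), m.group(2)


def password_capable_users(ip_ssh, users, keys):
    """Enabled users whose password SSH still accepts, per the thread:
    with the setting at `no`, a user with an imported key is key-only."""
    always = parse_setting(ip_ssh, "always-allow-password-login") == "yes"
    keyed = {name for _, name in parse_rows(keys)}
    enabled = [n for flags, n in parse_rows(users) if "X" not in flags]
    return [u for u in enabled if always or u not in keyed]


if __name__ == "__main__":
    for user in password_capable_users(IP_SSH_PRINT, USER_PRINT, SSH_KEYS_PRINT):
        print(f"password login still accepted for: {user}")
```

Because the password prompt appears either way, the prompt itself says nothing about exposure; the account list and the key list are what to compare.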