SSH "Permission denied" for all users despite correct password – firewall disabled, keys removed

I have a MikroTik RouterOS 7.20.6 (CCR1016-12S-1S+) where SSH access suddenly stopped working. I am using Winbox (MAC‑telnet) to access the router, but I need SSH for automation (e.g., Ansible, scripts).

Symptoms:

· SSH from any client (Windows, Linux, macOS) returns Permission denied, please try again.
· The password is absolutely correct (I reset it multiple times).
· It happens for all users with full rights (including newly created test users).
· Even after completely disabling the firewall (/ip firewall filter disable [find]) the problem persists.
· Key‑based authentication also fails (keys imported, but still denied).
· I have tried:
  · ip ssh set always-allow-password-login=yes
  · user set admin password=...
  · user set admin group=full
  · user group set full policy=... (added ssh policy)
  · Removing all SSH keys (user ssh-keys remove [find])
  · Checking SSH service port and address restrictions – they are default (address="")
  · Creating a brand new user (user add name=test group=full password=test123) – same issue
  · Rebooting the router multiple times

What works:

· Winbox (MAC and IP) works fine.
· Telnet (temporarily enabled) works with the same credentials.
· REST API (with www-ssl) works.
· The router is reachable and responds to ping.

What does NOT work:

· SSH on port 22 (default) – always Permission denied.

Logs:

· /log print where topics~"ssh" shows nothing helpful – no failed login entries, just occasional "SSH login attempt" without errors.
· No firewall drop logs for port 22.

Attached outputs:

[admin@MikroTik] > /ip ssh print
                      ciphers: auto
           forwarding-enabled: no  
  always-allow-password-login: yes 
                strong-crypto: no  
                host-key-size: 2048
                host-key-type: rsa 

[admin@MikroTik] > /ip service print where name=ssh
 0 ssh     22  tcp    main            20 

[admin@MikroTik] > /user print where name=admin
 0 admin  full   none

[admin@MikroTik] > /user ssh-keys print
(no keys present)

[admin@MikroTik] > /user group print
 0 full  local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,tikapp

What else should I check? Could it be a corrupted SSH host key? Or a hidden “login-by” property not visible in /user print? I'm considering resetting the router, but I would prefer to avoid that.

Any help is greatly appreciated.

From the client, ssh -v ADDRESS

Add -v flags until the diagnosis becomes clear.

If this is true, this may in fact be your problem. On RouterOS, not having a parameter set is very different from it being set as empty. In this case, "address not set" means "no restriction", while empty ("") means allow only from the empty list, i.e. allow from nowhere.

There is a command verb "unset" for this, if you wish to do it from the cli.

EDIT: As it turns out, the not set address is actually exported as ""... Yay for consistency.

Somehow I can log in from my phone using a mobile app called Termius, while on my workstation PowerShell is giving the same issue: it asks for a password even if the password is correct. I tried WinSCP, same issue. I'm puzzled.

Perhaps some characters in the password get messed up by Windows SSH clients.

I honestly don't know, the password has not been changed and I tried the most simple ones as a test.

Some other guesses:

  • Allowed addresses for ssh in /ip services?
  • Port forward of port 22 to some other machine either on router or in path between you and the router.
  • Trying to connect to wrong machine (invalid dns?)

Which characters are you using in your password?

I know some characters are invalid in RouterOS, and there is no warning.

For instance "$" is invalid. I guess an escape character must be specified, but if you don't, the password will be accepted by RouterOS, but you will not be able to connect with this password.

It happened for me with user authentication, but also for SNMPv3 for example.

I noticed this with WinBox. In CLI, if I remember, your password will be in "red", indicating there is an error.

Hope it helps,
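
The escaping guessed at in the reply above, as an added example that is not part of the original post: inside a double-quoted RouterOS console string, "$" starts variable substitution and a literal one is written \$, so a password set from a script (Ansible, shell) has to be quoted before it goes into /user set. The function names are hypothetical, and rejecting non-ASCII characters is a conservative assumption of this sketch.

```python
# Added example (not from the thread): quote a value for a RouterOS console command.
# Escapes used are RouterOS string escapes: \" \\ \$ and \XX (two uppercase hex digits).
# All function names here are hypothetical helpers, not a MikroTik API.

SPECIAL = {"\\": "\\\\", '"': '\\"', "$": "\\$"}  # backslash-escaped inside "..."
HEX_ONLY = {"?"}  # "?" can trigger console help, so it is written as a hex escape


def _needs_hex(ch):
    code = ord(ch)
    return ch in HEX_ONLY or code < 0x20 or code == 0x7F


def risky_chars(password):
    """Return the characters the console would interpret if sent unescaped."""
    return sorted({ch for ch in password if ch in SPECIAL or _needs_hex(ch)})


def ros_quote(value):
    """Return value as a double-quoted RouterOS string literal."""
    out = []
    for ch in value:
        if ord(ch) > 0x7F:
            # Assumption: refuse non-ASCII rather than guess how the router encodes it.
            raise ValueError("non-ASCII character in value: %r" % ch)
        if ch in SPECIAL:
            out.append(SPECIAL[ch])
        elif _needs_hex(ch):
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def set_password_command(user, password):
    """Build the console line that sets a user's password with safe quoting."""
    return "/user set [find name=%s] password=%s" % (ros_quote(user), ros_quote(password))


if __name__ == "__main__":
    # Constructed sample passwords, not values from the thread.
    for pw in ["test123", "pa$$w0rd", 'a"b\\c', "who?"]:
        print(risky_chars(pw), set_password_command("test", pw))
```

An empty risky_chars() result for a password that still fails over SSH, such as the plain test123 from the first post, points away from quoting and toward the client or service settings.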

Try CLI command:

/ip ssh reset
/ip ssh regenerate-host-key


Clients will be asked to accept new host key after this. Just "accept" and continue.