SSH public key accepted but login fails, requires password despite password-authentication=no

Hardware: MikroTik hAP ax³, RouterOS 7.22.3

Issue:
SSH public key authentication is accepted at the crypto level but login fails immediately after. Router then requests password as a second factor despite password-authentication=no being set.

Setup:

  • SSH from VPS (Rocky Linux) to router via WireGuard tunnel
  • Ed25519 keypair generated on VPS, public key imported via Winbox
  • Custom SSH port
  • strong-crypto=yes
  • publickey-authentication-options=none
  • password-authentication=no
  • Admin user in full group, not locked

Debug log:
ssh,debug checking: [Ed25519-PUBLIC]
ssh,info publickey accepted for user: admin, fingerprint: SHA256:xxx
ssh next auth methods: publickey,password
system,error,critical login failure for user admin from 10.0.0.1 via ssh
ssh,info auth timeout
ssh closing connection: auth timeout

Ruled out:

  • Firewall blocking connection
  • Wrong username or key
  • User locked or restricted
  • Cipher mismatch
  • Interface trust level

Question:
Why does RouterOS accept the public key but still require password, and how does a newbie like me fix this?

Your issue is a bit weird. I have a similar setup to yours, but with one distinction: I have password-authentication=yes so that I can log in both using key authentication and password authentication. However, when I'm logging in from an account where I have the correct private/public key available, I'm never prompted to enter the password.

One setting from /ip/ssh you did not mention: I have the (default) setting ciphers=auto.

You may want to verify that the imported SSH keys are correct by checking /user/ssh-keys/print and verifying the fingerprint against the fingerprint of the public SSH key you're trying to use (the OpenSSH CLI command would be ssh-keygen -lf <private key file>).
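For the fingerprint comparison suggested above, here is an added example (not code from either poster or from MikroTik) that computes the same SHA256 fingerprint OpenSSH prints for a public-key line, so the value shown on the VPS can be checked against whatever the router displays for the imported key. It also checks that the key type written at the front of the line matches the type encoded inside the base64 blob, which catches a line mangled by copy/paste into a GUI field. The 32-byte key and the "admin@vps" comment are constructed sample values, not a real key.

```python
import base64
import hashlib
import struct

# Constructed sample: 32 made-up bytes standing in for an Ed25519 public key.
SAMPLE_KEY_BYTES = bytes(range(32))


def ssh_string(data: bytes) -> bytes:
    """Encode bytes in SSH wire format (RFC 4251): uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def build_openssh_line(key_type: str, raw_key: bytes, comment: str = "") -> str:
    """Build an OpenSSH public-key line ('type base64blob [comment]') from raw key bytes."""
    blob = ssh_string(key_type.encode()) + ssh_string(raw_key)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def parse_openssh_line(line: str) -> tuple[str, bytes]:
    """Parse a public-key line and return (key type from the blob, decoded blob).

    The key type declared as the first word must equal the key type encoded as the
    first SSH string inside the blob; a mismatch or undecodable base64 means the
    line was altered in transit (truncated, wrapped, or pasted with a stray char).
    """
    fields = line.strip().split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short to contain a key type")
    (type_len,) = struct.unpack(">I", blob[:4])
    wire_type = blob[4:4 + type_len].decode()
    if wire_type != declared_type:
        raise ValueError(f"key type mismatch: line says {declared_type!r}, blob says {wire_type!r}")
    return wire_type, blob


def raw_key_from_blob(blob: bytes) -> bytes:
    """Return the second SSH string of the blob (for ssh-ed25519, the 32-byte public point)."""
    (type_len,) = struct.unpack(">I", blob[:4])
    offset = 4 + type_len
    (key_len,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + key_len]


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprints_match(line_a: str, line_b: str) -> bool:
    """True when two public-key lines carry the same key; comments and whitespace are ignored."""
    _, blob_a = parse_openssh_line(line_a)
    _, blob_b = parse_openssh_line(line_b)
    return fingerprint_sha256(blob_a) == fingerprint_sha256(blob_b)


if __name__ == "__main__":
    vps_line = build_openssh_line("ssh-ed25519", SAMPLE_KEY_BYTES, "admin@vps")
    print(vps_line)
    print(fingerprint_sha256(parse_openssh_line(vps_line)[1]))
```

Run it against the real line from the .pub file on the VPS and the fingerprint it prints should be identical to what `ssh-keygen -lf` reports for that key; if the router shows a different fingerprint for the imported key, the key that reached the router is not the one the client is offering.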

Thank you for your response. I have followed your advice and verified the key fingerprints match between VPS and router. Here is the current situation:

  • Fresh Ed25519 keypair generated on VPS
  • Public key imported to router via Winbox, fingerprints verified and confirmed matching
  • ciphers=auto, strong-crypto=yes, publickey-authentication-options=none
  • password-authentication=yes-if-no-key

Network context: The router has a dedicated management VLAN (vlan-mgmt) that has sole access to RouterOS. The input chain firewall rule uses an interface list which contains both vlan-mgmt and wg-vps, giving WireGuard the same trust level as the management VLAN.

Despite the key being accepted, the router still prompts for password. Password is also rejected even when correct.

  • Is there anything specific about SSH authentication via a WireGuard interface that differs from a standard VLAN interface?
  • Could there be a RouterOS mechanism beyond firewall rules that restricts management authentication to specific interfaces?
  • Is there any additional configuration needed to make key-only authentication work reliably on 7.22.3?