Using ssh with key between Mikrotik Routers

RouterOS General
1

How to make a connection between Mikrotik using ssh and a key?
How to add an encryption key in SSH Client on Mikrotik when connecting?

/system ssh 192.168.1.1 user=admin “/system reboot”; #Asks for a password=(

P.S. Key for user added on second Mikrotik…

2

https://wiki.mikrotik.com/wiki/Use_SSH_to_execute_commands_(DSA_key_login)

What may not be obvious:

  • the client (where you run the /system ssh … command) always uses the key of the user under which the command was issued, so in your case, of the user under which the script is running
  • the server searches the list of client keys associated to the local user name to which the client logs

So if you run the “ssh-ing” script on the client device as/under user cccc, but the ssh command logs as user ssss to the server (user=ssss):

  • at client, you have to import the private key from the generated pair for use by user cccc (so a single one will be used by cccc when logging anywhere)
  • at server, you have to import the public key from the generated pair for use by user ssss (so multiple public keys, each authenticating a distinct remote client, may be stored)

As of current, RouterOS doesn’t feature RSA or DSA key generation (except its own key it uses when acting as SSH server), nor modification (such as removal of passphrase). So you have to generate the key pair externally (linux, bsd), you must generate it without a passphrase, and you must make sure no one can intercept the private one in transfer, so use SCP if you need to upload it over network.

3

I performed Key Generation using puttygen utility, as a result I received 2 keys, one imported into Mikrotik and tied it to the user.
I specify the second when connecting via ssh in putty.
How do I specify the key that I specify when connecting to ssh client in Mikrotik when connecting?
Can you give an example?

4



  1. the two key files have unambiguous names representing their roles in the scheme:
  • the one the client uses to authenticate itself to the server is the private key,
    • the one the server uses to verify the client is the public key.
      So use these names instead of “first” and “second”, it’s almost the same amount of typing and much less confusion.
  1. as you say you have imported “one” into Mikrotik whereas in your OP you talk about two Mikrotiks and now you talk about PuTTY as client and Mikrotik as server, I assume that you have imported the public one to the Mikrotik server (which is correct), and that you can authenticate using the private key when using PuTTY as client (it would not work if you applied them the wrong way).


That’s the point I’ve tried to explain above. Unlike with PuTTY, or with ssh on unix-like systems, you cannot explicitly specify a private key to be used for a given connection; each user account on the client Mikrotik has a single private key associated to it, and this key is used when connecting to any remote server while logged in locally as that user. So the matching public key must be imported to each server before the local user can log in to it this way. This is how it normally works on unix-like systems too, except that in special cases you can override the default private key for the user. Hence follow point 7) of the wiki article I’ve linked above at the Mikrotik which you intend to use as ssh client; just substitute the user name remote by the name of the user under which the /system ssh comand will be issued. And don’t ask me why you have to upload and import also the public key in addition to the private one to the client Mikrotik, I have no idea.

It feels like a limitation that you cannot choose from several keys, but in fact you should normally not need that since you can import multiple public keys to each server.