leveche
just joined
Topic Author
Posts: 1
Joined: Fri Jul 23, 2021 12:28 am

more modern ssh in routerOS please

Wed Aug 04, 2021 1:46 am

Hi All,

This is my first post to the forum, and since it involves a bit of a rant, I'd like to prefix it with 'I heart mikrotik'. I've used rb3011 and rb4011 for a couple of years now, and am deeply impressed with the feature/price ratio.

Ok, here's the rant: modern ssh clients refuse to work with mikrotik, because its crypto is woefully old: the only available key types are ssh-DSA, which has been deprecated since 2015, and ssh-RSA, signed with SHA-1, which also has been deprecated for over a year now.

I understand that backwards-compatibility matters, and, if mikrotik were to simply port a modern openSSH, many clients would be forced to rekey. But if routerOS 7 is already introducing sweeping changes, this is surely a better time than a point release, which could catch users off-guard. Now is the time to get the latest openssh, with EC crypto and support for signed certificates. The alternative is to force the use of broken security, while the desktop OS vendors upgrade ssh client to a version that is no longer interoperable.

Those of us who rely on CLI management of our routers, particularly those with automated configuration management such as ansible, really need working ssh on the routers.
Best
Lev
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: more modern ssh in routerOS please

Wed Aug 04, 2021 9:20 pm

No SSH guru, just pointing out that there is SSH strong-crypto! Whether it is any good is another question.

strong-crypto (yes | no; Default: no) Use stronger encryption, HMAC algorithms, use bigger DH primes and disallow weaker ones:
prefer 256 and 192 bit encryption instead of 128 bits;
disable null encryption;
prefer sha256 for hashing instead of sha1;
disable md5;
use 2048bit prime for Diffie-Hellman exchange instead of 1024bit.
Swordforthelord
Frequent Visitor
Posts: 71
Joined: Thu Jul 08, 2010 10:18 pm

Re: more modern ssh in routerOS please

Thu Aug 05, 2021 7:16 pm

From the terminal, use the command:
ip ssh set strong-crypto=yes
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: more modern ssh in routerOS please

Thu Aug 05, 2021 7:35 pm

From the terminal, use the command:
ip ssh set strong-crypto=yes
Hasn't @anav already written it?
And also explained what happens with that option set to yes?
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: more modern ssh in routerOS please

Thu Aug 05, 2021 7:45 pm

@leveche does it work now if you change strong-crypto=yes ?
Swordforthelord
Frequent Visitor
Posts: 71
Joined: Thu Jul 08, 2010 10:18 pm

Re: more modern ssh in routerOS please

Thu Aug 05, 2021 7:57 pm

From the terminal, use the command:
ip ssh set strong-crypto=yes
Hasn't @anav already written it?
And also explained what happens with that option set to yes?
Yes, he wrote what the command was and yes he explained what it would do but he did not specify exactly where the command was located in the CLI structure. My post clarified that.
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: more modern ssh in routerOS please

Thu Aug 05, 2021 8:13 pm

Bravo.
oreggin
Member Candidate
Posts: 172
Joined: Fri Oct 16, 2009 9:21 pm

Re: more modern ssh in routerOS please

Wed Oct 20, 2021 10:23 am

Now, with OpenSSH v8.8p1 I can't use RSA pubkey auth, as in this version it is disabled by default, and I need a workaround in .ssh/config with
PubkeyAcceptedKeyTypes +ssh-rsa
to be able to connect. Moreover, still only RSA pubkey auth is supported in RC4, which is the first-generation key type. The second-generation DSA is deprecated, the third-gen ECDSA is not widespread, and the fourth-gen ED25519 is still not available in RouterOS.
So where ahead?
Last edited by oreggin on Thu Oct 21, 2021 2:51 pm, edited 1 time in total.
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: more modern ssh in routerOS please

Wed Oct 20, 2021 4:12 pm

I opened a feature ticket about this (SUP-61929) that was not yet answered... Neither positive nor negative. Let's hope they are working on support for ed25519 keys.
(I'm kind of optimistic, they always followed openssh deprecations in the past.)
 
arfoll
newbie
Posts: 28
Joined: Mon Sep 24, 2012 8:24 pm

Re: more modern ssh in routerOS please

Sat Oct 30, 2021 7:25 pm

Thanks for the tip about the ssh config - this is something which will get more and more painful if not updated.
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: more modern ssh in routerOS please

Sun Oct 31, 2021 2:10 am

Hasn't @anav already written it?
And also explained what happens with that option set to yes?
Yes, he wrote what the command was and yes he explained what it would do but he did not specify exactly where the command was located in the CLI structure. My post clarified that.
Good point!!
Boggles my mind that they don't simply make it an option on the IP Services SSH page and default it to YES.
ssh1.JPG
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: more modern ssh in routerOS please

Sun Oct 31, 2021 3:26 pm

....Ok, here's the rant: modern ssh clients refuse to work with mikrotik, because its crypto is woefully old....
What ssh client do you use? Why do you call it modern if it can't use old ciphers? It could/should complain, but dropping support in such a tool is a shame. Why not drop telnet support? Should they drop support for the serial port as it's so old?
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: more modern ssh in routerOS please

Sun Oct 31, 2021 4:59 pm

....Ok, here's the rant: modern ssh clients refuse to work with mikrotik, because its crypto is woefully old....
What ssh client do you use? Why do you call it modern if it can't use old ciphers? It could/should complain, but dropping support in such a tool is a shame. Why not drop telnet support? Should they drop support for the serial port as it's so old?

The ssh clients mentioned did not drop support for old algorithms; they are discouraging their use in the default config. It is fairly easy to allow them, as was mentioned in previous posts.
oreggin
Member Candidate
Posts: 172
Joined: Fri Oct 16, 2009 9:21 pm

Re: more modern ssh in routerOS please

Wed Nov 03, 2021 7:01 am

....Ok, here's the rant: modern ssh clients refuse to work with mikrotik, because its crypto is woefully old....
What ssh client do you use? Why do you call it modern if it can't use old ciphers? It could/should complain, but dropping support in such a tool is a shame. Why not drop telnet support? Should they drop support for the serial port as it's so old?
OpenSSH and other SSH clients follow the new standards to provide a more and more secure way to prevent unauthorized access to our devices. I think this is a common interest.
In ip ssh, the strong-crypto option enables stronger ciphers but does not enable stronger pubkey signature checking algorithms like SHA256/512-RSA, and in OpenSSH 8.8 SHA1-RSA is deprecated and removed from the default config.
As I said, only the first-generation RSA pubkey auth method is supported in ROS; however, we are at the fourth generation, ED25519. ROS can't recognize ECDSA nor ED25519 pubkeys.
We have some APC UPS which have really old MGMT cards that cannot be SW updated. At some point we won't be able to log in to these devices with up-to-date SSH clients or web browsers. Unfortunately we need to operate ancient OSes to be able to log in to these devices, or we need to disable the secure login methods and use HTTP and telnet.
I wouldn't like it if ROS got this far.
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: more modern ssh in routerOS please

Wed Nov 03, 2021 8:36 am

At some point we won't be able to log in to these devices with up-to-date SSH clients or web browsers. Unfortunately we need to operate ancient OSes to be able to log in to these devices, or we need to disable the secure login methods

You're spreading a mild version of FUD. Even modern SSH clients (up to the version I can see) can connect to ancient SSH servers if one adds some options to the ssh client command, e.g.
ssh -o "HostKeyAlgorithms +ssh-dss" -o "KexAlgorithms +diffie-hellman-group1-sha1" <user>@<ancient_ssh_server>

But really ... the SSH server in ROS 6.48.4 supports slightly newer algorithms: KEX algorithm diffie-hellman-group-exchange-sha256 and host key algorithm rsa-sha2-256 (the ssh-rsa was deprecated in recent openssh versions). So unless your openssh installation deprecates too many older algorithms (it's system-wide configuration, so the maintainer of the ssh client installation can change defaults), you should still be able to connect to recent ROS versions without too much fuss.

Just to be clear: I'm not saying that MT should not include a more modern implementation of SSH server in ROS ... I'm just saying that things are not as bleak as they might seem.
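As an added example (not code from MikroTik, OpenSSH or anyone in this thread), the following Python decodes the ten algorithm name-lists a server advertises in its SSH_MSG_KEXINIT message and flags the ones discussed above: ssh-dss, SHA-1-signed ssh-rsa, the group1 key exchange and SHA-1/MD5 MACs. The LEGACY set is my own classification, and the sample payload is constructed by hand to resemble a router with strong-crypto=no, not captured from a real device; a practitioner would feed it the KEXINIT payload read from a router instead, before and after setting strong-crypto=yes.

```python
"""Audit which algorithms an SSH server offers and flag the legacy ones.

Added example, not code from MikroTik or OpenSSH. It decodes an SSH_MSG_KEXINIT
payload (RFC 4253, section 7.1). SAMPLE_KEXINIT is constructed by hand to look
like a RouterOS server with strong-crypto=no; it is not a real capture.
"""
import struct

SSH_MSG_KEXINIT = 20
# Algorithms that recent OpenSSH clients leave out of their defaults (my classification).
LEGACY = {"ssh-dss", "ssh-rsa", "diffie-hellman-group1-sha1", "hmac-md5", "hmac-sha1"}
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(lists):
    """Encode ten name-lists into a KEXINIT payload (used to construct the sample)."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)       # message id + 16-byte cookie
    for field in FIELDS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw     # uint32 length + name-list
    return out + b"\x00" + bytes(4)                  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm, ...]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, lists = 17, {}                              # skip message id and cookie
    for field in FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + length]
        if len(raw) != length:
            raise ValueError("truncated name-list: " + field)
        pos += 4 + length
        lists[field] = raw.decode("ascii").split(",") if raw else []
    return lists

def audit(payload):
    """Return {field: [legacy algorithms offered]} for the fields that offer any."""
    lists = parse_kexinit(payload)
    found = {f: [a for a in algs if a in LEGACY] for f, algs in lists.items()}
    return {f: algs for f, algs in found.items() if algs}

SAMPLE_KEXINIT = build_kexinit({
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha256"],
    "hostkey": ["ssh-rsa", "ssh-dss"],           # RSA key signed with SHA-1, and DSA
    "enc_c2s": ["aes128-ctr", "aes256-ctr"], "enc_s2c": ["aes128-ctr", "aes256-ctr"],
    "mac_c2s": ["hmac-sha1", "hmac-sha2-256"], "mac_s2c": ["hmac-sha1", "hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})
```

A server that offers only legacy entries in a field (here hostkey) is one a default OpenSSH client will refuse; a server that also offers rsa-sha2-256 or a sha256 key exchange beside the legacy entry still negotiates fine, which is mkx's point.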
oreggin
Member Candidate
Posts: 172
Joined: Fri Oct 16, 2009 9:21 pm

Re: more modern ssh in routerOS please

Wed Nov 03, 2021 2:59 pm

Sure, this is not a big problem, but many of us noticed "I can't log in to my device which worked yesterday". And some of us start thinking "Did some bad guy crack it, or not?". In security, you can never be too careful.
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: more modern ssh in routerOS please

Wed Nov 03, 2021 3:24 pm

Sure, but then ... is anybody (except me? ;-) ) checking all the change-logs before blindly upgrading software? I mean ... it's ssh client upgrade which breaks things "that worked yesterday" and if one does one thing at a time, it would be pretty obvious, wouldn't it? Except for the part "OMG, my router got hacked".
oreggin
Member Candidate
Posts: 172
Joined: Fri Oct 16, 2009 9:21 pm

Re: more modern ssh in routerOS please

Wed Nov 03, 2021 5:40 pm

Sure, but then ... is anybody (except me? ;-) ) checking all the change-logs before blindly upgrading software? I mean ... it's ssh client upgrade which breaks things "that worked yesterday" and if one does one thing at a time, it would be pretty obvious, wouldn't it? Except for the part "OMG, my router got hacked".
:-D nah ok, stay on the topic
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: more modern ssh in routerOS please

Wed Nov 03, 2021 6:28 pm

No wait............... what about the amazing graphic where Strong Crypto selection is available on winbox Gui!! ;-)
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: more modern ssh in routerOS please

Wed Nov 03, 2021 7:37 pm

No wait............... what about the amazing graphic where Strong Crypto selection is available on winbox Gui!! ;-)
It's already there but you can't see it, because the icon is only displayed by the winbox gui if the crypto library on your PC supports the 2025-era state-of-the-art cryptography. :wink:
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: more modern ssh in routerOS please

Wed Nov 03, 2021 7:53 pm

I've got 2030 SSH on my PC. To be fair, I time travelled to 2035 and bought a used PC.
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: more modern ssh in routerOS please

Wed Nov 03, 2021 8:36 pm

Too far in the future ... 2025 crypto will be deprecated in 2030.
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: more modern ssh in routerOS please

Tue Nov 16, 2021 3:33 pm

Received an answer to my feature request for ed25519 keys (SUP-61929):
Thank you for your feedback. We will consider adding this feature in the future.
Definitely not a "no". 😜
Open your own feature request in the support portal; possibly it helps.