petrb
Member Candidate
Topic Author
Posts: 100
Joined: Thu Jan 26, 2017 4:17 pm

SSH login with certs only

Wed Jul 18, 2018 10:23 am

Hi, is it possible to disable SSH password login to MikroTik RouterOS?

SSH Example:
- user "admin" with password
- the public part of my private key computer was successfully added ("/ip ssh import-host-key private-key-file")
- login to mk with cert is fully working

Question:
- How to disable SSH logins without certs. (how to disable users password logins)

Thanks
Petr
 
baragoon
Member Candidate
Posts: 294
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: SSH login with certs only

Wed Jul 18, 2018 10:31 am

 
petrb
Member Candidate
Topic Author
Posts: 100
Joined: Thu Jan 26, 2017 4:17 pm

Re: SSH login with certs only

Wed Jul 18, 2018 12:57 pm

I already read the wiki. There is no option that can disable password login. Please read my post carefully. Thanks
 
normis
MikroTik Support
Posts: 26290
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: SSH login with certs only

Wed Jul 18, 2018 1:42 pm

What is your "always-allow-password-login" set to? That is in the manual, linked above.
 
baragoon
Member Candidate
Posts: 294
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: SSH login with certs only

Wed Jul 18, 2018 2:11 pm

There is no option that can disable password login.
really?
 
petrb
Member Candidate
Topic Author
Posts: 100
Joined: Thu Jan 26, 2017 4:17 pm

Re: SSH login with certs only  [SOLVED]

Wed Jul 18, 2018 2:31 pm

Sorry, my mistake - ALL WORKS. I expected different behavior.

[admin@HlavniRouter] > /ip ssh print
always-allow-password-login: no

SSH from Kubuntu to ROS:
- login with certs all works
- login without certs => PASSWORD is prompted, but NOT ACCEPTED (this made me mistaken)

SSH from Kubuntu to another OpenSSH:
- login with certs ok, password login disabled ....
- login without certs => "Permission denied (publickey)." message is displayed

Thanks for all answers and many thanks to all. Please close this thread.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: SSH login with certs only

Wed Jul 18, 2018 2:37 pm

Sorry for interfering, but the name and explanation of that item in the manual is so unclear that myself I wouldn't dare to refer to it without an additional explanation.

What are the conditions which must be met so that the password authentication would be disabled? Once you import a key for a given user, it means that that very user cannot log in using a password authentication any more if the always-allow-password-login is set to no? Or as soon as you import a key for a single user, password authentication is disabled for everybody? Or it works like in Linux sshd and it only affects root (i.e. admin here)? I mean, there is so much space for speculation that I would be afraid to try, assuming I might ban myself from access to the router via ssh.
 
petrb
Member Candidate
Topic Author
Posts: 100
Joined: Thu Jan 26, 2017 4:17 pm

Re: SSH login with certs only

Wed Jul 18, 2018 2:47 pm

Yes, I agree, wiki page can be more specific:

"/ip ssh set always-allow-password-login="
NO => when "user" has a public key added, then you cannot log in with the password for a specific user, only cert (password prompt is still shown, but the password is not accepted)
YES => you can connect to user account with password or certificate
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: SSH login with certs only

Wed Jul 18, 2018 3:58 pm

Nice to know. It has annoyed me that I need to login with a cert.
Looked everywhere in the GUI, but could not find anything.
Then the always-allow-password-login solved it.
Strange that /Ip SSH is missing for webgui/winbox
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: SSH login with certs only

Wed Jul 18, 2018 4:15 pm

It was discussed in the past:

Passwordless ssh login

It's sort of a cosmetic bug, password prompt is always there, even for users with keys, where it can't succeed.
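
An added example, not part of any post in this thread: a small shell helper for auditing SSH servers by the authentication methods they advertise in `ssh -v` output. It shows why the behaviour described above matters for an audit: a server that still offers a password method has to be confirmed with `/ip ssh print` on the router. The sample lines, the placeholder host and the assumption that RouterOS lists `password` next to `publickey` are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an SSH server by the authentication methods it
# advertises, using the OpenSSH client's own debug output.
#
# Live use (user and host are placeholders):
#   ssh -v -o BatchMode=yes -o PreferredAuthentications=none \
#       admin@192.0.2.1 true 2>&1 | offered_methods

# Print the method list from the last "Authentications that can continue"
# line of `ssh -v` output read on stdin (prints nothing if no such line).
offered_methods() {
    tr -d '\r' |
        sed -n 's/^debug1: Authentications that can continue: //p' |
        tail -n 1
}

# Succeed if the comma-separated list in $1 contains a password-style method.
password_offered() {
    case ",$1," in
        *,password,*|*,keyboard-interactive,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Turn a method list into an audit verdict.
classify() {
    if [ -z "$1" ]; then
        echo "unknown"
    elif password_offered "$1"; then
        # Per the thread, RouterOS keeps prompting even when the password
        # can no longer succeed, so confirm the setting on the router.
        echo "password-advertised: check /ip ssh print"
    else
        echo "key-only"
    fi
}

# Constructed samples (not captured from real devices; the RouterOS
# method list is an assumption based on the prompt described above).
SAMPLE_OPENSSH='debug1: Authentications that can continue: publickey'
SAMPLE_ROUTEROS='debug1: Authentications that can continue: publickey,password'

for sample in "$SAMPLE_OPENSSH" "$SAMPLE_ROUTEROS"; do
    methods=$(printf '%s\n' "$sample" | offered_methods)
    printf '%s -> %s\n' "$methods" "$(classify "$methods")"
done
```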
