
 
minfrin
newbie
Topic Author
Posts: 37
Joined: Sat May 09, 2009 2:20 am

How do you use ssh agent forwarding on the routeros ssh client?

Thu Nov 15, 2018 7:35 pm

Hi all,

I have routerboard B, that I need to ssh to via routerboard A. All user accounts are protected by SSH keys.

I am struggling to get ssh agent forwarding to work. When I log into routerboard A I can log in successfully, but when I log into routerboard B I am asked for a password, when I should log in automatically using agent forwarding.

The AllowAgentForwarding option on the sshd server makes this happen, how do I switch this on?

Regards,
Graham
--
 
lambert
Long time Member
Posts: 526
Joined: Fri Jul 23, 2010 1:09 am

Re: How do you use ssh agent forwarding on the routeros ssh client?

Fri Nov 16, 2018 1:37 am

It is not an option.

The options are:
/ip ssh set                    
Change properties of one or several items.

always-allow-password-login -- allow password login when public key authorization is configured
forwarding-enabled -- allows clients to connect to remote ports from server
host-key-size -- RSA key size when host key ir regenarated
strong-crypto -- use stronger encryption, HMAC algorithms, use bigger DH primes and disallow weaker ones

I suppose you could port forward to the second router and connect to it directly from your workstation on the non-standard port, but that may not be allowed due to management policy.
 
minfrin
newbie
Topic Author
Posts: 37
Joined: Sat May 09, 2009 2:20 am

Re: How do you use ssh agent forwarding on the routeros ssh client?

Fri Nov 16, 2018 12:43 pm

How do I get this supported by Mikrotik?

We have a strict no password policy, and the inability to forward keys makes it difficult for us to enforce that policy.
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: How do you use ssh agent forwarding on the routeros ssh client?

Fri Nov 16, 2018 3:04 pm

Use SSH ProxyCommand to set up SSH login to hosts that are behind the other SSH host.
 
minfrin
newbie
Topic Author
Posts: 37
Joined: Sat May 09, 2009 2:20 am

Re: How do you use ssh agent forwarding on the routeros ssh client?

Mon Nov 19, 2018 12:18 pm

Unfortunately port forwarding (whether using the command line or config) only allows you to jump one step past a mikrotik, and is therefore not useful in a secure environment.

Can you confirm when SSH agent forwarding will be supported?
 
lambert
Long time Member
Posts: 526
Joined: Fri Jul 23, 2010 1:09 am

Re: How do you use ssh agent forwarding on the routeros ssh client?

Mon Nov 19, 2018 7:01 pm

If you don't want to wait, VPNs, with as much crypto as SSH, are available now. I have run VPNs inside VPNs to get inside multiple layers of firewalls.
 
kiwibrew
just joined
Posts: 8
Joined: Tue Oct 04, 2011 3:08 am

Re: How do you use ssh agent forwarding on the routeros ssh client?

Fri Mar 22, 2019 4:39 am

This is also important to me. Since shifting to 100% keys this has made it very, very difficult to work with some VPN-connected devices.
 
HouleJm
just joined
Posts: 2
Joined: Fri Mar 22, 2019 7:49 am

Re: How do you use ssh agent forwarding on the routeros ssh client?

Fri Mar 22, 2019 7:52 am

Hi all,

I have routerboard B, that I need to ssh to via routerboard A. All user accounts are protected by SSH keys.

I am struggling to get ssh agent forwarding to work. When I log into routerboard A I can log in successfully, but when I log into routerboard B I am asked for a password, when I should log in automatically using agent forwarding.

The AllowAgentForwarding option on the sshd server makes this happen, how do I switch this on?

Regards,
Graham
--
It allows you to use your local SSH keys instead of leaving keys without passphrases sitting on your server.
 
eworm
Member
Posts: 340
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: How do you use ssh agent forwarding on the routeros ssh client?

Fri Mar 22, 2019 5:21 pm

You can use your Mikrotik devices as a jumphost. Just search for this keyword for details.

Example for openssh command line client:
ssh -J Mikrotik-A Mikrotik-B
You can use a chain with more than one jumphost.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
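
The jumphost chain from the post above, written as an OpenSSH client configuration on the workstation (an added example, not part of any post in this thread). Host aliases, addresses, user name and key path are constructed placeholders, and it is an assumption that the forwarding-enabled setting listed earlier in the thread is what lets each jump router relay the connection.

```sshconfig
# ~/.ssh/config on the workstation (constructed example; all values are placeholders)

# Settings shared by every router in the chain.
Host mikrotik-a mikrotik-b mikrotik-c
    User admin
    # The private key stays on the workstation only.
    IdentityFile ~/.ssh/routers_key
    IdentitiesOnly yes
    # No agent socket is exposed on any router along the path.
    ForwardAgent no

# First hop: reachable directly from the workstation.
Host mikrotik-a
    HostName 192.0.2.1

# Second hop: reached through a TCP forward opened on mikrotik-a.
# Assumption: mikrotik-a must permit SSH forwarding (forwarding-enabled).
Host mikrotik-b
    HostName 10.0.0.2
    ProxyJump mikrotik-a

# Third hop: ProxyJump resolves recursively, so this goes a -> b -> c.
Host mikrotik-c
    HostName 10.0.1.2
    ProxyJump mikrotik-b
```

With this in place, `ssh mikrotik-c` behaves like `ssh -J mikrotik-a,mikrotik-b mikrotik-c`. Each hop is authenticated end to end from the workstation, so the intermediate routers only relay an encrypted stream and never see the key or an agent.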
 
HouleJm
just joined
Posts: 2
Joined: Fri Mar 22, 2019 7:49 am

Re: How do you use ssh agent forwarding on the routeros ssh client?

Sat Mar 23, 2019 1:25 pm

Let's configure and test SSH forwarding using github as remote service to pull our code into the host MyBKExperience.
