ofirule
just joined
Topic Author
Posts: 15
Joined: Tue Mar 26, 2019 6:19 pm

ssh from routeros to linux server

Tue May 28, 2019 2:46 pm

I am trying to ssh from RouterOS ver 6.44.3 to an Ubuntu 16.04 Linux server with no success.

the following command works from any linux machine:
ssh -i my_private_key.pem ubuntu@myhost

I tried many variations on my routeros machine without success.

I guessed the following would work:
/user group add name=remote policy=ssh,read,write
/user add name=ubuntu group=remote password=Sup3rStr0ngPassw0rd
/user ssh-keys private import user=ubuntu private-key-file=my_private_key.pem public-key-file=my_public_key.pem passphrase=""
/system ssh address=myhost user=ubuntu src-address=mysrc

but I get back to the RouterOS terminal with the message "Welcome back!", instead of getting to my remote host.
 
sindy
Forum Guru
Posts: 3984
Joined: Mon Dec 04, 2017 9:19 pm

Re: ssh from routeros to linux server

Tue May 28, 2019 11:52 pm

You can always add a logging item for ssh - /system logging add topics=ssh - to see what actually went wrong.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
ofirule
just joined
Topic Author
Posts: 15
Joined: Tue Mar 26, 2019 6:19 pm

Re: ssh from routeros to linux server

Wed May 29, 2019 3:43 pm

I think I found a bug:
Basically I think the user flag in the /system ssh command is not working
and it also doesn't auto complete with available options


consider having the following user:
/user group add name=remote policy=ssh,read,write
/user add name=ubuntu group=remote password=Sup3rStr0ngPassw0rd
/user ssh-keys private import user=ubuntu private-key-file=my_private_key.pem public-key-file=my_public_key.pem passphrase=""
/system ssh address=myhost user=ubuntu src-address=mysrc

scenario 1 :
ssh admin@192.168.88.1
[admin@MikroTik] > system ssh myhost user=ubuntu                      

Welcome back!
# ssh from routeros not working

scenario 2:
ssh ubuntu@192.168.88.1
[ubuntu@MikroTik] > system ssh myhost
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-1083-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

135 packages can be updated.
0 updates are security updates.

New release '18.04.2 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


Last login: *****
ubuntu@ip-*****:~$ 
# ssh from routeros working
 
McSee
Frequent Visitor
Posts: 67
Joined: Tue Feb 26, 2019 12:49 pm

Re: ssh from routeros to linux server

Wed May 29, 2019 4:56 pm

ofirule wrote:
> I think I found a bug:
> Basically I think the user flag in the /system ssh command is not working
> and it also doesn't auto complete with available options

The user parameter is used to specify the remote user name, not the local one. Hence no autocomplete - no way for your MikroTik to obtain the user list from the remote system.
 
anav
Forum Guru
Posts: 3122
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ssh from routeros to linux server

Wed May 29, 2019 5:07 pm

Are you saying we need to reprogram/code the user? ;-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
sindy
Forum Guru
Posts: 3984
Joined: Mon Dec 04, 2017 9:19 pm

Re: ssh from routeros to linux server

Wed May 29, 2019 5:31 pm

ofirule wrote:
> I think I found a bug:
> Basically I think the user flag in the /system ssh command is not working
> and it also doesn't auto complete with available options

McSee wrote:
> The user parameter is used to specify the remote user name, not the local one. Hence no autocomplete - no way for your MikroTik to obtain the user list from the remote system.

The whole concept of using keys to authenticate ssh users to remote systems is that each local (in this case, Mikrotik) user has his "personal" key which he uses to authenticate himself as he connects to any remote system. To use the user parameter of /system ssh would break the idea that each user can only use its own "identity" (represented by the key) to authenticate himself to the remote system.

So the correct approach is to create a key of its own for each Mikrotik user who will be connecting to some user account on the remote server, and deliver the public keys of all the users to the remote server for access to those of its user accounts which should accept them.

The only purpose of the user parameter of /system ssh is to set the remote user name; by omitting it you tell the system to use the local user name for this purpose.
 
wise0tamas
just joined
Posts: 14
Joined: Sun Oct 03, 2010 1:12 am

Re: ssh from routeros to linux server

Wed May 29, 2019 5:55 pm

ofirule wrote:
> I tried many variations on my routeros machine without success.
>
> I guessed the following would work:
> /user group add name=remote policy=ssh,read,write
> /user add name=ubuntu group=remote password=Sup3rStr0ngPassw0rd
> /user ssh-keys private import user=ubuntu private-key-file=my_private_key.pem public-key-file=my_public_key.pem passphrase=""
> /system ssh address=myhost user=ubuntu src-address=mysrc
>
> but I get back to the routeros terminal with the message "Welcome back!", instead of getting to my remote host

You guessed it right :)
If you are logged in to RouterOS with local user "ubuntu", then you have access to the private ssh key, with which you can then login to any (linux, RouterOS, other) host if that ssh key is authorized to log in.
If you are logged in to RouterOS with another user (like admin), then you are not using the private key, which is only available to the RouterOS user you previously imported it to.
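
The server side of the approach sindy and wise0tamas describe, as an added example that is not part of any post in the thread: each RouterOS user's own public key is appended to the remote account's authorized_keys under a label naming that user, so admin can run /system ssh myhost user=ubuntu with its own key instead of borrowing ubuntu's. The function name, the routeros:<user> labels and the key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The keys below are constructed
# placeholders, not real key material; function and label names are hypothetical.
DEMO_KEY_ADMIN='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedAdminKey'
DEMO_KEY_UBUNTU='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedUbuntuKey'

# install_router_key HOME LABEL PUBKEY
#   HOME   home directory of the remote (Linux) account that should accept the key
#   LABEL  which RouterOS user owns the key, e.g. routeros:admin
#   PUBKEY one "<type> <base64>" public key line
# Returns 0 if installed or already present, 1 on filesystem errors,
# 2 on bad input, 3 if LABEL is already bound to a different key.
install_router_key() {
    home_dir=$1; label=$2; pubkey=$3
    ssh_dir="$home_dir/.ssh"; auth="$ssh_dir/authorized_keys"

    # The label becomes the key comment, so restrict it to one safe token.
    case $label in ''|*[!A-Za-z0-9:._-]*) return 2 ;; esac
    # Exactly one line of "<type> <base64>": rejects private keys and option prefixes.
    case $pubkey in *'
'*) return 2 ;; esac
    printf '%s\n' "$pubkey" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*$' ||
        return 2

    # sshd with StrictModes ignores authorized_keys that has loose permissions.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    blob=${pubkey#* }
    # Idempotent: the same key is never written twice.
    if awk -v b="$blob" '($2 "") == b { f = 1 } END { exit !f }' "$auth"; then return 0; fi
    # One identity per RouterOS user: refuse a second key under the same label.
    if awk -v l="$label" '($3 "") == l { f = 1 } END { exit !f }' "$auth"; then return 3; fi
    printf '%s %s\n' "$pubkey" "$label" >> "$auth"
}

# Demo in a scratch directory standing in for the ubuntu account's home on the server.
demo_home=$(mktemp -d)
install_router_key "$demo_home" routeros:admin  "$DEMO_KEY_ADMIN"
install_router_key "$demo_home" routeros:ubuntu "$DEMO_KEY_UBUNTU"
cat "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

Because every line carries the owning RouterOS user as its comment, access for one router user can be revoked by deleting that single line without touching the others.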
