Community discussions

 
MartinT
newbie
Topic Author
Posts: 26
Joined: Wed Jul 22, 2009 1:28 am
Location: CZ

v5.5 bug: after ssh-keys password login via ssh is blocked

Tue Jul 19, 2011 3:29 am

After adding ssh-keys for user, this user is no more allowed to login via ssh by password. Tested from another RouterOS (simply ask for password again) and from Linux box ("Permission denied, please try again."). Confirmed in v5.4 too.

Another type of login looks working (console and mac-telnet tested).

Don't think it is so bad behaviour, but if this is "feature", users should be noticed somewhere (manual ?) and should have control over it.
MartinT
 
fewi
Forum Guru
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: v5.5 bug: after ssh-keys password login via ssh is block

Tue Jul 19, 2011 3:57 am

It is confirmed as a "feature".
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
 
fabsoft
newbie
Posts: 28
Joined: Wed May 11, 2011 12:20 pm

Re: v5.5 bug: after ssh-keys password login via ssh is block

Thu Jul 21, 2011 12:45 pm

it's a BUG!
all openssh system handle it correctly.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: v5.5 bug: after ssh-keys password login via ssh is block

Thu Jul 21, 2011 4:20 pm

What is considered "correct handling"?
 
szuwar
just joined
Posts: 12
Joined: Mon Aug 08, 2011 11:35 am

Re: v5.5 bug: after ssh-keys password login via ssh is block

Mon Aug 08, 2011 11:43 am

And what exactly that "feature" is doing?

making login via ssh worst and harder than any other openssh system ?

user should be able to configure whatever he wants only key or key/password logins - the default should be both

"correct handling" - means default behavior implemented in any other openssh system and considered by users as correct
 
User avatar
jp
Long time Member
Long time Member
Posts: 599
Joined: Wed Mar 02, 2005 5:06 am
Location: Maine
Contact:

Re: v5.5 bug: after ssh-keys password login via ssh is block

Thu Aug 11, 2011 11:35 pm

I'm using 5.6 and noticed similar ssh problems.

Setting up a rb750GL which comes with 5.2ish, I can not use SCP to update the firmware. Have to use FTP. This is regardless of wheter admin has a password assigned yet.

Updated to 5.6 and see the SSH problems discussed here. I don't use the older version, so I can't know for 5.5 or 5.2.

I also put it on a 433ah and see similar.

ssh with keys works and disables ssh access from that host. This isn't a feature. It should only disable access from a user at that host if it were a feature. All users at the remote host can't get in with a password after setting up a key on the MT. keys are for individual accounts on a host, not for the whole host and not for other hosts connecting to admin.

Here's an example where I setup a key on the MT to accept passwordless admin connections from my jp@huehuetenango account. After setting this up, I can not ssh in as admin from anywhere except that username on that host. Other accounts on the same machine also can not connect. Telnet, winbox, ftp, are not affected.
ptyler@huehuetenango:~> ssh admin@69.39.112.241
admin@69.39.112.241's password: 
Permission denied, please try again.
admin@69.39.112.241's password: 
Permission denied, please try again.
admin@69.39.112.241's password: 
Permission denied (password).
ptyler@huehuetenango:~> exit
logout
huehuetenango:~ # exit
logout
jp@huehuetenango:~> ssh admin@69.39.112.241








  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 5.6 (c) 1999-2011       http://www.mikrotik.com/

Property of Midcoast Internet Solutions 2075948277 or www.midcoast.com
Unauthorized access will be prosecuted. 
All Access is logged.
  
[admin@squirrelap] > quit
interrupted
           Connection to 69.39.112.241 closed.
jp@huehuetenango:~> exit
logout
Connection to 10.0.0.7 closed.
jp@travelmug:~> ssh admin@69.39.112.241
admin@69.39.112.241's password: 
Permission denied, please try again.
admin@69.39.112.241's password: 
Permission denied, please try again.
admin@69.39.112.241's password: 
Permission denied (password).
jp@travelmug:~> 
It is also worth mentioning as others have that using keys should not prevent password access; thats the way the old 4.x and 3.x routerOS works.

I use keys for automated access (backups locking and unlocking customers, things you can't do with snmp, etc...) and password access ssh is used for interactive staff use.

Also a bug related to this is that it does not log these failed ssh access attempts. This last problem inclines my mind to think it's not a feature.
 
rotten777
Frequent Visitor
Frequent Visitor
Posts: 98
Joined: Thu Dec 17, 2009 5:21 am

Re: v5.5 bug: after ssh-keys password login via ssh is block

Mon Aug 15, 2011 5:23 pm

Is there a way to disable this feature?
 
fewi
Forum Guru
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: v5.5 bug: after ssh-keys password login via ssh is block

Mon Aug 15, 2011 5:26 pm

Nope.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: v5.5 bug: after ssh-keys password login via ssh is block

Tue Aug 16, 2011 10:11 am

change was made in 5.0rc2. Where changelog message explained - if ssh-key is set, logins using password are disabled. Feature is there, that if you feel like having keys for router login less secure option is not used. That is security measure.

We are considering different options for this, but currently it will stay as it is.
 
MartinT
newbie
Topic Author
Posts: 26
Joined: Wed Jul 22, 2009 1:28 am
Location: CZ

Re: v5.5 bug: after ssh-keys password login via ssh is block

Tue Aug 16, 2011 10:54 am

change was made in 5.0rc2. Where changelog message explained - if ssh-key is set, logins using password are disabled. Feature is there, that if you feel like having keys for router login less secure option is not used. That is security measure.
Thank you for pointing me to CHANGELOG, I found it in 5.0beta5 changes (mentioned 5.0rc2 does not speak about ssh at all). IMHO it should be presented to users as feature, best place is manual. Nice will be to give users control over it => feature request.
MartinT
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: v5.5 bug: after ssh-keys password login via ssh is block

Tue Aug 16, 2011 11:59 am

It is already added in the manual as a warning
http://wiki.mikrotik.com/wiki/Manual:Ro ... A#SSH_Keys
 
rotten777
Frequent Visitor
Frequent Visitor
Posts: 98
Joined: Thu Dec 17, 2009 5:21 am

Re: v5.5 bug: after ssh-keys password login via ssh is block

Tue Aug 16, 2011 3:08 pm

change was made in 5.0rc2. Where changelog message explained - if ssh-key is set, logins using password are disabled. Feature is there, that if you feel like having keys for router login less secure option is not used. That is security measure.
Thank you for pointing me to CHANGELOG, I found it in 5.0beta5 changes (mentioned 5.0rc2 does not speak about ssh at all). IMHO it should be presented to users as feature, best place is manual. Nice will be to give users control over it => feature request.

I second that as a feature request.
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: v5.5 bug: after ssh-keys password login via ssh is block

Tue Aug 16, 2011 3:56 pm

yes we are considering that and assessing consequences. At the moment you can add several certificates for each account, aslo, it is possible to add private key to log through ssh from one router to another with the key.

IMHO - password authentication alone is bad thing, should use key with authorisation.
 
User avatar
jp
Long time Member
Long time Member
Posts: 599
Joined: Wed Mar 02, 2005 5:06 am
Location: Maine
Contact:

Re: v5.5 bug: after ssh-keys password login via ssh is block

Tue Aug 16, 2011 7:34 pm

It's kinda foolish to block password ssh login (when keys are used), but still allow telnet and ftp access out-of-the-box if better-than-password security is indeed the goal. Since I can't scp a file, I'll ftp it instead.

It's a worthwhile option, but shouldn't replace the way it's been done.

I use the firewall to block ssh, telnet, and ftp from everywhere but my own networks. It's only a couple of lines to setup.
 
rotten777
Frequent Visitor
Frequent Visitor
Posts: 98
Joined: Thu Dec 17, 2009 5:21 am

Re: v5.5 bug: after ssh-keys password login via ssh is block

Tue Aug 16, 2011 11:06 pm

yes we are considering that and assessing consequences. At the moment you can add several certificates for each account, aslo, it is possible to add private key to log through ssh from one router to another with the key.

IMHO - password authentication alone is bad thing, should use key with authorisation.
I agree but I have over 30 locations with Mikrotik routers and if I happen to somehow be without my laptop or home workstation, I don't have my DSA key handy to ssh in to fix problems. It limits my travel ;)
 
virtman
newbie
Posts: 31
Joined: Mon Dec 12, 2016 11:31 am

Re: v5.5 bug: after ssh-keys password login via ssh is blocked

Wed Dec 28, 2016 9:09 am

Hi,

I can't understand why this limitation is included. I agree to have available the option to "disable passwords when ssh-keys", but as an option.

So, please can you add the option for enable/disable this functionality?
 
teamer
just joined
Posts: 21
Joined: Mon Sep 12, 2016 9:18 am

Re: v5.5 bug: after ssh-keys password login via ssh is blocked

Wed Dec 28, 2016 9:24 am

What RouterOS version are you using?
In contemporary ones
/ip ssh set always-allow-password-login=yes
 
virtman
newbie
Posts: 31
Joined: Mon Dec 12, 2016 11:31 am

Re: v5.5 bug: after ssh-keys password login via ssh is blocked

Wed Jan 04, 2017 10:14 am

Hi Teamer,

Thanks a lot! This is that I need... and referenced at http://wiki.mikrotik.com/wiki/Manual:IP/SSH
The problem is that isn't in Winbox, and it's poorly described.

Regards.
 
asmpro
just joined
Posts: 1
Joined: Mon Nov 20, 2017 10:00 am

Re: v5.5 bug: after ssh-keys password login via ssh is blocked

Mon Nov 20, 2017 10:04 am

I find this behavior extremely strange. You should have some on/off switch for this feature you call it, or at least comply with the SSH protocol and not offering password authentication it this case.
Here is the output of debug openssh client session:
debug1: Authentications that can continue: publickey,password

Regards.
 
LaKing
just joined
Posts: 15
Joined: Fri Oct 05, 2018 5:56 am

Re: v5.5 bug: after ssh-keys password login via ssh is blocked

Tue Oct 29, 2019 5:54 am

This "feature" does not really make sense.

At least webfig works with the password.

The workaround is to have an ssh user with keys set, and another ssh user with a password and no keys to be used with ssh.
.. Weird ...
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8319
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: v5.5 bug: after ssh-keys password login via ssh is blocked

Tue Oct 29, 2019 11:55 am

https://wiki.mikrotik.com/wiki/Manual:IP/SSH#Settings
always-allow-password-login (yes | no; Default: no)

Whether to allow password login at the same time when public key authorization is configured.
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.

Who is online

Users browsing this forum: MSN [Bot] and 118 guests