current options are:
- use password
- use key-pair
- use both
default is use password - when you set account password in RouterOS you can use that password to log in using that user via any of the services (API, winbox, webfig, telnet, SSH)
use key-pair - only available for ssh login, when key is set for the user password login via SSH is disabled. that is also part of default behaviour
use both - in '/ip ssh' you can allow to use password login if you have set key-pair for the user.
I presume you're talking about the always-allow-password-login
option (set by default to no
) for the second method (use key-pair).
Ok, let's assume that a key has been added to the user and that option is set to no
(I've never touched it, it's still set to no
). Then how would you explain this debug log
, taken on one of my computers with the ssh client? I haven't provided the valid key intentionally to see if it works like is should and yet, the SSH service asks for the password not once, but whole three times
. Well, why would it ask for a password, if that method (combined with the above option, set to no
) is suppose to be disabled?
If you really don't understand what I'm trying to tell you, check here
for reference (4. Disabling Authentication by password
So, what am I experiencing - a feature or a bug?