w0lt
Member
Topic Author
Posts: 484
Joined: Wed Apr 02, 2008 2:12 pm
Location: Minnesota USA

RouterOS 6.30rc17

Thu Jun 11, 2015 4:54 pm

As with RouterOS 6.30rc13, the current beta release 6.30rc17 (SMIPS) does not have a wireless driver in the "All Architectures" zip package.

-tp
MTCNA - 2011

" The Bitterness of Poor Quality Remains Long After the Sweetness of Low Price is Forgotten "

honzam
Forum Guru
Posts: 2287
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: RouterOS 6.30rc17

Fri Jun 12, 2015 9:23 am

LAN, FTTx, Wireless. ISP operator
 
normis
MikroTik Support
Posts: 24212
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: RouterOS 6.30rc17

Fri Jun 12, 2015 9:48 am

yes
No answer to your question? How to write posts
 
eworm
Member
Posts: 393
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: RouterOS 6.30rc17

Fri Jun 12, 2015 3:00 pm

> *) ssh - added option '/ip ssh stong-crypto'

I suppose this should read strong-crypto, no? What exactly does this change?
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: RouterOS 6.30rc17

Fri Jun 12, 2015 3:19 pm

eworm wrote:
>> *) ssh - added option '/ip ssh stong-crypto'
> I suppose this should read strong-crypto, no? What exactly does this change?

it makes SSH connections more secure. SHA256 instead of SHA1 and MD5 is kicked out, longer DH, cipher-less connections are not allowed (one where you set ciphers=none) and stronger ciphers are preferred by the ssh server.

makes your SSH connection to the router slower :) due to better encryption. As most users do not require this (like managing routers from local area network) then old settings are deemed to have adequate security. Those that require higher security now can have it.

p.s. it is called '/ ip ssh strong-crypto' there is a typo in the changelog.
 
eworm
Member
Posts: 393
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: RouterOS 6.30rc17

Fri Jun 12, 2015 3:24 pm

janisk wrote:
>>> *) ssh - added option '/ip ssh stong-crypto'
>> I suppose this should read strong-crypto, no? What exactly does this change?
>
> it makes SSH connections more secure. SHA256 instead of SHA1 and MD5 is kicked out, longer DH, cipher-less connections are not allowed (one where you set ciphers=none) and stronger ciphers are preferred by the ssh server.
>
> makes your SSH connection to the router slower :) and slower due to better encryption. As most users do not require this (like managing routers from local area network) then old settings are deemed to have adequate security. Those that require higher security now can have an option to have it.
>
> p.s. yes it is called '/ ip ssh strong-crypto' there is a typo in the changelog.

Ah, really nice! Thanks! :D

Looks like this still does not bring support for RSA (or even ed25519), though.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: RouterOS 6.30rc17

Fri Jun 12, 2015 3:43 pm

RSA and for that matter ed25519 is not just a matter of flip-a-switch to enable them. We have to actually implement it. RSA currently is accepted as a feature request. Is not of a high priority.
 
eworm
Member
Posts: 393
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: RouterOS 6.30rc17

Wed Jul 01, 2015 9:10 am

janisk wrote:
> RSA and for that matter ed25519 is not just a matter of flip-a-switch to enable them. We have to actually implement it. RSA currently is accepted as a feature request. Is not of a high priority.

Just a quick heads-up on this topic. OpenSSH 6.9 has been released. The announcement lists some features that will be run-time disabled by default with the release of OpenSSH 7.0 in July:

> * Support for ssh-dss, ssh-dss-cert-* host and user keys will be run-time disabled by default.

You will still be able to enable it, but the default configuration will fail with RouterOS devices.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
rpr
just joined
Posts: 12
Joined: Mon Oct 24, 2011 4:47 pm

Re: RouterOS 6.30rc17

Fri Jul 10, 2015 8:08 pm

janisk wrote:
> p.s. it is called '/ ip ssh strong-crypto' there is a typo in the changelog.

On v. 6.30 I've tried to run that command but it gives an error:

    > /ip ssh strong-crypto
    bad command name strong-crypto (line 1 column 9)

I have the following packages enabled: advanced-tools, routeros-mipsbe, routing, security, system.
What could be the problem?

-- rpr.
 
grusu
Frequent Visitor
Posts: 97
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: RouterOS 6.30rc17

Sat Jul 11, 2015 12:17 am

/ip ssh set strong-crypto
 
rpr
just joined
Posts: 12
Joined: Mon Oct 24, 2011 4:47 pm

Re: RouterOS 6.30rc17

Sun Jul 12, 2015 12:54 am

I'm still getting an error:

    > /system identity export
    # jul/11/2015 23:49:35 by RouterOS 6.30
    # software id = JLR6-SIQJ
    #
    /system identity
    set name=gw.example.com

    > /ip ssh set ?
    Change properties of one or several items.

    always-allow-password-login -- allow password login when public key authorization is configured
    forwarding-enabled -- allows clients to connect to remote ports from server
    strong-crypto -- use stronger encryption, HMAC algorithms, use bigger DH primes and disallow weaker ones


    > /ip ssh set strong-crypto
    expected end of command (line 1 column 13)
 
eworm
Member
Posts: 393
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: RouterOS 6.30rc17

Mon Jul 20, 2015 9:51 am

eworm wrote:
>> RSA and for that matter ed25519 is not just a matter of flip-a-switch to enable them. We have to actually implement it. RSA currently is accepted as a feature request. Is not of a high priority.
>
> Just a quick heads-up on this topic. OpenSSH 6.9 has been released. The announcement lists some features that will be run-time disabled by default with the release of OpenSSH 7.0 in July:
> * Support for ssh-dss, ssh-dss-cert-* host and user keys will be run-time disabled by default.
> You will still be able to enable it, but the default configuration will fail with RouterOS devices.

Changes have been committed to git. Current development version can not connect to RouterOS devices:

    % git describe
    V_6_9_P1-32-gd56fd18
    % ./ssh host
    ssh_dispatch_run_fatal: Connection to XX.XX.XX.XX: no matching host key type found
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
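
Added example, not part of any post in this thread and not MikroTik or OpenSSH code: a small Python audit of an SSH server's algorithm offer (the SSH_MSG_KEXINIT payload, RFC 4253 section 7.1) that flags the weaknesses named above, i.e. the points janisk lists for strong-crypto and the ssh-dss-only host key behind the "no matching host key type found" failure. The field labels and both sample offers are constructed for illustration and are not what any RouterOS version actually sends.

```python
# The ten name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(offer):
    """Serialize {field: [names]} into a KEXINIT payload (builds the samples)."""
    lists = (",".join(offer.get(f, [])).encode("ascii") for f in FIELDS)
    body = b"".join(len(s).to_bytes(4, "big") + s for s in lists)
    # type 20, 16-byte cookie, lists, first_kex_packet_follows=0, reserved=0
    return bytes([20]) + bytes(16) + body + bytes(5)

def parse_kexinit(payload):
    """Return {field: [names]} from a KEXINIT payload; reject truncated input."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, offer = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for field in FIELDS:
        n = int.from_bytes(payload[pos:pos + 4], "big")  # uint32 length prefix
        if pos + 4 + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        offer[field] = raw.split(",") if raw else []
        pos += 4 + n
    return offer

def audit(offer):
    """Flag DSA-only host key, 'none' cipher, MD5/SHA1 MACs, 1024-bit DH group."""
    findings = []
    if offer["host_key"] and set(offer["host_key"]) <= {"ssh-dss"}:
        findings.append("host key: ssh-dss only")
    if "none" in offer["enc_c2s"] + offer["enc_s2c"]:
        findings.append("cipher: none offered")
    macs = set(offer["mac_c2s"] + offer["mac_s2c"])
    weak = sorted(m for m in macs if "md5" in m or m.startswith("hmac-sha1"))
    if weak:
        findings.append("mac: " + ",".join(weak))
    if "diffie-hellman-group1-sha1" in offer["kex"]:
        findings.append("kex: 1024-bit diffie-hellman-group1-sha1")
    return findings

# Constructed sample offers, not captured from a RouterOS device.
LEGACY = {"kex": ["diffie-hellman-group1-sha1"], "host_key": ["ssh-dss"],
          "enc_c2s": ["aes128-cbc", "none"], "enc_s2c": ["aes128-cbc", "none"],
          "mac_c2s": ["hmac-md5", "hmac-sha1"], "mac_s2c": ["hmac-md5", "hmac-sha1"]}
STRONG = {"kex": ["diffie-hellman-group-exchange-sha256"], "host_key": ["ssh-rsa"],
          "enc_c2s": ["aes256-ctr"], "enc_s2c": ["aes256-ctr"],
          "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"]}
```

To compare a device before and after, audit its offer with the option off and on; `strong-crypto` is a property of `/ip ssh set` and takes a value, as in `/ip ssh set strong-crypto=yes`.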
 
eworm
Member
Posts: 393
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: RouterOS 6.30rc17

Thu Jul 30, 2015 1:49 pm

Starting with RouterOS 6.31rc10 we have support for RSA keys! Thanks a lot Mikrotik!
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
