Community discussions

 
upower3
Member
Member
Topic Author
Posts: 381
Joined: Thu May 07, 2015 11:46 am

6.43 change in login process and API libraries?

Thu Jul 05, 2018 12:16 pm

As I can see in 6.43rc changelog, there'll be very strange (ok, unexpected) news:
!) api - changed authentication process (https://wiki.mikrotik.com/wiki/Manual:API#Initial_login);
In fact, the login process should send login data differently:

Pre-6.43 login looks like this:
/login
 !done
=ret=ebddd18303a54111e2dea05a92ab46b4
/login
=name=admin
=response=001ea726ed53ae38520c8334f82d44c9f2
 !done
6.43+ process should be like this:
/login
=name=admin
=password=
 !done
Dispute the general idea if the change is necessary at all, I expect all old API libraries (see https://wiki.mikrotik.com/wiki/Manual:API#API_examples) become obsolete, isn't it?

So my question is, will there be a way to keep login process as it was before? And, will there be any recommended changes to API libs to reflect these two different way of login and how API lib can tell the difference to choose right way while login?
 
highonsnow
newbie
Posts: 34
Joined: Fri Oct 19, 2007 3:30 am

Re: 6.43 change in login process and API libraries?

Wed Sep 12, 2018 4:28 pm

We've just tested the API with a PHP API class and we're still able to communicate and operate on the Mikrotik with v6.43. No changes were required thankfully.
 
upower3
Member
Member
Topic Author
Posts: 381
Joined: Thu May 07, 2015 11:46 am

Re: 6.43 change in login process and API libraries?

Wed Sep 12, 2018 4:46 pm

We've just tested the API with a PHP API class and we're still able to communicate and operate on the Mikrotik with v6.43. No changes were required thankfully.
Great news! Hold my RBs upgrade due to automation setup via such 'old' lib, now will test!
 
highonsnow
newbie
Posts: 34
Joined: Fri Oct 19, 2007 3:30 am

Re: 6.43 change in login process and API libraries?

Wed Sep 12, 2018 4:56 pm

Watch out for the Winbox lockout - people are reporting login issues after the upgrade at viewtopic.php?f=21&t=138995
 
lweidig
just joined
Posts: 15
Joined: Mon May 01, 2006 4:56 pm
Location: Sheboygan, WI
Contact:

Re: 6.43 change in login process and API libraries?

Thu Oct 25, 2018 5:27 pm

This does not apparently seem to be a forced change on how the login process works with the API. We have upgraded an in house device to 6.43.4 so that we could begin testing as we use the API service for a lot of in house functionality. If we still send the /login on its own we are receiving the =ret=... response and it still appears to work just fine. In fact none of our code was changed and we login without issue.

Is this supposed to be the case? Is this method planned to be eliminated in the near future?

Thanks!
 
sff
just joined
Posts: 13
Joined: Fri Aug 13, 2010 5:15 pm

Re: 6.43 change in login process and API libraries?

Wed Jul 03, 2019 9:03 pm

Is there a fix out for this for PERL? Just upgraded a few devices from 6.44.x to 6.45.1 and now the API fails to log in. I have been using the CPAN installable which says it is version 1.0.5 and is up to date.

I had forgotten about the change last year to the API login process, but it now appears to be forced to the new method for 6.45 and forward. Is there any patch I can install to 1.0.5 to get this fixed? Maintaining 300+ Mikrotiks from a database and having a broken API slows me down.

Of course I can fix it myself if someone can explain what the change actually is. The manual says to now send =PASSWORD= on the first call, then send the user/password in plain text in the first command. Do I just send it =NAME=admin=PASSWORD=[password]???
 
sff
just joined
Posts: 13
Joined: Fri Aug 13, 2010 5:15 pm

Re: 6.43 change in login process and API libraries?

Wed Jul 03, 2019 9:49 pm

Well that was easy...figured it out and patched my installed copy of the API code. I'll see if I can get this pushed as a change to the CPAN 1.0.5 version. Won't be today though, I've got testing to do on 6.45.1.

For those of you in the US, have a great holiday!

Code below. Added six lines, wrapping the old login code inside an if for failure of the new method: Indentation is what makes it look like a huge change.

root@blinkBSD:/usr/local/lib/perl5/site_perl/MikroTik # diff API.pm API_1.0.5.pm
151a152
>
153,154d153
< push( @command, '=name=' . $self->get_username() );
< push( @command, '=password=' . $self->get_password() );
155a155,167
> if ( $retval > 1 ) {
> die 'error during establishing login: ' . $results[0]{'message'};
> }
> my $challenge = pack("H*",$results[0]{'ret'});
> my $md5 = Digest::MD5->new();
> $md5->add( chr(0) );
> $md5->add( $self->get_password() );
> $md5->add( $challenge );
>
> @command = ('/login');
> push( @command, '=name=' . $self->get_username() );
> push( @command, '=response=00' . $md5->hexdigest() );
> ( $retval, @results ) = $self->talk( \@command );
158,176c170
< @command = ('/login');
< ( $retval, @results ) = $self->talk( \@command );
< if ( $retval > 1 ) {
< die 'error during establishing login: ' . $results[0]{'message'};
< }
< my $challenge = pack("H*",$results[0]{'ret'});
< my $md5 = Digest::MD5->new();
< $md5->add( chr(0) );
< $md5->add( $self->get_password() );
< $md5->add( $challenge );
<
< @command = ('/login');
< push( @command, '=name=' . $self->get_username() );
< push( @command, '=response=00' . $md5->hexdigest() );
< ( $retval, @results ) = $self->talk( \@command );
< die 'disconnected while logging in' if !defined $retval;
< if ( $retval > 1 ) {
< die $results[0]{'message'};
< }
---
> die $results[0]{'message'};
179c173
< print 'Logged in to '. $self->get_host() .' as '. $self->get_username() ."\n";
---
> print 'Logged in to '. $self->get_host() .' as '. $self->get_username() ."\n";
root@blinkBSD:/usr/local/lib/perl5/site_perl/MikroTik #
 
FezzFest
newbie
Posts: 31
Joined: Wed Jun 03, 2015 12:03 am

Re: 6.43 change in login process and API libraries?

Thu Jul 04, 2019 11:24 pm

This change can't be serious? Instead of challenge/response authentication the username and password are now sent in clear text?
 
highonsnow
newbie
Posts: 34
Joined: Fri Oct 19, 2007 3:30 am

Re: 6.43 change in login process and API libraries?

Thu Jul 04, 2019 11:57 pm

"Progress"
 
SergeS
just joined
Posts: 13
Joined: Fri Mar 25, 2016 6:23 am

Re: 6.43 change in login process and API libraries?

Wed Jul 24, 2019 1:31 am

Mikrotik, are there any explanations?
"Instead of challenge/response authentication the username and password are now sent in clear text?"
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5921
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: 6.43 change in login process and API libraries?

Wed Jul 24, 2019 11:43 am

Where traffic can be easily sniffed by 3rd parties you should establish secure connection anyway.
 
marting
Member Candidate
Member Candidate
Posts: 147
Joined: Thu Aug 21, 2014 2:07 pm

Re: 6.43 change in login process and API libraries?

Thu Jul 25, 2019 6:51 pm

Is there a fix out for this for PERL? Just upgraded a few devices from 6.44.x to 6.45.1 and now the API fails to log in. I have been using the CPAN installable which says it is version 1.0.5 and is up to date.
Sorry, I missed the fact that the old method has been removed with 6.45.
The changes (previously only on GitHub) are now also available with CPAN: https://metacpan.org/pod/MikroTik::API (v1.1.0). It precedencs new method and falls back to the old one.
Please test it carefully before production use, there were many PullRequests included in this release. Also some changed error handling (not dying so fast but use of errorcodes).

Also not very happy with plaintext auth method introduced with 6.43 (why???). So I postponed the release quite long.
 
SergeS
just joined
Posts: 13
Joined: Fri Mar 25, 2016 6:23 am

Re: 6.43 change in login process and API libraries?

Thu Jul 25, 2019 10:59 pm

"Where traffic can be easily sniffed by 3rd parties you should establish secure connection anyway."

Ok, now on not secured connection we have to pass password as open plain text, which is unsecured even more :-(.
Are there any advantages of post-6.43 login method?
 
upower3
Member
Member
Topic Author
Posts: 381
Joined: Thu May 07, 2015 11:46 am

Re: 6.43 change in login process and API libraries?

Fri Jul 26, 2019 12:01 am

So to say, enable access from only trusted net is still best approach.

API is yet better thing in compare to ssh, but from insecure nets ssh can be used. Harder to integrate to scripts, yes.
 
marting
Member Candidate
Member Candidate
Posts: 147
Joined: Thu Aug 21, 2014 2:07 pm

Re: 6.43 change in login process and API libraries?

Fri Jul 26, 2019 12:17 am

At client side one call less is necessary to login. The only (extremely unimportant) thing I can say. I love MT products but the release policy is quite silly. There is also no explanation for those decisions like "killing MD5 saves xx% resources on the router" or something like that. Consequence is that most people will use ssl and set ssl_verify to none and think they are safe.
An absolutely unnecessary change in my opinion.
 
upower3
Member
Member
Topic Author
Posts: 381
Joined: Thu May 07, 2015 11:46 am

Re: 6.43 change in login process and API libraries?

Fri Jul 26, 2019 12:20 am

Hey, this way we will one day say "please add let's encrypt support" :)

The sad side many routers are far from the internet access themselfs anyway.

Silly policy, indeed. No sign it will be better one day.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5921
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: 6.43 change in login process and API libraries?

Fri Jul 26, 2019 11:24 am

The reason is new password storage. To keep md5 we would need to store password in plain text on the router, which is not what we want.
Do you use tenet over unsecure networks? I think not, most likely you will chose ssh instead. With api is the same, consider unsecure api as telnet, and api over ssl as ssh.

Who is online

Users browsing this forum: No registered users and 9 guests