blairell
just joined
Topic Author
Posts: 7
Joined: Wed Oct 17, 2018 5:38 am

cannot ssh to mikrotik rb750 with dsa key

Mon Nov 12, 2018 2:47 pm

Hello everyone,

I've been trying to set up SSH for my rb750 for a while, but can't get it to work and am wondering if I could get some pointers.
I've imported the public DSA key from my Red Hat system, but when I attempt to log in, I get the failure pasted below.
RB firmware version is 6.43.4

temp admin for testing on port 22-
ssh -vvv -l admin -i /home/user/.ssh/id_dsa 192.169.0.1

......

[user@workstation .ssh]$ ssh -v admin@192.169.0.1
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /home/user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to 192.169.0.1 [192.169.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version ROSSSH
debug1: no match: ROSSSH
debug1: Authenticating to 192.169.0.1:22 as 'admin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=20 dh_need=20
debug1: kex: diffie-hellman-group-exchange-sha256 need=20 dh_need=20
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
Received disconnect from 192.169.0.1 port 22:3:
Disconnected from 192.169.0.1 port 22
[user@workstation .ssh]$
Last edited by blairell on Tue Nov 13, 2018 3:32 am, edited 1 time in total.
 
blairell

Re: cannot ssh to mikrotik rb750 with dsa key

Mon Nov 12, 2018 2:59 pm

I should also add, there are no filter rules, and the only nat rule is one that is set to masquerade for the subnet range on ether2 that goes out ether1
 
msatter
Forum Guru
Posts: 1241
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: cannot ssh to mikrotik rb750 with dsa key

Mon Nov 12, 2018 4:29 pm

debug1: kex: host key algorithm: ssh-rsa

I would only use RSA and not DSA anymore.
 
blairell

Re: cannot ssh to mikrotik rb750 with dsa key

Tue Nov 13, 2018 3:29 am

Thanks for the reply msatter!
I switched back to RSA now after your post. I did DSA originally because the only documentation on this said we need to use DSA, so it must be out of date.

After switching to RSA, though, and adding it to user admin, I am still disconnected:

[user@workstation .ssh]$ ssh -v admin@192.169.0.1
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /home/user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to 192.169.0.1 [192.169.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version ROSSSH
debug1: no match: ROSSSH
debug1: Authenticating to 192.169.0.1:22 as 'admin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=20 dh_need=20
debug1: kex: diffie-hellman-group-exchange-sha256 need=20 dh_need=20
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
Received disconnect from 192.169.0.1 port 22:3:
Disconnected from 192.169.0.1 port 22
[user@workstation .ssh]$
 
eworm
Member
Posts: 393
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: cannot ssh to mikrotik rb750 with dsa key

Tue Nov 13, 2018 11:49 am

Looks like something is borked on the RouterOS side. You cannot even log in with a password, no? Try to regenerate the host keys:
/ip ssh regenerate-host-key
 
blairell

Re: cannot ssh to mikrotik rb750 with dsa key

Tue Nov 13, 2018 3:45 pm

That did the trick! Thank you, you're a legend!
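
Added example, not part of the original thread: both logs above stop right after `SSH2_MSG_KEX_DH_GEX_INIT sent` with disconnect reason code 3, which RFC 4253 defines as SSH_DISCONNECT_KEY_EXCHANGE_FAILED, so the session ended before any user key (DSA or RSA) was offered. The Python sketch below classifies `ssh -v` output by the last handshake stage reached; the stage names, the `diagnose` function and the second sample log are constructed for illustration.

```python
import re

# Ordered milestones in OpenSSH client `ssh -v` output. The last one reached
# before the disconnect shows which stage of the handshake failed.
MILESTONES = [
    ("tcp", r"Connection established"),
    ("banner", r"Remote protocol version"),
    ("kexinit", r"SSH2_MSG_KEXINIT received"),
    ("kex_sent", r"SSH2_MSG_KEX_\w+_INIT sent"),
    ("hostkey", r"Server host key:"),
    ("newkeys", r"SSH2_MSG_NEWKEYS received"),
    ("userauth", r"Authentications that can continue"),
    ("key_offer", r"Offering (?:\w+ )?public key"),
    ("success", r"Authentication succeeded"),
]
STAGES = [name for name, _ in MILESTONES]
# Subset of the disconnect reason codes in RFC 4253, section 11.1.
REASONS = {2: "PROTOCOL_ERROR", 3: "KEY_EXCHANGE_FAILED",
           14: "NO_MORE_AUTH_METHODS_AVAILABLE"}
DISCONNECT = re.compile(r"Received disconnect from \S+ port \d+:(\d+):")

def diagnose(log):
    """Return (last stage reached, disconnect reason, verdict)."""
    last, reason = -1, None
    for line in log.splitlines():
        for i, (_, pattern) in enumerate(MILESTONES):
            if i > last and re.search(pattern, line):
                last = i
        m = DISCONNECT.search(line)
        if m:
            reason = REASONS.get(int(m.group(1)), m.group(1))
    if last == STAGES.index("success"):
        verdict = "authenticated"
    elif last < STAGES.index("userauth"):
        verdict = "key exchange: no user key was offered, check the server's host keys"
    else:
        verdict = "user authentication: check the public key imported for the user"
    return (STAGES[last] if last >= 0 else None), reason, verdict

# Trimmed from the log posted in the thread.
THREAD_LOG = """debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version ROSSSH
debug1: SSH2_MSG_KEXINIT received
debug1: kex: host key algorithm: ssh-rsa
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
Received disconnect from 192.169.0.1 port 22:3:"""
# Constructed sample: a session that gets as far as user authentication.
AUTH_LOG = """debug1: SSH2_MSG_NEWKEYS received
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: /home/user/.ssh/id_rsa"""
```

For the thread's log, `diagnose(THREAD_LOG)` stops at `kex_sent` with `KEY_EXCHANGE_FAILED`, which points at the router's host keys rather than the imported user key.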
