
cannot ssh to mikrotik rb750 with dsa key

Posted: Mon Nov 12, 2018 2:47 pm
by blairell
Hello everyone,

I've been trying to set up ssh for my rb750 for a while, but can't get it to work and am wondering if I could get some pointers.
I've imported the public dsa key from my redhat system, but when I attempt to log in, I get a failure, pasted below.
RB firmware version is 6.43.4

temp admin for testing on port 22-
ssh -vvv -l admin -i /home/user/.ssh/id_dsa 192.169.0.1

......

[user@workstation .ssh]$ ssh -v admin@192.169.0.1
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /home/user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to 192.169.0.1 [192.169.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version ROSSSH
debug1: no match: ROSSSH
debug1: Authenticating to 192.169.0.1:22 as 'admin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=20 dh_need=20
debug1: kex: diffie-hellman-group-exchange-sha256 need=20 dh_need=20
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
Received disconnect from 192.169.0.1 port 22:3:
Disconnected from 192.169.0.1 port 22
[user@workstation .ssh]$

Re: cannot ssh to mikrotik rb750 with dsa key

Posted: Mon Nov 12, 2018 2:59 pm
by blairell
I should also add, there are no filter rules, and the only NAT rule is one that is set to masquerade for the subnet range on ether2 that goes out ether1.

Re: cannot ssh to mikrotik rb750 with dsa key

Posted: Mon Nov 12, 2018 4:29 pm
by msatter
debug1: kex: host key algorithm: ssh-rsa

I would only use RSA and not DSA anymore.

Re: cannot ssh to mikrotik rb750 with dsa key

Posted: Tue Nov 13, 2018 3:29 am
by blairell
Thanks for the reply msatter!
I switched back to rsa now after your post. I did dsa originally because the only documentation on this said we need to use dsa, so it must be out of date.

After switching to rsa though and adding it to user admin, I am still disconnected.

[user@workstation .ssh]$ ssh -v admin@192.169.0.1
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /home/user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to 192.169.0.1 [192.169.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version ROSSSH
debug1: no match: ROSSSH
debug1: Authenticating to 192.169.0.1:22 as 'admin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=20 dh_need=20
debug1: kex: diffie-hellman-group-exchange-sha256 need=20 dh_need=20
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
Received disconnect from 192.169.0.1 port 22:3:
Disconnected from 192.169.0.1 port 22
[user@workstation .ssh]$

Re: cannot ssh to mikrotik rb750 with dsa key

Posted: Tue Nov 13, 2018 11:49 am
by eworm
Looks like something is borked on the RouterOS side. You cannot even log in with a password, no? Try to regenerate the host keys:
/ip ssh regenerate-host-key
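
Added example, not part of any poster's message: a small Python check that reads `ssh -v` output and reports how far the handshake got. On the trace from this thread it shows the disconnect arriving during key exchange, before the server's host key is received and before any user key is offered, which is why swapping DSA for RSA changed nothing. The patterns are OpenSSH client debug strings; the function name and verdict labels are made up for this example, and the second sample log is constructed.

```python
import re

# Client-side milestones in the order `ssh -v` prints them (OpenSSH debug1 text).
MILESTONES = [
    ("tcp", r"Connection established"),
    ("banner", r"Remote protocol version"),
    ("kexinit", r"SSH2_MSG_KEXINIT received"),
    ("kex_sent", r"SSH2_MSG_KEX_\w+_INIT sent|expecting SSH2_MSG_KEX_\w+_REPLY"),
    ("host_key", r"Server host key:"),
    ("newkeys", r"SSH2_MSG_NEWKEYS received"),
    ("userauth", r"Authentications that can continue"),
    ("key_offered", r"Offering .*public key"),
    ("authenticated", r"Authentication succeeded"),
]
DROPPED = r"Received disconnect from|Connection closed by|Connection reset by"

def diagnose(log):
    """Return the last milestone reached and a coarse verdict (labels are hypothetical)."""
    reached = [name for name, pat in MILESTONES if re.search(pat, log)]
    dropped = re.search(DROPPED, log) is not None
    if "authenticated" in reached:
        verdict = "ok"
    elif "userauth" in reached:
        verdict = "user-auth"    # handshake finished; look at user keys or passwords
    elif dropped and "kex_sent" in reached and "host_key" not in reached:
        verdict = "server-kex"   # dropped before the server sent its signed host key
    else:
        verdict = "transport"
    return {"last": reached[-1] if reached else None,
            "user_key_offered": "key_offered" in reached,
            "verdict": verdict}

# Excerpt of the trace posted in this thread.
THREAD_LOG = """debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version ROSSSH
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
Received disconnect from 192.169.0.1 port 22:3:
"""
# Constructed trace of a handshake that completes and then fails at user authentication.
CONSTRUCTED_AUTH_LOG = THREAD_LOG.rsplit("Received", 1)[0] + """debug1: Server host key: ssh-rsa SHA256:CONSTRUCTED
debug1: SSH2_MSG_NEWKEYS received
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: /home/user/.ssh/id_rsa
"""

if __name__ == "__main__":
    print(diagnose(THREAD_LOG))
    print(diagnose(CONSTRUCTED_AUTH_LOG))
```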

Re: cannot ssh to mikrotik rb750 with dsa key

Posted: Tue Nov 13, 2018 3:45 pm
by blairell
That did the trick! Thank you, you're a legend!