
remote ssh via script

Posted: Fri Mar 29, 2013 2:13 pm
by drdrdr
Hi,

I have a script that should run a command on a remote MikroTik. I made keys and tested it. It works. But the problem is to put it in a script.

This script named "disable_ether5" looks like this:
/system ssh 172.19.3.12 "/interface ethernet disable ether5"
If I run it in terminal like this:
/system script run disable_ether5
it works, but if I press "Run Script" button in winbox it does not work.

The main problem is that it also does not work in Netwatch.

Re: remote ssh via script

Posted: Sat Mar 30, 2013 12:04 am
by skot
I had this problem a while back using v5.7: http://forum.mikrotik.com/viewtopic.php?f=9&t=62260, never found an answer... but I have not tried it again on more recent versions.

MikroTik says Netwatch won't work with private keys: http://forum.mikrotik.com/viewtopic.php ... 13#p337605

Re: remote ssh via script

Posted: Mon Apr 01, 2013 12:25 am
by drdrdr
Thank you. They should make it possible to give owner of Netwatch.

Re: remote ssh via script

Posted: Mon Apr 01, 2013 5:56 pm
by jgellis
I have used the following work around in several other scripts, it may work for you as well (even to answer the netwatch issue).

Create the desired script as a scheduler event (in this example it will be named "netwatchsch1").
In your netwatch action, update the scheduled start-time to 1 second in the future using the following:
/system scheduler set [find name=netwatchsch1] start-time=([/sys clock get time] + 0:0:1)
This will allow a Netwatch action to execute under the user that created the scheduled event and thus, should overcome the certificate issues. Remember that the certificates of the scheduled event owner will be used and the scheduled event owner is the user that created the event in the first place.

Re: remote ssh via script

Posted: Tue Apr 02, 2013 1:03 am
by drdrdr
When I read your message it all sounded logical, and I thought "This is it!", but it does not work.
I did not even use Netwatch. I only made a Scheduler that is triggering every two seconds, but nothing happens. Triggering the script from terminal still works.
I only have one user on both routers (admin), so owner of keys, scripts and scheduler is same.

PS.
I have deleted keys on both routers, but sending commands from terminal still worked. I was frustrated, then I noticed that if username and password are same on both routers, keys are not needed. I changed password, and used keys for further testing.

I have used v5.24 on RB450 on both routers. I have also tested this on clean mikrotiks in VMware.

Thank you

Re: remote ssh via script

Posted: Tue Apr 02, 2013 4:50 pm
by janisk
everything that looks suspiciously interactive, like ssh login or telnet login will not work if ran from scheduler or script.

Re: remote ssh via script

Posted: Thu May 16, 2013 9:41 pm
by scampbell
I have a similar issue, running RoS 5.24. I have set up the user admin-ssh on both routers, given them FULL rights (for now), and loaded the Public Key on the Host and Private & Public Keys on the client.

The script owner is admin-ssh

If I execute the script from a New Terminal in Winbox (logged into Winbox as admin-ssh on the client router) and do "/system script run scriptname" it works with no interaction.

If I try and run the same script in the same Winbox session (logged in as admin-ssh) by selecting it from the script list and select Run Script it starts and logs the first info message but gets no further. Anything from the SSH command onwards is not executed.

No sign of a connection attempt on the host router in the ssh debug log either.

Here is the script:-

/log info "Running SSH test"
/system ssh x.x.x.x user=admin-ssh "/log error \"Here I am\"";
/log error "SSH Communicated to x.x.x.x";

Re: remote ssh via script

Posted: Fri May 17, 2013 4:35 pm
by janisk
it is not possible to execute interactive commands from other scripts via script.

If you open terminal it is OK
if that is done via script = nothing happens.

Re: remote ssh via script

Posted: Fri Nov 08, 2013 2:02 pm
by P0intLess
Still no progress on the problem? 6.6 is already out today... Oh when we routeros users will be happy to have remote ssh commands called from scripts working?... :-x

Re: remote ssh via script

Posted: Mon Dec 09, 2013 6:59 pm
by Ehman
This is lame... I want to make a script that change somethings on 20 AP's via ssh, but hmmmm nooo ...I cant! ...because Mikrotik doesn't want me to be lazy, and Mikrotik wants me to login into each router and change stuff. I don't get the point of not allowing it, I like my stuff to be automated, I like my scripts to run then I'm drinking or sleeping or out, if a problem gets detected I want a script to run, can't here... Mikrotik :?

Re: remote ssh via script

Posted: Mon Dec 09, 2013 7:04 pm
by Ehman
it is not possible to execute interactive commands from other scripts via script.

If you open terminal it is OK
if that is done via script = nothing happens.
/system ssh 1.2.3.4 user=admin "/log print "hello";
It asked me for a password, I want to put my password into my scripts, and btw, it takes a password to log into my routers, but I want my routers to give each other commands when triggered

Re: remote ssh via script

Posted: Sun Dec 15, 2013 11:08 am
by pwuk
Well you get around the requirement for interaction and passwords by using ssh keys, however that doesn't help when you run the script from the scheduler

Here's my script:
add name=remotebackup policy=read,write,test source="/log info \"start backup\"; /log info \"Get R1\"; /system ssh 1.2.3.4 user=backup \"export compact\" output-to-file=autobackup_R1 ; /log info \"end backup\""

When you run /system script run 0
(R0) 08:59:46 script,info start backup
(R0) 08:59:46 script,info Get R1
(R1) 08:59:46 ssh,info publickey accepted for user: backup
(R1) 08:59:46 system,info,account user backup logged in from 1.2.3.4 via ssh
(R1) 08:59:47 system,info,account user backup logged out from 1.2.3.4 via ssh
(R0) 08:59:47 script,info end backup

However when the scheduler runs
09:01:21 script,info start backup
09:01:21 script,info Get R1

And that's it, when the scheduler runs the script it doesn't even attempt to log in -- no traffic on the wire.

Re: remote ssh via script

Posted: Sun Jan 05, 2014 7:08 pm
by drdotti
Hi,

I have the same problem.

http://forum.mikrotik.com/viewtopic.php ... 01#p402501

Kind regards,

Klaus

Re: remote ssh via script

Posted: Tue Jan 07, 2014 7:57 pm
by maliha
I think you need to escape the special characters in the string


Re: remote ssh via script

Posted: Sat Sep 20, 2014 4:54 am
by jumanor
hello
I have the same problem
It's frustrating !!!!!! :(

Re: remote ssh via script

Posted: Wed Sep 09, 2015 12:14 am
by xollis
Did this ever get resolved? I am having a similar issue and was hoping to find an answer.

Re: remote ssh via script

Posted: Tue Sep 29, 2015 4:24 pm
by voz
Two years and a half! The issue is still there and no solution from MikroTik.
that's really cool!
here is my scenario. I have router and the NAS. script saves config then logs in to NAS and run auto-fetching ftp command to get backup config file
/log info message="Backup run";
/system backup save name=backup/auto.backup; 
/log info message="pre SSH"; 
/system ssh user=<user> address=<host> command="ftp ftp://<backup_user>:<pass>@router/%2Fbackup%2Fauto.backup -o /<path to backup>/auto-`date +%F`.backup"
/log info message="post SSH"; 
script works from terminal, but doesn't by clicking the RunScript button in webfig, neither by Scheduler event - it fails after pre SSH message

the only way I see - run my script by ssh login from NAS via crond :lol:

Re: remote ssh via script

Posted: Thu Apr 07, 2016 9:48 pm
by satish143
Guys! any solution? I need this option badly to sync two VRRP MT. This is stupid issue. why SSH not allowed to run over script? :? :? :?

Re: remote ssh via script

Posted: Fri Apr 08, 2016 3:33 pm
by voz
Guys! any solution? I need this option badly to sync two VRRP MT. This is stupid issue. why SSH not allowed to run over script? :?
You not feel the Power of ssh-script-running, don't You? It's too dangerous :lol:

Ok. Why 3-d host cron task is not the solution for You? It really works for me very well.

Re: remote ssh via script

Posted: Wed Jun 15, 2016 11:53 am
by peter1024
Hello,

I have the same problem. I wrote a script that logs on to AirOS then it make reboot. If it does from terminal everything works. Unfortunately, the schedule of tasks script does not work. Do not execute the line:
/System ssh address=10.0.0.200 user=admin command=reboot
If you paste this command into the terminal, everything works correctly

Is there already a solution to this problem?

Re: remote ssh via script

Posted: Sat Nov 05, 2016 5:00 pm
by Wyz4k
Hi there,

I can confirm that this is still not possible in 6.37.1

Re: remote ssh via script

Posted: Mon Sep 25, 2017 2:32 pm
by Permanentik
Up 2017

Re: remote ssh via script

Posted: Sat Nov 11, 2017 2:23 pm
by johanfirdi
I get the same problem above.
run remote ssh script via terminal works, BUT
not WORK in script mode.
my case is creating dynamic gre tunnel after pppoe interfaces up,
dynamic because public ip address assigned dynamically. I need to ssh remote machine to do create tunnel.
i create in linux, work normally by editing /etc/ppp/ip-up to custom script.
But get problem when porting to mikrotik.
work in terminal.
not work in script.

Re: remote ssh via script

Posted: Thu Dec 14, 2017 11:47 pm
by OKNET
Almost 2018

After years and years same issue (no single line ssh client connecting automatically to remote ssh server by script)

At least, someone from MikroTik staff should clearly say: "it is not possible and it will be not possible because we don't want it to be possible"

People still remain hangings with hope......

Any info please ?

Re: remote ssh via script

Posted: Fri Dec 29, 2017 9:32 pm
by RavenWing71
This may not directly relate, but I was having a similar problem getting a script to use fetch to upload a file. It turned out that the script had to have the "test" policy checked?!? You might give it a try.

Re: remote ssh via script

Posted: Sat Dec 30, 2017 5:53 pm
by Wyz4k
Nope, it's not a privilege thing. It's functionality not allowed by Mikrotik

Re: remote ssh via script

Posted: Wed Jan 10, 2018 3:26 pm
by hughrobbie
If you have a windows machine, you can use plink.exe and create a SSH batch file to run your script on your Mikrotik and schedule the batch file with windows scheduler.
If anybody needs help with this, let me know. :)

Re: remote ssh via script

Posted: Wed Jan 10, 2018 3:44 pm
by che
I have uploaded to Github my old Python script that does what you need: connects to a number of different Mikrotik routers and then executes some commands. All you need to do is edit username and password in .py file, list of IP addresses and commands.

The only requirement is that you have Python installed with paramiko module on either Windows, Linux or MacOS machine.

mikrotik-distributed-ssh

Re: remote ssh via script

Posted: Thu Jan 11, 2018 3:36 pm
by SX1
Same trouble using Dude Notifications. I wanted to create some type of alarm using ssh and beep when any device down. But it's not work because Mikrotik team don't want to activate remote ssh via script.
What's wrong with you, Mikrotik? It's a great fail!

Re: remote ssh via script

Posted: Sat Feb 03, 2018 5:23 pm
by markovip
I'm also waiting for this GREAT capability!

Re: remote ssh via script

Posted: Sat Feb 03, 2018 7:34 pm
by dadoremix
Maybe for 10 years mikrotik make a app for remote control 100+ devices

Re: remote ssh via script

Posted: Wed Mar 07, 2018 3:25 am
by ingus16
Need this feature BADLY..
Please do something

Re: remote ssh via script

Posted: Mon Mar 19, 2018 3:37 pm
by zivtal
Made this a long time ago, maybe it will help you...
:local router2address "192.168.88.1";
:local router2interfaces "sfpp1,sfp1,vlan9";
:local router2username "user1";

:local SetInterface do={
	:local interfaces [:toarray $1];
	:local mode [:tostr $2];
	:local host $3;
	:local user [:tostr $4];
	:local cmd;
	#Set disabled boolean (true/false)
	:local disabled; :if ($mode="disable") do={:set $disabled true;} else={:set $disabled false;}
	#If host not set, interfaces are local
	if ([:typeof $host]="nothing") do={
		#Host wasn't set, then set local interfaces
		foreach interface in=[:toarray $interfaces] do={
			if ([:len [/interface find name=$interface]]>0) do={
				if ([/interface get value=disabled $interface]!=$disabled) do={
					/interface set disabled=$disabled $interface
					:log info ([/system clock get time]." '$interface' has been ".$mode."d.\r\n");										
				}
			} else={
				:log info ([/system clock get time]." '$interface' not exists.\r\n");
			}
		}
	} else={
		#Host has been set, then create ssh's command for sending
		foreach interface in=[:toarray $interfaces] do={
			:set $cmd ($cmd."if ([:len [/interface find name=$interface]]>0) do={	if ([/interface get value=disabled $interface]!=[:tobool $disabled]) do={		/interface set disabled=[:tobool $disabled] $interface;		:log info \"'$interface' $mode command has been received from '$[/system identity get name]' (via ssh).\"		} else={			:log warning \"$mode command from '$[/system identity get name]' (via ssh) was denied, '$interface' already $mode.\" 		}} else={ :log error \"$mode command from '$[/system identity get name]' (via ssh) was failed, '$interface' not exists.\" }\r\n");
			:log info ([/system clock get time]." '$interface' $mode command has been sent to '$host' via ssh ($user).\r\n");
		}
		#Check if host responding
		if ([/ping $host count=1]>0) do={
			#Host response, connect to host and send command
			do {
				/system ssh $host user=$user command=$cmd
			} on-error={
				#Error: could not connect to host
				:log info ([/system clock get time]." $mode command was not sent, could not connect to '$host'.\r\n");
			}
		} else={
			#Host not responding
			:log info ([/system clock get time]." $mode command was not sent, '$host' not responding.\r\n");
		}		
	}
}
$SetInterface $router2interfaces disable $router2address $router2username

Re: remote ssh via script

Posted: Wed Mar 21, 2018 3:06 pm
by gerakon
I had a similar problem years ago that I wanted to reboot some crappy engenius APs every night on a schedule so they wouldn't lock up once a week. I suspect Mikrotik doesn't allow this because it could turn their routers into a weapon for hackers. Any way, I looked into using API at the time, but didn't understand it well enough to implement, but it looked like it might work.

Re: remote ssh via script

Posted: Wed Apr 04, 2018 1:36 pm
by gogasan
Now %DATE% already. Still wont working.
Trying to setup configuration replication using scheduler. Wont it working in manual mode.

Re: remote ssh via script

Posted: Mon Aug 06, 2018 6:34 pm
by electravis
Any update to allowing ssh to run in a script? Today I needed this functionality for the first time and after a few hrs of failure i googled and found everyone else with the same issue.

Re: remote ssh via script

Posted: Fri Sep 07, 2018 12:27 pm
by TT12
I have uploaded to Github my old Python script that does what you need: connects to a number of different Mikrotik routers and then executes some commands. All you need to do is edit username and password in .py file, list of IP addresses and commands.

The only requirement is that you have Python installed with paramiko module on either Windows, Linux or MacOS machine.

mikrotik-distributed-ssh
Hello,
is it possible to change your script to join with RSA key connection with a password + specific username?
Thank you

Re: remote ssh via script

Posted: Tue Sep 11, 2018 3:55 pm
by Posse7x
hello,

no solution but a work around

not running the ssh command via a script -> importing them via an rsc file

/system scheduler add name=run_sshscript interval=24:00:00 start-time=00:00:00 start-date=jan/01/1970 on-event="/import file=sshscript.rsc"

the commands (system ssh x.x.x.x command="") is stored in the rsc files

regards

Re: remote ssh via script

Posted: Tue Sep 11, 2018 4:15 pm
by che
Hello,
is it possible to change your script to join with RSA key connection with a password + specific username?
Thank you

Could you clarify the question a bit? As I understood, you want the script to know which hosts use which usernames, passwords and keys, with same host having multitude of those?

Re: remote ssh via script

Posted: Tue Sep 11, 2018 4:44 pm
by TT12
Hello,
is it possible to change your script to join with RSA key connection with a password + specific username?
Thank you

Could you clarify the question a bit? As I understood, you want the script to know which hosts use which usernames, passwords and keys, with same host having multitude of those?
Hi,
sorry for my english:
I already changed your script to allow join only with RSA private key (on mikrotik is imported public):

add: k = paramiko.RSAKey.from_private_key_file('key.ppk')
ssh.connect(host,username=mt_username,pkey=k,timeout=timeout)

this way allows you to connect to ssh only with the private ssh key - without login + password.
The problem occurs when I generate ssh (RSA) keys in PuTTYgen - the paramiko module reports a ssh key format error.
If I generate ssh keys over paramiko, everything is fine.
Is it possible to add the ability to generate the most secure pairs of private and public keys compatible with mikrotik?
Probably RSA 4096 - with password (aes-128-ctr)
Signing in with ssh keys is a much safer method.
Thank you for the info.
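
The key format error described in the post above is consistent with PuTTYgen saving its own .ppk container, which paramiko's key loaders (they read PEM/OpenSSH files) do not parse; PuTTYgen can export the same key in OpenSSH format from its Conversions menu. As an added example (not part of the thread or of che's script), the Python below classifies a private key file by its header and reports whether it is passphrase-protected, so unusable or unprotected keys are caught before an automation host relies on them. The function names and the header-only samples are constructed for illustration and contain no key material.

```python
import base64
import struct
from typing import NamedTuple, Optional

OPENSSH_MAGIC = b"openssh-key-v1\x00"


class KeyInfo(NamedTuple):
    fmt: str                   # putty-ppk | openssh | pkcs8 | pem-<alg> | unknown
    encrypted: Optional[bool]  # None when the format is not recognised
    convert_first: bool        # True: export to OpenSSH/PEM before loading


def openssh_cipher(body_b64: str) -> str:
    """Return the ciphername field of an openssh-key-v1 blob ("none" = no passphrase)."""
    blob = base64.b64decode(body_b64)
    off = len(OPENSSH_MAGIC)
    if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
        raise ValueError("not an openssh-key-v1 blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    name = blob[off + 4:off + 4 + n]
    if len(name) != n:
        raise ValueError("truncated ciphername")
    return name.decode("ascii")


def classify_private_key(text: str) -> KeyInfo:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    first = lines[0] if lines else ""
    if first.startswith("PuTTY-User-Key-File-"):
        # .ppk states its cipher in a plain "Encryption:" header line
        enc = "none"
        for ln in lines[1:]:
            if ln.startswith("Encryption:"):
                enc = ln.split(":", 1)[1].strip()
                break
        return KeyInfo("putty-ppk", enc != "none", True)
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        return KeyInfo("openssh", openssh_cipher(body) != "none", False)
    if first.startswith("-----BEGIN ") and first.endswith("PRIVATE KEY-----"):
        label = first[len("-----BEGIN "):-len("-----")]
        if label == "PRIVATE KEY":
            return KeyInfo("pkcs8", False, False)
        if label == "ENCRYPTED PRIVATE KEY":
            return KeyInfo("pkcs8", True, False)
        # Traditional PEM marks encryption with a Proc-Type header
        legacy_enc = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln
                         for ln in lines[1:3])
        return KeyInfo("pem-" + label.split()[0].lower(), legacy_enc, False)
    return KeyInfo("unknown", None, False)


def sample_openssh(cipher: str) -> str:
    """Constructed header-only sample: magic + ciphername, no key material."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples (headers only)
SAMPLE_PPK = ("PuTTY-User-Key-File-2: ssh-rsa\n"
              "Encryption: aes256-cbc\nComment: constructed\n")
SAMPLE_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,00\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, text in [("key.ppk", SAMPLE_PPK), ("id_rsa.pem", SAMPLE_PEM),
                       ("id_rsa", sample_openssh("none"))]:
        print(name, classify_private_key(text))
```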

Re: remote ssh via script

Posted: Tue Sep 11, 2018 5:34 pm
by che
While I agree that using key pairs is the best practice from security standpoint, my script was not aiming at that particular scenario. My network had few hundreds of MikroTik boxes that needed to be changed quickly and zero key pairs setup beforehand. I was sitting on Windows desktop machine and came up with mentioned script.

Regarding ssh server on MikroTik, you can read up on what crypto they use with "strong crypto" option off/on: https://wiki.mikrotik.com/wiki/Manual:IP/SSH

I'm not sure about other key and certificate limitations on RouterOS.

Re: remote ssh via script

Posted: Wed Sep 12, 2018 8:21 am
by Wyz4k
hello,

no solution but a work around

not running the ssh command via a script -> importing them via an rsc file

/system scheduler add name=run_sshscript interval=24:00:00 start-time=00:00:00 start-date=jan/01/1970 on-event="/import file=sshscript.rsc"

the commands (system ssh x.x.x.x command="") is stored in the rsc files

regards
Useful, but only if you can login without a password as the /system ssh prompt does not allow you to enter in the password in the connect string.

Re: remote ssh via script

Posted: Wed Sep 12, 2018 11:19 am
by Posse7x
it works with ssh key
you just need to create the scheduler and script with the account linked to the private key.

Re: remote ssh via script

Posted: Thu Sep 13, 2018 3:20 pm
by Wyz4k
it works with ssh key
you just need to create the scheduler and script with the account linked to the private key.
I tried this, but could not get it going. If I manually call the script from the terminal it works fine and connects to ssh, but if I run it with a schedule it doesn't execute and gives a script error, or nothing.

Re: remote ssh via script

Posted: Tue Sep 18, 2018 10:25 am
by Posse7x
as i said

you need to create a .rsc file (eg: /system ssh x.x.x.x command="/interface disable ether1")

save it as script.rsc

then create the scheduler:

/import script.rsc verbose=yes

you'll see the script starting and where it gets interrupted

Re: remote ssh via script

Posted: Tue Sep 18, 2018 10:46 am
by Wyz4k
as i said

you need to create a .rsc file (eg: /system ssh x.x.x.x command="/interface disable ether1")

save it as script.rsc

then create the scheduler:

/import script.rsc verbose=yes

you'll see the script starting and where it gets interrupted
I'd love to be proven wrong, but that doesn't work. I've just tried it again in 6.42.7. What version are you running it on?
If I run "/import script.rsc verbose=yes" from terminal it logs in fine on the other side.

script.rsc contains only "/system ssh address=IP user=USER command=quit"

If I create a scheduler and add "/import script.rsc verbose=yes" to it, it just doesn't do anything.

If I add a print before the /system ssh command and one after, it only prints the before command which indicates that it breaks on the /import command.

Re: remote ssh via script

Posted: Mon Sep 24, 2018 8:58 am
by amb3r
hello,

no solution but a work around

not running the ssh command via a script -> importing them via an rsc file

/system scheduler add name=run_sshscript interval=24:00:00 start-time=00:00:00 start-date=jan/01/1970 on-event="/import file=sshscript.rsc"

the commands (system ssh x.x.x.x command="") is stored in the rsc files

regards
I'm really interested in the solution you made. Do I need to input username/password on the ssh command in .rsc? Do you have a sample script, sir?

Re: remote ssh via script

Posted: Wed Oct 03, 2018 11:00 pm
by TT12
Hi,
i found better solution for multiple config mikrotiks via ssh:
Software: MobaXterm
create and save different mikrotik sessions, then run from menu MultiExec
now you can type commands multiple in all terminals - run script working :)

Re: remote ssh via script

Posted: Thu Oct 04, 2018 2:30 am
by Wyz4k
hello,

no solution but a work around

not running the ssh command via a script -> importing them via an rsc file

/system scheduler add name=run_sshscript interval=24:00:00 start-time=00:00:00 start-date=jan/01/1970 on-event="/import file=sshscript.rsc"

the commands (system ssh x.x.x.x command="") is stored in the rsc files

regards
I'm really interested in the solution you made. Do I need to input username/password on the ssh command in .rsc? Do you have a sample script, sir?
His solution doesn't work, or at least doesn't work any more. I've asked him for more details and he hasn't been forthcoming.
Hi,
i found better solution for multiple config mikrotiks via ssh:
Software: MobaXterm
create and save different mikrotik sessions, then run from menu MultiExec
now you can type commands multiple in all terminals - run script working :)
This post is about connecting to a remote router via a script. As you can't run MobaXterm on the router, that is not an applicable solution to the problem.

Re: remote ssh via script

Posted: Wed Jul 24, 2019 6:34 pm
by floryluc
Hi everybody, for a very long time I was waiting for MikroTik's solution for the remote ssh connection, finally the solution is on the way

https://wiki.mikrotik.com/wiki/Manual:S ... ertificate

SSH-exec
Sub-menu: /system ssh-exec
Command ssh-exec is a non-interactive ssh command, thus allowing to execute commands remotely on a device via scripts and scheduler.

on v6.45.1 is implemented

As I have seen that several of you are in the same problem, I decided to share it with the whole community

a greeting

Re: remote ssh via script

Posted: Wed Jul 24, 2019 10:51 pm
by sebastia
That's just part of the solution. ssh-exec requires use of PKI, while the available documentation relates to real users only

Re: remote ssh via script

Posted: Thu Jul 25, 2019 3:17 am
by Wyz4k
As I have seen that several of you are in the same problem, I decided to share it with the whole community
Thank you floryluc! Very nice of you to post this here. I will definitely give it a bash.