jojoHa
just joined
Topic Author
Posts: 3
Joined: Sun Apr 08, 2018 8:22 pm

Importing private SSH keys fails

Sat Aug 10, 2019 4:20 pm

Hi,

I want to connect to a Linux (Debian) server to run a command there. The connection has to be initiated in a script on the Mikrotik (RouterOS v6.45.1) router. Thus, I need ssh-exec and have to use keys to ssh into the server. As far as I understood, I need to generate private and public keys on my destination host and import them (or only the private one?) to the client (Mikrotik) where I want to initiate the connection from. However, I can't import the keys in the first place. I have enabled strong-crypto using
/ip ssh set strong-crypto=yes
And for the keys:
user@server:~/.ssh$ ssh-keygen -t rsa -f server
For the passphrase I just hit enter. Then, I appended the key to the locally authorized:
user@server:~/.ssh$ cat server.pub >> authorized_keys
and copied the files to the router:
user@server:~/.ssh$ scp server* admin@router:/flash/
Then, I sshed into the router and tried to import the keys:
user@server:~/.ssh$ ssh admin@router
[admin@router] > /user ssh-keys private import user="admin" public-key-file=flash/server.pub private-key-file=flash/server passphrase=""
unable to load key file (incorrect passphrase?)!
Using /flash/ instead of flash/ results in
input does not match any value of private-key-file

The server-file has the format
-----BEGIN OPENSSH PRIVATE KEY-----
key....
-----END OPENSSH PRIVATE KEY-----
and the server.pub looks like
ssh-rsa AAA......hd6 user@server

What am I doing wrong? I also tried to leave out the passphrase and just hit enter when asked on import. Also generating keys with a passphrase and entering it does not work. I also tried to generate the keys with puttygen, this gives me a (wrong format) error. I also modified the keys according to viewtopic.php?t=48693. But with the same results.

Can someone tell me the steps to properly import the keys? Am I on the right path, anyway? Because according to http://www.linuxproblem.org/art_9.html, it seems like I'm interchanging the roles of router (A) and server (B). However, following https://wiki.mikrotik.com/wiki/Use_SSH_ ... o_RouterOS is my approach above, isn't it? Basically, it's like in viewtopic.php?t=128887#p633303 but from RouterOS to host, not RouterOS to RouterOS.

Thanks a lot
Johannes


PS: When I add the server.pub in System -> Users -> SSH keys, I can login from the server to the router without a password by
user@server:~/.ssh$ ssh -i server admin@router
But I need it the other way round.
Last edited by jojoHa on Fri Aug 16, 2019 11:26 pm, edited 2 times in total.
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Importing SSH keys fails  [SOLVED]

Mon Aug 12, 2019 12:55 am

Try to generate your key in PEM format:
ssh-keygen -t rsa -m PEM ..
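
As an added example (not part of eworm's post or of MikroTik's documentation): a shell helper that reports which container format a private key file uses and, going one step beyond the reply, writes a PEM copy of an existing OpenSSH-format key with `ssh-keygen -p -m PEM` instead of generating a new key. The function names `key_format` and `make_pem_copy` are hypothetical, and an empty passphrase is assumed, as in the original post.

```shell
#!/bin/sh
# Added example: identify an SSH private key's container format and make a
# PEM copy for RouterOS import. Function names are hypothetical.

# Print the format implied by the first line of key file $1.
# CRs are stripped so files that passed through Windows are still recognised.
key_format() {
    case "$(head -n 1 "$1" 2>/dev/null | tr -d '\r')" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")   echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----")       echo pem-rsa ;;
        "-----BEGIN DSA PRIVATE KEY-----")       echo pem-dsa ;;
        "-----BEGIN EC PRIVATE KEY-----")        echo pem-ec ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        "PuTTY-User-Key-File-"*)                 echo putty ;;
        *)                                       echo unknown ;;
    esac
}

# Copy key $1 to $2 and rewrite the copy as PEM; the original stays untouched.
# Assumes an unencrypted key (empty passphrase), as in the thread.
# Prints the format of the result and fails if it is still not PEM.
make_pem_copy() {
    src=$1
    dst=$2
    if [ "$(key_format "$src")" != openssh ]; then
        echo "not an OpenSSH-format key: $src" >&2
        return 1
    fi
    # umask keeps the copy private; ssh-keygen refuses group/world-readable keys
    ( umask 077; cp "$src" "$dst" ) || return 1
    ssh-keygen -p -m PEM -P "" -N "" -f "$dst" >/dev/null || return 1
    result=$(key_format "$dst")
    echo "$result"
    case "$result" in
        pem-*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Stand-alone use: sh script.sh <existing-key> <pem-copy>
if [ "$#" -eq 2 ]; then
    make_pem_copy "$1" "$2"
fi
```

Run against the `server` file from the first post, `key_format` prints `openssh`, which is the format the import rejected; the copy written by `make_pem_copy` is the file to upload, and it should be deleted from the router's file store after the import.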
 
dougunder
newbie
Posts: 43
Joined: Tue May 01, 2018 10:53 pm

Re: Importing SSH keys fails

Tue Aug 13, 2019 9:58 pm

We do it like this:

# Public key to install for the support account
:global SUPPORTPUB "ssh-rsa RSAkeygoeshere support@mycompany.net";
:global SECCFG do={
    :global SUPPORTPUB;
    # Write the public key to a temporary file so it can be imported
    /file {print file=supportpub.txt; :delay 2; set supportpub.txt contents=$SUPPORTPUB};
    /user {
        remove [find name=YOURNAME];
        add name=YOURNAME password="YOURPASSWORD" group=full;
        ssh-keys import public-key-file=supportpub.txt user=YOURNAME
    };
    /file remove [find name=supportpub.txt];
    # Enable strong crypto, move SSH to its own port, disable all other services
    /ip {
        ssh set strong-crypto=yes;
        service {
            set ssh port=YOURPORT;
            set [find name!="ssh"] disabled=yes
        }
    }
};
$SECCFG;
# Remove all global variables, including the key and the function itself
/system script environment remove [find name~""]
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Importing SSH keys fails

Wed Aug 14, 2019 10:50 pm

> We do it like this:
That does not help. This topic is about private ssh keys.
 
davewilliamson
just joined
Posts: 21
Joined: Thu Nov 29, 2007 4:58 pm
Location: Murcia, Spain

Re: Importing SSH keys fails

Fri Aug 16, 2019 3:10 pm

I'm having exactly the same problem importing private keys for SSH

ssh-keygen -t rsa -b 2048 -f mikrotik_rsa -v -C "Mikrotik Key"
Generating public/private rsa key pair.
mikrotik_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in mikrotik_rsa.
Your public key has been saved in mikrotik_rsa.pub.
The key fingerprint is:
SHA256:4WXp/Zljv2unvg9AvZRGywNkKgB4Pq0X1dkkrMlbZEo Mikrotik Key
The key's randomart image is:
+---[RSA 2048]----+
|   ....  o.== .  |
|  . .  .E *=.= o |
|   o . +o*= . O  |
|    o o.=*.o o o |
|     o .So. o .  |
|    . . .    o o |
|     .        B  |
|             . =.|
|             .=**|
+----[SHA256]-----+

Move the public & private key to the router....

 import user=aremoteuser passphrase="" public-key-file=mikrotik_rsa.pub private-key-file=mikrotik_rsa
unable to load key file (incorrect passphrase?) !

Trying without the passphrase="" or without the quotes (i.e. passphrase=) gives the same response.
Also the same if I add a passphrase to the cert.

Basically, there is no way to upload private keys :(

Using RouterOS 6.34.3

Please help!
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Importing SSH keys fails

Fri Aug 16, 2019 4:32 pm

Maybe try something a little less outdated? This is with 6.45.3:
[sob@CHR2] > /user ssh-keys private import user=sob private-key-file=mikrotik_rsa public-key-file=mikrotik_rsa.pub
passphrase:
[sob@CHR2] > /user ssh-keys private print
Flags: R - RSA, D - DSA
 #   USER                       BITS KEY-OWNER
 0 R sob                        2048 Mikrotik Key
 
jojoHa
just joined
Topic Author
Posts: 3
Joined: Sun Apr 08, 2018 8:22 pm

Re: Importing SSH keys fails

Fri Aug 16, 2019 11:25 pm

Thanks a lot eworm, generating the keys by
user@server:~/.ssh$ ssh-keygen -t rsa -m PEM -f server
did the trick!
 
davewilliamson
just joined
Posts: 21
Joined: Thu Nov 29, 2007 4:58 pm
Location: Murcia, Spain

Re: Importing private SSH keys fails

Mon Aug 19, 2019 7:03 pm

Thanks jojoHa / eworm, that got the keys uploaded OK

I'm still having an issue though, and cannot get router to router communication...

Router A: ROS v6.45.2
/user ssh-keys print
Flags: R - RSA, D - DSA 
 #   USER                       BITS KEY-OWNER                                                                                           
 0 R routercomms                4096 Mikrotik Key - 4096 RSA
 
 /user ssh-keys private print
Flags: R - RSA, D - DSA 
 #   USER                       BITS KEY-OWNER                                                                                           
 0 R routercomms                4096 Mikrotik Key - 4096 RSA
 
 /ip ssh print
  forwarding-enabled: no
  always-allow-password-login: no
  strong-crypto: no
  allow-none-crypto: no
  host-key-size: 4096
  
/system ssh 172.18.0.1 user=routercomms                  
can't agree on KEX algorithms

Welcome back!

Router B: ROS v6.45.3
 /user ssh-keys print                                                                
Flags: R - RSA, D - DSA 
 #   USER                       BITS KEY-OWNER                                                                     
 0 R routercomms                4096 Mikrotik Key - 4096 RS
 
 /user ssh-keys private print
Flags: R - RSA, D - DSA 
 #   USER                       BITS KEY-OWNER                                                                     
 0 R routercomms                4096 Mikrotik Key - 4096 RSA  
 
 /ip ssh print               
  forwarding-enabled: no
  always-allow-password-login: no
  strong-crypto: no
  allow-none-crypto: no
  host-key-size: 4096

/system ssh 172.17.0.1 user=routercomms 
password:

I have tried using the same and different pub/priv pair on both routers, I have tried 2048 & 4096 key lengths, I can SSH in with no issue using these keys from a unix SSH command, I have tried dropping back to DSA rather than RSA.

It would appear that when trying to connect the router isn't using the private key to communicate (one way), then has the KEX issue the other way.

Any thoughts?
 
davewilliamson
just joined
Posts: 21
Joined: Thu Nov 29, 2007 4:58 pm
Location: Murcia, Spain

Re: Importing private SSH keys fails

Tue Aug 20, 2019 2:49 pm

Hmmm,

So I think I've found the issue.... basically, the script ignores the user param when executing...

For the script.....
[routercomms@router] /system script> print from=routercommstest
Flags: I - invalid
 0   name="routercommstest" owner="auser" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon dont-require-permissions=no last-started=aug/20/2019 13:38:45 run-count=62
     source=
       :local Status ([/system ssh-exec user=routercomms address=172.18.0.1 command=":put ([/interface ethernet monitor [find where name=ether2] once as-value]->\"status\")" as-value]->"output")
       :log info $Status
Gets these results.....

[auser@router] > /system script run routercommstest
failure: authentication failure
vs
[routercomms@router] > /system script run routercommstest
(Works as expected)
So to make scripts work on target machines, I need to be logged in as the 'routercomms' user to execute the script successfully, or set it up as a scheduled script, on the source router.

This is a PITA, especially when you want to protect the 'routercomms' account with a difficult password, and not share the private key.
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Importing private SSH keys fails

Thu Aug 22, 2019 12:15 am

Note that keys are added for a specific account...
 
davewilliamson
just joined
Posts: 21
Joined: Thu Nov 29, 2007 4:58 pm
Location: Murcia, Spain

Re: Importing private SSH keys fails

Thu Aug 22, 2019 10:45 am

Yeah, I get that - but why have the option to specify a user in the SSH command, if it'll only use the keys from the executing user - it appears a pointless feature in that case.
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Importing private SSH keys fails

Mon Aug 26, 2019 4:49 pm

> Yeah, I get that - but why have the option to specify a user in the SSH command, if it'll only use the keys from the executing user - it appears a pointless feature in that case.
It's the user connecting to on the remote system.
 
MrBonding
just joined
Posts: 10
Joined: Mon Jul 05, 2021 1:32 pm

Re: Importing SSH keys fails

Wed Oct 06, 2021 4:58 pm

> Try to generate your key in PEM format:
> ssh-keygen -t rsa -m PEM ..
Thanks, it did work for me too!

Only question is: why does the Mikrotik official wiki (https://wiki.mikrotik.com/wiki/Use_SSH_ ... key_login) say only "ssh-keygen -t rsa" and not talk about "-m PEM"? Maybe Mikrotik can add that information to the wiki?

Thanks!
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Importing private SSH keys fails

Wed Oct 06, 2021 6:33 pm

... because this used to work as documented, but at some point the default format was changed by openssh.
 
floaty
Member
Posts: 321
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: Importing private SSH keys fails

Tue Oct 18, 2022 10:04 pm

thank you very much ...
bookmarked this post :?
... quite the hassle