Our NOC uses one WAN IP address to connect to these clients.
I have a RADIUS setup for the personal accounts of the NOC staff, but I am also running RANCID (configuration backup / diff service) that connects to all MikroTiks over SSH using a local account that exists on every MikroTik and is connected to an SSH certificate for passwordless login.
All this communication goes over one external IP address, so from the MikroTik's perspective the source of all this traffic is the same.
RADIUS authentication is configured like this (taken from the export command):
/radius add address=256.256.1.1 comment="Radius login" secret=TheRadiusSecret service=login
/user aaa set default-group=full use-radius=yes
256.256.1.1 is my fictitious public IP address; the real one is of course valid.
Then I have configured a local user for rancid like this:
I have imported my id_dsa.pub from my linux box that runs rancid and connected it to the rancid user:
[n1els@clientXYZ] /user> export verbose
# jun/06/2016 04:01:58 by RouterOS 6.33.5
# software id = ABCDEF
#
/user group
set read name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,!ftp,!write,!policy skin=default
set write name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,!ftp,!policy skin=default
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api skin=default
/user
add address="" comment="system default user" disabled=no group=full name=admin
add address="" comment="config backup user" disabled=no group=full name=rancid
/user aaa
set accounting=yes default-group=full exclude-groups="" interim-update=0s use-radius=yes
So RANCID works fine, and I can also log in to WinBox using my RADIUS password, which is all nice. But now I have discovered that I can log in using SSH without a password with any valid RADIUS account.
[n1els@clientXYZ] /user> ssh-keys print detail
Flags: R - RSA, D - DSA
 0 D user=rancid bits=1024 key-owner="rancid@linuxbox"
[n1els@clientXYZ] /user>
So if I try to run
I am asked for a password, but if I use an existing RADIUS account name like my own, I am accepted without ever having to type my password.
Maybe I'm doing something wrong, but this should not be the case. The only user that should be allowed passwordless entry should be the local user, and only upon a successful SSH/DSA certificate match, and not for any of the RADIUS accounts. I don't even have to be on the same Linux box to do this now.
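The export and ssh-keys listings above are exactly the kind of text a config-backup job (RANCID, for instance) already stores, so they can be audited offline. The following script is an added example, not part of the original post or of RouterOS or RANCID; it assumes only the line format shown in the post (a `/section` line followed by `add`/`set` lines with `key=value` pairs, and `N D user=... key-owner=...` lines for ssh keys). It flags the three least-privilege concerns the post describes: RADIUS logins that default into the `full` group, local `full`-group accounts with no `address=` restriction, and an SSH key bound to a `full`-group account. The sample input is constructed from the listings in the post.

```python
import re

# Constructed sample input: the post's "/user export verbose", split into lines.
EXPORT = """\
/user group
set read name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,!ftp,!write,!policy skin=default
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api skin=default
/user
add address="" comment="system default user" disabled=no group=full name=admin
add address="" comment="config backup user" disabled=no group=full name=rancid
/user aaa
set accounting=yes default-group=full exclude-groups="" interim-update=0s use-radius=yes
"""

# Constructed sample input: the post's "/user ssh-keys print detail".
SSH_KEYS = """\
Flags: R - RSA, D - DSA
 0 D user=rancid bits=1024 key-owner="rancid@linuxbox"
"""

# key=value pairs; values are either "quoted text" or a bare token.
KV = re.compile(r'(\S+?)=("[^"]*"|\S*)')
# "<index> <flag> <key=value ...>" lines of the ssh-keys listing.
KEY_LINE = re.compile(r'^\s*\d+\s+([RD])\s+(.*)$')


def parse_kv(text):
    """Turn 'a=1 b="two words"' into {'a': '1', 'b': 'two words'}."""
    return {k: v.strip('"') for k, v in KV.findall(text)}


def parse_export(text):
    """Return {section: [entry, ...]} for every add/set line of an export."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):          # e.g. "/user aaa"
            current = line
            sections.setdefault(current, [])
            continue
        verb, _, rest = line.partition(' ')
        if current and verb in ('add', 'set'):
            sections[current].append(parse_kv(rest))
    return sections


def parse_ssh_keys(text):
    """Return one dict per key line (type, user, bits, key-owner)."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            entry = parse_kv(m.group(2))
            entry['type'] = m.group(1)
            keys.append(entry)
    return keys


def audit(export_text, ssh_keys_text):
    """Return a list of human-readable findings about privileged access."""
    cfg = parse_export(export_text)
    aaa = {}
    for entry in cfg.get('/user aaa', []):
        aaa.update(entry)
    users = cfg.get('/user', [])
    findings = []

    # 1. Every RADIUS-authenticated login inherits the default group.
    if aaa.get('use-radius') == 'yes' and aaa.get('default-group') == 'full':
        findings.append('RADIUS users land in group "full" by default')

    # 2. Local full-rights accounts reachable from any source address.
    full_users = {u['name'] for u in users
                  if u.get('group') == 'full' and u.get('disabled') != 'yes'}
    for u in users:
        if u.get('name') in full_users and u.get('address', '') == '':
            findings.append(f'local user "{u["name"]}" has full rights and '
                            f'no address restriction')

    # 3. SSH keys that give passwordless entry to a full-rights account.
    for key in parse_ssh_keys(ssh_keys_text):
        if key.get('user') in full_users:
            findings.append(f'SSH key {key.get("key-owner")} ({key["type"]}, '
                            f'{key.get("bits")} bits) is bound to full-rights '
                            f'user "{key["user"]}"')
    return findings


if __name__ == '__main__':
    for finding in audit(EXPORT, SSH_KEYS):
        print('-', finding)
```

Run against the sample it reports four findings: the RADIUS default group, the two unrestricted `full` accounts (`admin` and `rancid`), and the DSA key bound to `rancid`. Pointing it at the exports RANCID already collects gives the same check for every router without logging in to each one.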