vegger
just joined
Topic Author
Posts: 1
Joined: Mon Nov 18, 2019 3:56 pm

Problem with SSH Login

Tue Oct 06, 2020 10:57 am

Hi everybody,

I have a problem with SSH to a MikroTik. Whenever I want to connect via SSH, it says access denied. The password is correct, because I can connect via Winbox.
SSH Service is enabled:

Flags: X - disabled, I - invalid
# NAME PORT ADDRESS CERTIFICATE
0 XI telnet 23
1 ftp 21
2 XI www 80
3 ssh 22
4 XI www-ssl 443 none
5 api 8728
6 winbox 8291
7 api-ssl 8729 *1


I have already removed the user and created a new one. At first, the MikroTik ran RouterOS 6.46.6. I upgraded to 6.47.4.
I manage many MikroTiks, but this is the only one I can't enter via SSH.

Thank you and best regards
 
eworm
Forum Guru
Posts: 1093
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Problem with SSH Login

Tue Oct 06, 2020 2:15 pm

What ssh client do you use? Can you give the exact error message?

A blind guess if everything else fails: regenerate your host keys:
/ip ssh regenerate-host-key
 
milegrin
just joined
Posts: 9
Joined: Wed Dec 06, 2023 11:09 pm
Location: South Africa

Re: Problem with SSH Login

Sat Dec 09, 2023 7:23 pm

I have noticed a number of posts regarding SSH keys failing etc., so here goes my adventure... After a routine patch of my Linux machine, I was sent into a frenzy banging my head, many "ssh -vvvv" and copious searches until I eventually figured out why my SSH keys were no longer working. This was a year or three ago, but I ran into it again when I deployed a new MikroTik at home in the last week.

If you are using RSA keys that you have had for some time and do not want to regenerate your keys just yet, you need to explicitly re-enable the deprecated SHA1 RSA cipher "ssh-rsa" for RouterOS connections, either in the global "/etc/ssh/ssh_config" (not sshd_config) or in a user-specific "~/.ssh/config" file. Add the following line to your connection stanza:
PubkeyAcceptedKeyTypes +ssh-rsa

Example extract from my "~/.ssh/config":
Host mikrotik1 mikrotik2 10.20.30.40
    User admin
    Port 22
    Compression yes
    TCPKeepAlive yes
    NumberOfPasswordPrompts 1
    ServerAliveInterval 60
    StrictHostKeyChecking no
    # Re-enable RSA SHA1, otherwise the connection will fail (SHA1 deprecated)
    PubkeyAcceptedKeyTypes +ssh-rsa
    IdentityFile ~/.ssh/id_rsa
This is a temporary workaround at best and should not be considered a long-term solution. I realised the cause of my original issue above is that I was using old RSA keys that were generated a few years ago using old ciphers that have been deprecated, causing this error. Generating new RSA keys appears to have fixed this issue for me and would be a more long-term solution.

NOTE: OpenSSH etc. have also sunset RSA & DSA keys, and it is recommended to move all your keys over to ECDSA keys, but none of my routers (RouterOS v6.49.10) appear to support ECDSA, and when trying to load ECDSA it gives the following error:
Couldn't perform action - unable to load key file (wrong format?) ! (6)

Disabling the password after key restriction
If you want to disable the default of rejecting password SSH logins after loading SSH keys, set the following to allow both key & interactive (password) login:
/ip ssh set always-allow-password-login=yes
I prefer setting this just in case my keys go wonky and I need to access my routers via SSH to fix.

I hope this little tidbit saves a few bruised foreheads!
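
An added example (not part of the post above, and not MikroTik or OpenSSH tooling): a shell function that audits an OpenSSH client config for the two settings used in that stanza. It tells an ssh-rsa re-enable scoped to named hosts apart from one that applies to every host, and flags disabled host key verification. The names audit_ssh_config and sample_config, and the sample config itself, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: flag the two client-side settings the
# post relies on. audit_ssh_config and sample_config are names made up here.
audit_ssh_config() {    # reads ssh_config text from FILE args or stdin
    awk '
    BEGIN { host = "(global)" }       # lines before any Host apply everywhere
    /^[ \t]*#/ { next }               # comment
    /^[ \t]*$/ { next }               # blank line
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        sub(/[ \t]*=[ \t]*/, " ", line)             # "Keyword=value" form
        key = line; sub(/[ \t].*$/, "", key); key = tolower(key)
        val = line; sub(/^[^ \t]+[ \t]*/, "", val)
    }
    key == "host" || key == "match" { host = val; next }
    key ~ /^(pubkeyacceptedkeytypes|pubkeyacceptedalgorithms|hostkeyalgorithms)$/ {
        if (val ~ /^-/) next          # a leading "-" removes algorithms
        list = val; sub(/^[+^]/, "", list)
        n = split(list, alg, ",")
        for (i = 1; i <= n; i++)
            if (alg[i] == "ssh-rsa") {
                wide = (host == "(global)" || index(host, "*") > 0)
                printf "%s: %s enables ssh-rsa (%s)\n", host, key,
                       (wide ? "all hosts" : "scoped")
            }
        next
    }
    key == "stricthostkeychecking" && tolower(val) ~ /^(no|off)$/ {
        printf "%s: host key verification disabled\n", host
    }
    ' "$@"
}

# Constructed sample: the stanza shape from the post plus a global override.
sample_config() {
    cat <<'EOF'
PubkeyAcceptedAlgorithms +ssh-rsa
Host mikrotik1 mikrotik2 10.20.30.40
    StrictHostKeyChecking no
    #Re-enable RSA SHA1
    PubkeyAcceptedKeyTypes +ssh-rsa
Host modern
    HostKeyAlgorithms -ssh-rsa
    StrictHostKeyChecking accept-new
EOF
}

sample_config | audit_ssh_config
```

To check a real file, call audit_ssh_config ~/.ssh/config; findings marked "all hosts" are the ones to narrow to the RouterOS stanza.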