1. Generate a private and public key pair for use with the administrative user. This can be done from a linux box like so:
   Code: Select all

   ssh-keygen -t rsa -b 2048 -C '' -f myfirstsshkey

2. Ensure that the SSH server has "always-allow-password-login" set to "no"
   Code: Select all

   /ip ssh set always-allow-password-login=no

3. Upload the public key to the MikroTik device (you can place the same public key on all of your devices). You can use SFTP (SSH) or any number of other methods during your setup procedure.
4. Link the public key to the default admin user
   Code: Select all

   /user ssh-keys import public-key-file=myfirstsshkey.pub user=admin

5. Victory

ssh -i myfirstsshkey admin@rtr1

1. Use Putty Key Generator to Load "myfirstsshkey" (private key)
2. Click Save private key to save the private key in Putty's required format
3. Launch a new Putty session and on the left tree navigate to Connection -> SSH -> Auth. Click on Auth
4. Click Browse to the right of the text box underneath "Private key file for authentication" and navigate to the Putty formatted private key (let's assume you named it myfirstsshkey.ppk)
5. Navigate to Connection -> Data. Click on data and enter "admin" into the text box to the right of "Auto-login username"
6. Click on Session and enter the host name or IP of the router. Click Open (You could also save the session configuration so you don't have to reenter everything)

Is it possible to put a hashed password inside this script?

Is it possible to put a hashed password inside this script?

Read my post about SSH public key authentication above. You'll still have to provide the private key to the script but you can use file permissions to limit its exposure.

What about winbox access?

Use RADIUS authentication with unique password for each user. Then just delete his account.

Use RADIUS authentication with unique password for each user. Then just delete his account.

Normis, if the SXT could not access the radius, this should be a problem too.

Because, sometimes, the device is not connected to any AP. So, without communication with radius, would not be possible to go there (where the SXT is) and see whats is going on.

Then we are back to the problem that would be needed an admin account with a "default" password. Which is exactly what we don't want to have.

Imagine this:

we have a bunch of SXT.
Every SXT is "protected" by a random password, which is linked somehow to the customer database (customer code, or something like that)....
This password will only be retrieved if a employee can have access to the ERP from this company.

So, if a guy is working at this company, is allowed to retrieve this password.... but, what if he got fired ? He will not remember all passwords.

But, one sector of the company is more like, "trustable".
And want to have access without going to check the password. This will also be used to scripting.
So...

They made a script with a password as backdoor, only for this sector to use.
The problem is, password is plain text inside the config-script, and, this config script is used from anybody else to get access to this SXT.

Is it possible to put a hashed password inside this script?

I don't understand - the admin himsel will know the password? if yes, then let him add the password. after it is added, nobody will see it