How do you use ssh agent forwarding on the routeros ssh client?
Posted: Thu Nov 15, 2018 7:35 pm
by minfrin
Hi all,
I have routerboard B, that I need to ssh to via routerboard A. All user accounts are protected by SSH keys.
I am struggling to get ssh agent forwarding to work. When I log into routerboard A I can log in successfully, but when I log into routerboard B I am asked for a password, when I should log in automatically using agent forwarding.
The AllowAgentForwarding option on the sshd server makes this happen; how do I switch this on?
Regards,
Graham
--
Re: How do you use ssh agent forwarding on the routeros ssh client?
Posted: Fri Nov 16, 2018 1:37 am
by lambert
It is not an option.
The options are:
/ip ssh set
Change properties of one or several items.
always-allow-password-login -- allow password login when public key authorization is configured
forwarding-enabled -- allows clients to connect to remote ports from server
host-key-size -- RSA key size when host key ir regenarated
strong-crypto -- use stronger encryption, HMAC algorithms, use bigger DH primes and disallow weaker ones
I suppose you could port forward to the second router and connect to it directly from your workstation on the non-standard port, but that may not be allowed due to management policy.
Re: How do you use ssh agent forwarding on the routeros ssh client?
Posted: Fri Nov 16, 2018 12:43 pm
by minfrin
How do I get this supported by Mikrotik?
We have a strict no password policy, and the inability to forward keys makes it difficult for us to enforce that policy.
Re: How do you use ssh agent forwarding on the routeros ssh client?
Posted: Fri Nov 16, 2018 3:04 pm
by janisk
Use SSH ProxyCommand to set up SSH login to hosts that are behind the other SSH host.
Re: How do you use ssh agent forwarding on the routeros ssh client?
Posted: Mon Nov 19, 2018 12:18 pm
by minfrin
Unfortunately port forwarding (whether using the command line or config) only allows you to jump one step past a mikrotik, and is therefore not useful in a secure environment.
Can you confirm when SSH agent forwarding will be supported?
Re: How do you use ssh agent forwarding on the routeros ssh client?
Posted: Mon Nov 19, 2018 7:01 pm
by lambert
If you don't want to wait, VPNs, with as much crypto as SSH, are available now. I have run VPNs inside VPNs to get inside multiple layers of firewalls.
Re: How do you use ssh agent forwarding on the routeros ssh client?
Posted: Fri Mar 22, 2019 4:39 am
by kiwibrew
This is also important to me. Since shifting to 100% keys this has made it very, very difficult to work with some VPN-connected devices.
Re: How do you use ssh agent forwarding on the routeros ssh client?
Posted: Fri Mar 22, 2019 7:52 am
by HouleJm
minfrin wrote:
> Hi all,
> I have routerboard B, that I need to ssh to via routerboard A. All user accounts are protected by SSH keys.
> I am struggling to get ssh agent forwarding to work. When I log into routerboard A I can log in successfully, but when I log into routerboard B I am asked for a password, when I should log in automatically using agent forwarding.
> The AllowAgentForwarding option on the sshd server makes this happen; how do I switch this on?
> Regards,
> Graham
It allows you to use your local SSH keys instead of leaving keys without passphrases sitting on your server.
Re: How do you use ssh agent forwarding on the routeros ssh client?
Posted: Fri Mar 22, 2019 5:21 pm
by eworm
You can use your Mikrotik devices as Jumphost. Just search for this keyword for details.
Example for openssh command line client:
ssh -J Mikrotik-A Mikrotik-B
You can use a chain with more than one jumphost.
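The jump-host approach described above, written as an OpenSSH client configuration. This is an added example, not part of the original post: the addresses, user name, key path and the third host Device-C are constructed placeholders, and only the names Mikrotik-A and Mikrotik-B come from the thread.

```sshconfig
# ~/.ssh/config on the workstation (constructed example; every address,
# the user name and the key path are placeholders, not values from the thread)

Host Mikrotik-A
    HostName 192.0.2.1
    User admin
    IdentityFile ~/.ssh/id_router
    IdentitiesOnly yes
    # No agent socket is created on the jump host
    ForwardAgent no

Host Mikrotik-B
    # Address as seen from Mikrotik-A
    HostName 198.51.100.2
    User admin
    IdentityFile ~/.ssh/id_router
    IdentitiesOnly yes
    # Same effect as: ssh -J Mikrotik-A Mikrotik-B
    ProxyJump Mikrotik-A
    ForwardAgent no

# Hypothetical third device reachable only from Mikrotik-B.
# ProxyJump is resolved recursively, so this goes A -> B -> Device-C.
Host Device-C
    HostName 203.0.113.3
    User admin
    IdentityFile ~/.ssh/id_router
    IdentitiesOnly yes
    ProxyJump Mikrotik-B
    ForwardAgent no
```

With this layout every hop is authenticated end to end from the workstation, so the private key and the agent socket stay on the workstation and the jump hosts only relay TCP. Each jump host has to permit that relaying, which is what the forwarding-enabled property in lambert's listing controls.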
Re: How do you use ssh agent forwarding on the routeros ssh client?
Posted: Sat Mar 23, 2019 1:25 pm
by HouleJm
Let's configure and test SSH forwarding using GitHub as a remote service to pull our code into the host.