Recent OpenSSH client fails to log in
Posted: Wed Dec 06, 2023 11:34 pm
I have noticed a number of posts regarding SSH keys failing etc. After a routine patch of my Linux machine, I was sent into a frenzy banging my head, many `ssh -vvvv` and copious searches until I eventually figured out why my SSH keys were no longer working. (This was a year or three ago, but I ran into it again when I deployed a new Mikrotik at home.)

You need to explicitly re-enable the deprecated SHA1 RSA cipher "ssh-rsa" for RouterOS connections, either in the global `/etc/ssh/ssh_config` (not sshd_config) or in a user-specific `~/.ssh/config` file. Add the following line to your connection stanza (see my edit below):

Code:
PubkeyAcceptedKeyTypes +ssh-rsa

Example extract from my `~/.ssh/config`:

Code:
Host mikrotik1 mikrotik2 10.20.30.40
User admin
Port 22
Compression yes
TCPKeepAlive yes
NumberOfPasswordPrompts 1
ServerAliveInterval 60
# Accepts any host key without verification; this removes protection against a man-in-the-middle on the path to the router
StrictHostKeyChecking no
# Re-enable RSA SHA1 otherwise connection will fail (SHA1 deprecated)
PubkeyAcceptedKeyTypes +ssh-rsa
IdentityFile ~/.ssh/id_rsa

EDIT: After writing this, I realised my Linux box was using old RSA keys that were generated a few years ago using old ciphers and causing this error. Generating new RSA keys appears to have fixed this issue for me.

NOTE: OpenSSH etc. have also sunset RSA & DSA keys and recommend moving over to ECDSA keys, but none of my routers (RouterOS v6.49.10) appear to support ECDSA, giving the following error:

Code:
Couldn't perform action - unable to load key file (wrong format?) ! (6)

Disabling the password after key restriction

If you want to disable the default of rejecting password SSH logins after loading SSH keys, set the following to allow both key & interactive (password) login:

Code:
/ip ssh set always-allow-password-login=yes

I prefer setting this just in case my keys go wonky and I need to access my routers via SSH to fix them.

I hope this little tidbit saves a few bruised foreheads!
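To make the `ssh -vvvv` hunt described in the post repeatable, here is an added example (not part of the original post, and not MikroTik's or OpenSSH's code) that reads the client debug output of a failed login and says whether the cause is the retired ssh-rsa signature algorithm, then emits a per-host config stanza. It assumes the debug strings that OpenSSH 8.8 and later clients print (`send_pubkey_test: no mutual signature algorithm`, `no matching host key type found. Their offer: ...`); the two sample logs are constructed, not captured from a router; and it also covers the related host-key variant of the failure, which the post does not mention. `PubkeyAcceptedAlgorithms` is the current name of the option the post calls `PubkeyAcceptedKeyTypes` (OpenSSH kept the old name as an alias).

```python
"""Classify a failed `ssh -vvv` session and suggest a per-host ssh_config fix.

Added example; not from the original post. Assumptions: the debug strings
matched here are those printed by OpenSSH 8.8+ clients, and the sample logs
at the bottom are constructed, not captured from a real router.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, field

# OpenSSH client debug lines this tool keys on.
OFFER_RE = re.compile(r"Offering public key: (\S+) (\S+)")
NO_MUTUAL_RE = re.compile(r"no mutual signature (?:algorithm|supported)")
HOSTKEY_OFFER_RE = re.compile(r"no matching host key type found\. Their offer: (\S+)")
CAN_CONTINUE_RE = re.compile(r"Authentications that can continue: (\S+)")
DENIED_RE = re.compile(r"Permission denied \(([^)]+)\)")


@dataclass
class Diagnosis:
    offered_keys: list[tuple[str, str]] = field(default_factory=list)  # (path, key type)
    no_mutual_signature: bool = False
    hostkey_offer: list[str] = field(default_factory=list)
    server_auth_methods: list[str] = field(default_factory=list)
    denied: bool = False

    @property
    def needs_pubkey_ssh_rsa(self) -> bool:
        """The post's case: an RSA key was offered, but the only signature
        algorithm both sides share is ssh-rsa (RSA/SHA-1), which the client
        no longer accepts by default."""
        return self.no_mutual_signature and any(t == "RSA" for _, t in self.offered_keys)

    @property
    def needs_hostkey_ssh_rsa(self) -> bool:
        """Related failure: the server can only prove its identity with an
        ssh-rsa host key, so the connection dies before authentication."""
        return "ssh-rsa" in self.hostkey_offer


def parse_ssh_debug(log: str) -> Diagnosis:
    """Walk the debug output line by line and record what matters."""
    d = Diagnosis()
    for line in log.splitlines():
        if m := OFFER_RE.search(line):
            d.offered_keys.append((m.group(1), m.group(2)))
        elif NO_MUTUAL_RE.search(line):
            d.no_mutual_signature = True
        elif m := HOSTKEY_OFFER_RE.search(line):
            d.hostkey_offer = m.group(1).split(",")
        elif m := CAN_CONTINUE_RE.search(line):
            d.server_auth_methods = m.group(1).split(",")
        elif DENIED_RE.search(line):
            d.denied = True
    return d


def findings(d: Diagnosis) -> list[str]:
    """Human-readable conclusions drawn from the parsed session."""
    out = []
    if d.needs_pubkey_ssh_rsa:
        out.append("client refused to sign with ssh-rsa (RSA/SHA-1); server offers nothing newer")
    if d.needs_hostkey_ssh_rsa:
        out.append("server host key algorithms limited to: " + ",".join(d.hostkey_offer))
    if d.denied and not d.no_mutual_signature and not d.hostkey_offer:
        out.append("public key rejected by server; verify it is imported for this user on the router")
    return out


def suggest_config(host: str, d: Diagnosis, identity: str | None = None) -> str:
    """Build a Host stanza that re-enables ssh-rsa only where the diagnosis
    needs it, so the weak algorithm stays off for every other server."""
    lines = [f"Host {host}"]
    if d.needs_pubkey_ssh_rsa:
        lines.append("    # Re-enable RSA/SHA-1 signatures for this host only, not globally.")
        lines.append("    PubkeyAcceptedAlgorithms +ssh-rsa")
    if d.needs_hostkey_ssh_rsa:
        lines.append("    HostKeyAlgorithms +ssh-rsa")
    if identity:
        lines.append(f"    IdentityFile {identity}")
    return "\n".join(lines)


# Constructed sample: RSA key offered to a server that only takes ssh-rsa.
SAMPLE_PUBKEY_LOG = """\
debug1: Local version string SSH-2.0-OpenSSH_9.3
debug1: Remote protocol version 2.0, remote software version ROSSSH
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/me/.ssh/id_rsa RSA SHA256:c0nstructedF1ngerpr1nt
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Next authentication method: password
admin@10.20.30.40: Permission denied (publickey,password).
"""

# Constructed sample: the earlier failure, at key exchange, when the server
# has only an ssh-rsa host key and the client has that algorithm disabled.
SAMPLE_HOSTKEY_LOG = """\
debug1: Local version string SSH-2.0-OpenSSH_9.3
debug1: Remote protocol version 2.0, remote software version ROSSSH
Unable to negotiate with 10.20.30.40 port 22: no matching host key type found. Their offer: ssh-rsa
"""

if __name__ == "__main__":
    # Pipe real output in: ssh -vvv admin@10.20.30.40 2>&1 | python3 ssh_diag.py
    text = SAMPLE_PUBKEY_LOG if sys.stdin.isatty() else sys.stdin.read()
    diag = parse_ssh_debug(text)
    for f in findings(diag):
        print("finding:", f)
    print(suggest_config("10.20.30.40", diag, "~/.ssh/id_rsa"))
```

The stanza it produces scopes the `+ssh-rsa` override to the one router that needs it; putting the same line in `/etc/ssh/ssh_config` under `Host *` turns SHA-1 signatures back on for every server you talk to, which is exactly what the OpenSSH default was meant to stop.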