encrypted password for mikrotik config
Posted: Wed Aug 06, 2008 10:24 pm
by ngaleyev
Hello,
Is there any way to configure the MikroTik login "Cisco style" (username admin password 7 &^@bn@!BNM)?
Meaning: configure it from the console, adding a username followed by the encrypted password.
I would not like whoever configures it to know the admin password.
Thanks
Re: encrypted password for mikrotik config
Posted: Thu Aug 07, 2008 11:28 am
by normis
I don't understand - the admin himself will know the password? If yes, then let him add the password. After it is added, nobody will see it.
Re: encrypted password for mikrotik config
Posted: Thu Aug 07, 2008 12:44 pm
by antefe
I believe what ngaleyev is trying to say is that he would like to know if there is a way to add a user with administrator privileges that will not be able to view the other administrators' login passwords.
I'll check it out now... if someone knows if this can be done, I'd be interested to know too.
Re: encrypted password for mikrotik config
Posted: Thu Aug 07, 2008 12:47 pm
by normis
but other admins are NOT able to see your password
Re: encrypted password for mikrotik config
Posted: Thu Aug 07, 2008 1:30 pm
by antefe
That is true... my mistake!!!
Re: encrypted password for mikrotik config
Posted: Thu Aug 07, 2008 3:15 pm
by ngaleyev
I need temporary employees to program a lot of routers.
I would like them not to know the full-access password.
Re: encrypted password for mikrotik config
Posted: Thu Aug 07, 2008 3:18 pm
by ngaleyev
I just got it...
I had a text file that they copy and paste into the terminal.
Instead I will give them a backup config file with the passwords already preset.
Simple enough.
Re: encrypted password for mikrotik config
Posted: Thu Aug 07, 2008 3:30 pm
by normis
A backup file sometimes doesn't work on different hardware than it was made on.
Re: encrypted password for mikrotik config
Posted: Thu Aug 07, 2008 3:51 pm
by ngaleyev
I'll keep this in mind.
Luckily all our routers will be the same hardware.
Re: encrypted password for mikrotik config
Posted: Wed Apr 26, 2017 10:55 pm
by ploquets
Imagine this:
We have a bunch of SXTs.
Every SXT is "protected" by a random password, which is linked somehow to the customer database (customer code, or something like that)....
This password can only be retrieved if an employee has access to the ERP of this company.
So, if a guy is working at this company, he is allowed to retrieve this password.... but what if he gets fired? He will not remember all the passwords.
But one sector of the company is more like, "trustable".
And they want to have access without going to check the password. This will also be used for scripting.
So...
They made a script with a password as a backdoor, only for this sector to use.
The problem is, the password is plain text inside the config script, and this config script is used by anybody else to get access to this SXT.
Is it possible to put a hashed password inside this script?
Re: encrypted password for mikrotik config
Posted: Thu Apr 27, 2017 6:46 am
by idlemind
Why not just use SSH keys? When you link a public key to a user and have always-allow-password-login set to no, you won't be able to log in via password. By stealing the public key file you just get to access any device they install it on. You can keep the private key, well, private. The only thing I didn't verify is if password auth is turned off even when no password is set on the user account. It for sure is if a password is configured; for your purposes that could be 1234. It wouldn't let you or them in.
- Generate a private and public key pair for use with the administrative user. This can be done from a linux box like so:
ssh-keygen -t rsa -b 2048 -C '' -f myfirstsshkey
- Ensure that the SSH server has "always-allow-password-login" set to "no"
/ip ssh set always-allow-password-login=no
- Upload the public key to the MikroTik device (you can place the same public key on all of your devices). You can use SFTP (SSH) or any number of other methods during your setup procedure.
- Link the public key to the default admin user
/user ssh-keys import public-key-file=myfirstsshkey.pub user=admin
- Victory
This can be tested from a Linux box via:
ssh -i myfirstsshkey admin@rtr1
This can be tested from a Windows box via Putty:
- Use Putty Key Generator to Load "myfirstsshkey" (private key)
- Click Save private key to save the private key in Putty's required format
- Launch a new Putty session and on the left tree navigate to Connection -> SSH -> Auth. Click on Auth
- Click Browse to the right of the text box underneath "Private key file for authentication" and navigate to the Putty formatted private key (let's assume you named it myfirstsshkey.ppk)
- Navigate to Connection -> Data. Click on data and enter "admin" into the text box to the right of "Auto-login username"
- Click on Session and enter the host name or IP of the router. Click Open (You could also save the session configuration so you don't have to reenter everything)
No animals were hurt during this lab and for posterity this was tested on a hEX Gr3 running 6.38.5.
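The key-based procedure above, scripted end to end for a batch of routers, as an added example (not idlemind's or MikroTik's code). It assumes the routers are reachable under the constructed names in ROUTERS, that the existing admin login still works for this one-time setup, and that scp to the router's file store works over SSH (the post mentions SFTP). The check_public_key function is the safeguard this thread is about: the file handed to provisioning staff must contain public key material only.

```shell
#!/bin/sh
# Added example: roll out SSH public-key login for the admin user on a batch
# of MikroTik routers, following the steps in the post above. Assumptions:
# router names in ROUTERS are reachable, the current admin password is still
# valid for this one-time setup, and ssh/scp are in PATH.

KEYFILE="${KEYFILE:-myfirstsshkey}"   # private key never leaves this host
PUBFILE="$KEYFILE.pub"                # the only file that is sent out
ROUTERS="${ROUTERS:-rtr1 rtr2}"       # constructed sample hostnames

# Return 0 only for an OpenSSH public key; refuse private key material or
# anything unrecognised, so a mistaken file can never be shipped.
check_public_key() {
    f="$1"
    [ -r "$f" ] || return 1
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "refusing $f: contains private key material" >&2
        return 1
    fi
    first=$(head -n 1 "$f" | cut -d' ' -f1)
    case "$first" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521)
            return 0 ;;
        *)  echo "refusing $f: not an OpenSSH public key" >&2; return 1 ;;
    esac
}

# Generate the key pair once, exactly as in the post (prompts for a passphrase).
make_keypair() {
    [ -f "$KEYFILE" ] || ssh-keygen -t rsa -b 2048 -C '' -f "$KEYFILE"
}

# Upload the public key, bind it to admin, then disable password login.
# Order matters: if the import fails we stop before locking ourselves out.
provision_router() {
    r="$1"
    check_public_key "$PUBFILE" || return 1
    scp "$PUBFILE" "admin@$r:$PUBFILE" || return 1
    ssh "admin@$r" "/user ssh-keys import public-key-file=$PUBFILE user=admin" || return 1
    ssh "admin@$r" "/ip ssh set always-allow-password-login=no" || return 1
    # Confirm key-only login works before moving to the next router.
    ssh -i "$KEYFILE" -o BatchMode=yes -o PasswordAuthentication=no \
        "admin@$r" "/system identity print"
}

main() {
    make_keypair
    for r in $ROUTERS; do provision_router "$r" || echo "failed: $r" >&2; done
}

if [ "${1:-}" = "provision" ]; then main; fi
```

Run it as `sh provision.sh provision`; without the argument it only defines the functions, so it can be sourced for the check alone.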
Re: encrypted password for mikrotik config
Posted: Thu Apr 27, 2017 7:42 am
by idlemind
Is it possible to put a hashed password inside this script?
Read my post about SSH public key authentication above. You'll still have to provide the private key to the script but you can use file permissions to limit its exposure.
Re: encrypted password for mikrotik config
Posted: Thu Apr 27, 2017 2:40 pm
by ploquets
Is it possible to put a hashed password inside this script?
Read my post about SSH public key authentication above. You'll still have to provide the private key to the script but you can use file permissions to limit its exposure.
What about winbox access?
Re: encrypted password for mikrotik config
Posted: Thu Apr 27, 2017 2:42 pm
by normis
Use RADIUS authentication with unique password for each user. Then just delete his account.
Re: encrypted password for mikrotik config
Posted: Thu Apr 27, 2017 4:29 pm
by idlemind
What about winbox access?
Real men use SSH and SNMPv3 authPriv!
Just kidding, I can't speak for Winbox as I simply haven't had a need for it yet. Maybe because I'm a Cisco and Linux guy I've always just felt better at the command line. I do like the suggestion from Normis regarding RADIUS. I've used MS NPS in Cisco land to control access to devices with it, and also used the proprietary TACACS.
Re: encrypted password for mikrotik config
Posted: Thu Apr 27, 2017 5:19 pm
by ploquets
Use RADIUS authentication with unique password for each user. Then just delete his account.
Normis, if the SXT could not access the RADIUS server, this would be a problem too.
Because sometimes the device is not connected to any AP. So, without communication with RADIUS, it would not be possible to go there (where the SXT is) and see what is going on.
Then we are back to the problem that an admin account with a "default" password would be needed. Which is exactly what we don't want to have.
Re: encrypted password for mikrotik config
Posted: Thu Apr 27, 2017 5:34 pm
by idlemind
Use RADIUS authentication with unique password for each user. Then just delete his account.
Normis, if the SXT could not access the RADIUS server, this would be a problem too.
Because sometimes the device is not connected to any AP. So, without communication with RADIUS, it would not be possible to go there (where the SXT is) and see what is going on.
Then we are back to the problem that an admin account with a "default" password would be needed. Which is exactly what we don't want to have.
In that case you'll need either a password or an SSH key. Both need to be maintained. When an employee leaves it needs to be changed immediately. You can limit its exposure by giving that password or key to as few people as possible, as well as having different keys or passwords per device and only giving them to, say, a manager or owner. You also can limit this special-case privileged account to only log in from a particular IP address, making it more difficult for them to access the device. An example would be to make an account named "recovery" and require that it log in from the core router. The core router can reach the RADIUS server, so the admin logs in normally there. They can then use the "recovery" account and password or key to access these down routers. I'm not sure if MikroTik allows local console (serial) access when a user login is restricted by IP, for use in the event of a completely down device.
Like all things in security, if you have physical access to the gear it's basically game over at that point anyway.
It's important to combine policy and technical prowess and not rely too heavily on either. It's not feasible to secure something by technology alone for all use cases, and it is impractical to rely on policy alone to protect you.
Re: encrypted password for mikrotik config
Posted: Thu Jul 18, 2019 11:53 am
by OlofL
Any updates on this one?
In the world of automation, it would be nice to generate a list of users.
I need to not know the passwords of the other users.
For most other network OSes we have, there is an option to paste the encrypted password.
Re: encrypted password for mikrotik config
Posted: Thu Jul 18, 2019 12:19 pm
by spacex
Imagine this:
We have a bunch of SXTs.
Every SXT is "protected" by a random password, which is linked somehow to the customer database (customer code, or something like that)....
This password can only be retrieved if an employee has access to the ERP of this company.
So, if a guy is working at this company, he is allowed to retrieve this password.... but what if he gets fired? He will not remember all the passwords.
But one sector of the company is more like, "trustable".
And they want to have access without going to check the password. This will also be used for scripting.
So...
They made a script with a password as a backdoor, only for this sector to use.
The problem is, the password is plain text inside the config script, and this config script is used by anybody else to get access to this SXT.
Is it possible to put a hashed password inside this script?
That's exactly what I want.
Re: encrypted password for mikrotik config
Posted: Thu Jul 18, 2019 12:55 pm
by cdiedrich
And not to mention having the user database in an export.
Re: encrypted password for mikrotik config
Posted: Fri Jun 12, 2020 3:36 pm
by storybel
Exactly! I do not understand how in the 2020s it is not yet possible to create a user with the encrypted version of his password.
I shouldn't have to know the password of my colleagues when I install a router and have to create their access!
Do not tell me that RADIUS is the right solution; when the router is isolated from the network you no longer know how to connect to it.
Re: encrypted password for mikrotik config
Posted: Fri Jun 12, 2020 3:47 pm
by mutluit
@ngaleyev, do you know that passwords are not static but can (and should) be changed anytime by their user?...
Or is that not wanted by your org?
Tip: you should always have at least 2 admin users configured (admin + company), in case the admin leaves the company, or suddenly dies in an accident or from a heart attack or so, or becomes insane or goes nuts...
Re: encrypted password for mikrotik config
Posted: Fri Jun 12, 2020 4:22 pm
by pe1chl
It would all be so simple if the /export command included an export of the users with their passwords (encrypted, of course) and other attributes, just like all other config info.
Maybe in the past this was not a great idea because the passwords were stored in plaintext or at least in reversible encryption, so everyone getting hold of such an export could see the passwords (just like with a Cisco router).
However, by now all current versions store user passwords only as hashes, and exporting those hashes would not be a real problem.
Plus the added convenience is that the users can be added by importing that export and the people that do this do not get to see the actual password.
However, I installed the beta usermanager package on the v7 beta release and in /export it shows the user-manager user with its password IN PLAINTEXT.
So security awareness at MikroTik still has some way to go... I would have hoped that by now all passwords were stored only as hashes.
Re: encrypted password for mikrotik config
Posted: Fri Aug 06, 2021 6:16 pm
by fgauthier
1 year later, has MikroTik implemented this feature? It would be very helpful for me because not all MikroTiks are programmed by me, and we need to install all the admin users on every MikroTik and different models. If only a feature like this could exist in the CLI!
/user
add group=XXXXX name=XXXXXXXX password-ENC=ashugsdkjvnsdyguhrewyweriui734yqdn
add group=XXXXX name=YYYYYYYY password-ENC=wsdhfuir67iuoiltkrtwtyrty945634tgert46
add group=XXXXX name=ZZZZZZZZZ password-ENC=awtyerthyerthertywertuyjghkgkjgyjgkhj
So you can add all the users without knowing the password in clear text, and when you type it in Winbox, you need the decrypted password.
Or is there any other solution?
Re: encrypted password for mikrotik config
Posted: Sat Sep 25, 2021 6:09 pm
by macpacheco
I don't understand - the admin himself will know the password? If yes, then let him add the password. After it is added, nobody will see it.
Plenty of reasons for the Cisco style approach.
For instance, I want to copy someone's account to a different router. I don't know his password. If /user export showed the password hash in a readable form, I could set it on the other side, and all would be good.
I was ordered to change the password on all routers in the ISP. I know the new password, but I don't want to type that password anywhere.
I ended up forced to have the password in the clear in a Python program.
Ideally I want to set the password on one router, get the hash and use that in my script.
All other networking equipment we use supports this approach: Datacom (datacom.ind.br) and HP/3COM (luckily we don't use Cisco).