upgrade-package-source
Posted: Wed Mar 17, 2010 5:49 am
by he1ium
Ok I have finally given up on this. When executing the /system upgrade upgrade-package-source cmd, it will prompt you for a
[admin@Mikrotik] > /system upgrade upgrade-package-source add address=1.1.1.1 user=mtupdate
password: <- THIS IS THE PART I AM HAVING TROUBLES SCRIPTING BELOW AND THERE IS NO SET PASSWORD OPTION
Here is the issue. There is no cmd to add/edit/anything the password during or after. This makes scripting the password impossible so far. You can only edit the name and the source. If you copy and paste -
/system upgrade upgrade-package-source add address=1.1.1.1 user=mtupdate
p4$$w0RD
into the terminal, this works fine. But put that same code into /system script and it does not work. Anyone have any ideas? Here is my current (not working) script where I attempted to use \r\n. I've tried several variations, including opening the created script in the gui and putting the password on line 2 -
/system script add name=pkgsource source={/system upgrade upgrade-package-source add address=1.1.1.1 user=mtupdate \r\n p4$$w0RD}
Here is what I am trying to push from start to finish if anyone is interested. It basically adds 2 scripts. The first sets the auto update server, the second checks for firmware updates and installs if necessary. If you tell me I should just copy and paste in the cmd line, I'll tell you I'm dealing with over 300 routers so that's not an option -
#Remove Package Source Entry
foreach i in=[/system upgrade upgrade-package-source find] do={/system upgrade upgrade-package-source remove $i;};
#Remove All Scripts
foreach i in=[/system script find] do={/system script remove $i;};
#Upgrade Package Source
/system script add name=pkgsource source={/system upgrade upgrade-package-source add address=1.1.1.1 user=mtupdate \r\n p4$$w0RD}
#Upgrade Script
/system script add name=upgrade source={/system upgrade refresh; :delay 10; :if ([/system upgrade get [/system upgrade find source=1.1.1.1] status]!="installed") do={/system upgrade download-all reboot-after-download=yes}}
#Run Upgrade Scripts
/system script run pkgsource
/system script run upgrade
Re: upgrade-package-source
Posted: Thu Mar 18, 2010 11:39 pm
by he1ium
So there's no one in here that knows how to script the "/system upgrade upgrade-package-source" command where it asks for the password: ?
Re: upgrade-package-source
Posted: Thu Mar 18, 2010 11:51 pm
by fewi
I don't think you can script it internally. Bad oversight by MT, definitely contact support.
As a workaround, don't use the internal scripts or API but use an external host that can push communication by faking out a terminal session. Net::SSH::Perl should work, or even just a simple solution using expect.
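An added example (not code from this thread) of the expect-style workaround suggested above: send the command, wait for the `password:` prompt, answer it, and keep the answer out of the captured transcript. The `chan` interface with `send`/`recv` and the `FakeRouter` stand-in are assumptions made so the example runs offline.

```python
import re

class PromptTimeout(Exception):
    """Raised when the expected prompt never shows up."""

def answer_prompt(chan, command, prompt_re, answer, shell_re=r"\] > $", max_reads=20):
    """Send command, answer its single interactive prompt, return the transcript.

    chan: any object with send(str) and recv() -> str, e.g. a thin wrapper
    around an SSH channel (assumption; the thread names no specific API).
    The answer is written to the channel only, never to the transcript.
    """
    chan.send(command + "\r\n")
    transcript, answered = "", False
    for _ in range(max_reads):
        chunk = chan.recv()
        if not chunk:
            break
        transcript += chunk
        if not answered and re.search(prompt_re, transcript):
            chan.send(answer + "\r\n")
            answered = True
        elif answered and re.search(shell_re, transcript):
            return transcript
    raise PromptTimeout("prompt %r not completed" % prompt_re)

class FakeRouter:
    """Constructed stand-in for a RouterOS terminal, so the example runs offline."""
    def __init__(self):
        self.pending, self.sources, self.cmd = [], [], None
    def send(self, data):
        line = data.strip()
        if self.cmd is None and "upgrade-package-source add" in line:
            self.cmd = line
            self.pending.append(line + "\r\npassword: ")  # prompt; reply is not echoed
        elif self.cmd is not None:
            self.sources.append((self.cmd, line))          # reply consumed as the password
            self.cmd = None
            self.pending.append("\r\n[admin@Mikrotik] > ")
    def recv(self):
        return self.pending.pop(0) if self.pending else ""

def demo(password="constructed-secret"):
    router = FakeRouter()
    cmd = "/system upgrade upgrade-package-source add address=1.1.1.1 user=mtupdate"
    log = answer_prompt(router, cmd, r"password: $", password)
    return log, router.sources
```

Against real devices the `chan` wrapper would sit on an SSH channel, and the answer would be read from a secret store or environment variable so that it never appears in argv or shell history.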
Re: upgrade-package-source
Posted: Fri Mar 19, 2010 4:34 am
by he1ium
Thanks for the reply. We did get it to work by pushing it into /system/scripts using the API. But 4.6 seems to have broken that. We used to be able to run it from /system scripts just like this with the password on a new line -
/system upgrade upgrade-package-source add address=1.1.1.1 user=mtupdate
p4ssw0RD
Now our app is using pure SSH with a line by line txt file. We would have to make a custom EXPECT to automate the upgrades. Not that big of a deal, but very frustrating. You should be able to script every function of this router. I can also see running /system/reboot as being a problem now as well. I don't know how many other cmds have this issue. Anyone else with suggestions? MikroTik, any chance we can get this changed in a future release?
Re: upgrade-package-source
Posted: Fri Mar 19, 2010 8:31 am
by janisk
through API
does not ask anything, just reboots.
Re: upgrade-package-source
Posted: Fri Mar 19, 2010 9:56 pm
by he1ium
Ok, so how do you get it to do that through the terminal and not using the API? -
MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK
MikroTik RouterOS 4.6 (c) 1999-2010
http://www.mikrotik.com/
[admin@Mikrotik] > /system reboot
Reboot, yes? [y/N]:
Re: upgrade-package-source
Posted: Sat Mar 20, 2010 5:57 pm
by Chupaka
create a script with '/system reboot' command, and run that script from CLI =)
Re: upgrade-package-source
Posted: Mon Mar 22, 2010 11:16 am
by janisk
Ok, so how do you get it to do that through the terminal and not using the API? -
[admin@Mikrotik] > /system reboot
Reboot, yes? [y/N]:
in api you get
!done
and then router goes for reboot.
Re: upgrade-package-source
Posted: Tue Mar 23, 2010 6:40 am
by he1ium
I still haven't got an answer on how to do this "with out" the API. Chupaka, your system does not work as per below. It still asks for a y/N reply just like the password: reply request from my first post -
[admin@Mikrotik] > /system script run reboot
Reboot, yes? [y/N]:
Re: upgrade-package-source
Posted: Tue Mar 23, 2010 6:57 am
by dssmiktik
he1ium,
I've been using /system reboot in scripts ever since v3 with no problems at all. Did you follow Chupaka's advice exactly? Here's a breakdown (just for you):
From the CLI:
/system script add name="RebootTest" source="/system reboot"
/system script run RebootTest
Your router should reboot after running these 2 commands.
Note: Make sure your RouterOS user's group has the reboot policy enabled.
Re: upgrade-package-source
Posted: Tue Mar 23, 2010 11:57 am
by janisk
in future releases upgrade-package-source API behaviour will be changed, it will accept password as an argument. Behaviour in CLI will not change. Just wait for new releases.
Re: upgrade-package-source
Posted: Wed Mar 24, 2010 6:51 am
by he1ium
dssmiktik,
Yes I have tried just like Chupaka. It still asks for y/N just like the screen copy. This is v.4, are you still using v.3?
Re: upgrade-package-source
Posted: Wed Mar 24, 2010 6:56 am
by he1ium
janisk,
This is sad
What about other commands that have the same issue in the CLI? I just don't understand why the password would not be an option/variable using the CLI. This makes life really frustrating when you are dealing with 300+ locations. Thanks at least for an answer even if it's not the one I wanted
Re: upgrade-package-source
Posted: Wed Mar 24, 2010 10:23 am
by janisk
if you connect through CLI, and issue commands, then commands are saved into command history, from where they can be retrieved in later logins. If history will sport passwords and users for other routers, for certificates etc. that would be serious security problem.
we can enable these arguments in API, as there is no command history
Re: upgrade-package-source
Posted: Wed Mar 24, 2010 10:38 am
by dssmiktik
dssmiktik,
Yes I have tried just like Chupaka. It still asks for y/N just like the screen copy. This is v.4, are you still using v.3?
Currently I'm using v4.6 with no problems. I've been doing system reboots via scripts with no user interaction required since about v3.20 or so through v4.6.
Could you post exactly what you're typing at the command-line or how you're running the commands?
Re: upgrade-package-source
Posted: Thu Apr 22, 2010 9:43 am
by he1ium
OK, I have found something interesting. The script works on the RB1000 router but not on an RB493AH. Any thoughts?
Re: upgrade-package-source
Posted: Thu Apr 22, 2010 9:44 am
by he1ium
here is the script -
system reboot;
y;
Re: upgrade-package-source
Posted: Thu Apr 22, 2010 10:49 am
by dssmiktik
here is the script -
system reboot;
y;
I can understand your frustration with the upgrade-package-source issue, however I'm not sure you are following the posted steps. Your script is not the same as what I instructed you to do.
Please follow these instructions exactly (even copy and paste them would work).
/system script add name="RebootTest" source="/system reboot"
/system script run RebootTest
Your router will reboot.
Janisk,
Your theory doesn't quite make sense to me.
if you connect through CLI, and issue commands, then commands are saved into command history, from where they can be retrieved in later logins. If history will sport passwords and users for other routers, for certificates etc. that would be serious security problem.
What about these commands:
- /tool fetch address=<ip> user=<user> password=<pass> -- this is saved in the history
- /ppp secret set <name> password=<pass> - this is saved in the history
- /user set <user> password=<pass> - this is saved in the history
- /ip hotspot user set <user> password=<pass> - this is saved in the history
Why not rely on the 'sensitive' permission on the user to exclude them from seeing passwords? Ultimately, you have control over what gets saved in the RouterOS history, why not just remove the password field from the history data?
Just a thought.
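An added example (not part of the thread, and not RouterOS code) of the idea raised in the post above: masking `password=` values in captured command lines before they are stored or shared. The sample lines are constructed from the command forms listed in the post; `SECRET_KEYS` and the function names are assumptions for illustration.

```python
import re

# Parameter names treated as secrets (assumption: extend for your own command set).
SECRET_KEYS = ("password",)

# key=value, where value is a "quoted string" (with \" escapes) or a bare token.
_ARG = re.compile(r'\b(?P<key>[A-Za-z0-9-]+)=(?P<val>"(?:\\.|[^"\\])*"|[^\s;\]\}]+)')

def redact(line, mask="<redacted>"):
    """Return (redacted_line, number_of_values_masked)."""
    hits = 0
    def repl(m):
        nonlocal hits
        key, val = m.group("key"), m.group("val")
        if key.lower() in SECRET_KEYS:
            hits += 1
            return key + "=" + mask
        if val.startswith('"'):  # e.g. a script body: look inside the quoted value
            inner, n = redact(val[1:-1], mask)
            hits += n
            return key + '="' + inner + '"'
        return m.group(0)
    return _ARG.sub(repl, line), hits

def audit(lines):
    """Return [(line_number, redacted_line)] for every line that carried a secret."""
    findings = []
    for n, line in enumerate(lines, 1):
        clean, hits = redact(line)
        if hits:
            findings.append((n, clean))
    return findings

# Constructed history lines, modelled on the commands listed in the post above.
SAMPLE = [
    '/tool fetch address=10.0.0.5 user=backup password=s3cret src-path=cfg.rsc',
    '/ppp secret set alice password="two words \\"quoted\\""',
    '/system upgrade refresh',
    '/user set bob password=hunter2; /ip hotspot user set carol password=x',
    '/system script add name=x source="/tool fetch user=u password=p1"',
]
```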
Re: upgrade-package-source
Posted: Thu Apr 22, 2010 1:30 pm
by Chupaka
maybe, router's password is a bit more important than user's password? =)
Re: upgrade-package-source
Posted: Thu Apr 22, 2010 3:51 pm
by janisk
when one router of your network is compromised that is bad, but if by getting into one router someone could gain access to other router, and that is not acceptable.
Re: upgrade-package-source
Posted: Tue Apr 27, 2010 10:45 pm
by he1ium
dssmiktik,
Thanks for your help. I tried several variations including the one you posted. Mikrotik has since then admitted it is an issue with the 493AH model. Nuff said.
Re: upgrade-package-source
Posted: Thu Apr 29, 2010 2:37 pm
by janisk
could not get what with the specific RouterBOARD model mentioned there, but from API it is not possible to set up rule.
*) api - can supply password to '/system/upgrade/upgrade-package-source/add';
Re: upgrade-package-source
Posted: Thu Apr 29, 2010 7:57 pm
by dssmiktik
could not get what with the specific RouterBOARD model mentioned there, but from API it is not possible to set up rule.
*) api - can supply password to '/system/upgrade/upgrade-package-source/add';
not, or now possible?
Re: upgrade-package-source
Posted: Fri Apr 30, 2010 2:01 pm
by janisk
sorry - it is possible.
Re: upgrade-package-source
Posted: Tue May 04, 2021 6:50 pm
by Deantwo
when one router of your network is compromised that is bad, but if by getting into one router someone could gain access to other router, and that is not acceptable.
I know this thread is super old, but this still annoys me to no end.
Why does the "/system upgrade upgrade-package-source" even use a USER at all? The "/tool bandwidth-server" doesn't use a USER.
My only guess why, is because the "/system upgrade" service needs to use FTP services to download the files from the central router.
It also uses the WinBox port and service, meaning if you want to use this service to upgrade routers over the internet you need to have the WinBox port and service exposed to the internet.
The final question it comes down to is, why is the "/system upgrade" service designed like this at all? It is a security risk if used incorrectly and it is overly complicated to set up correctly.
Assuming you want to use this over the internet: Best you can do to mitigate these issues is to make a user that doesn't have write permission (only "winbox, read, ftp" permissions), set an IP-address whitelist on all other users on the router, and if able a time-scheduled firewall rule to only open up this within a specific time window.
Really hoping a new version of the "/system upgrade" service will come with version 7.x, as this is just painful.
See also:
viewtopic.php?f=2&t=26108