v5.5 bug: after ssh-keys password login via ssh is blocked
Posted: Tue Jul 19, 2011 3:29 am
by MartinT
After adding ssh-keys for a user, this user is no longer allowed to log in via ssh with a password. Tested from another RouterOS (it simply asks for the password again) and from a Linux box ("Permission denied, please try again."). Confirmed in v5.4 too.
Other types of login seem to work (console and mac-telnet tested).
I don't think it is such bad behaviour, but if this is a "feature", users should be notified somewhere (manual?) and should have control over it.
Re: v5.5 bug: after ssh-keys password login via ssh is block
Posted: Tue Jul 19, 2011 3:57 am
by fewi
It is confirmed as a "feature".
Re: v5.5 bug: after ssh-keys password login via ssh is block
Posted: Thu Jul 21, 2011 12:45 pm
by fabsoft
It's a BUG!
All OpenSSH systems handle it correctly.
Re: v5.5 bug: after ssh-keys password login via ssh is block
Posted: Thu Jul 21, 2011 4:20 pm
by mrz
What is considered "correct handling"?
Re: v5.5 bug: after ssh-keys password login via ssh is block
Posted: Mon Aug 08, 2011 11:43 am
by szuwar
And what exactly is that "feature" doing?
Making login via ssh worse and harder than on any other OpenSSH system?
The user should be able to configure whatever he wants, key-only or key/password logins; the default should be both.
"Correct handling" means the default behaviour implemented in any other OpenSSH system and considered correct by users.
Re: v5.5 bug: after ssh-keys password login via ssh is block
Posted: Thu Aug 11, 2011 11:35 pm
by jp
I'm using 5.6 and noticed similar ssh problems.
Setting up an RB750GL, which comes with 5.2-ish, I cannot use SCP to update the firmware. I have to use FTP. This is regardless of whether admin has a password assigned yet.
Updated to 5.6 and see the SSH problems discussed here. I don't use the older versions, so I can't say for 5.5 or 5.2.
I also put it on a 433AH and see similar.
ssh with keys works and disables ssh access from that host. This isn't a feature. If it were a feature, it should only disable access for a user at that host. All users at the remote host can't get in with a password after setting up a key on the MT. Keys are for individual accounts on a host, not for the whole host and not for other hosts connecting to admin.
Here's an example where I set up a key on the MT to accept passwordless admin connections from my jp@huehuetenango account. After setting this up, I cannot ssh in as admin from anywhere except that username on that host. Other accounts on the same machine also cannot connect. Telnet, winbox and ftp are not affected.
ptyler@huehuetenango:~> ssh admin@69.39.112.241
admin@69.39.112.241's password:
Permission denied, please try again.
admin@69.39.112.241's password:
Permission denied, please try again.
admin@69.39.112.241's password:
Permission denied (password).
ptyler@huehuetenango:~> exit
logout
huehuetenango:~ # exit
logout
jp@huehuetenango:~> ssh admin@69.39.112.241
(MikroTik ASCII-art logo banner)
MikroTik RouterOS 5.6 (c) 1999-2011 http://www.mikrotik.com/
Property of Midcoast Internet Solutions 2075948277 or www.midcoast.com
Unauthorized access will be prosecuted.
All Access is logged.
[admin@squirrelap] > quit
interrupted
Connection to 69.39.112.241 closed.
jp@huehuetenango:~> exit
logout
Connection to 10.0.0.7 closed.
jp@travelmug:~> ssh admin@69.39.112.241
admin@69.39.112.241's password:
Permission denied, please try again.
admin@69.39.112.241's password:
Permission denied, please try again.
admin@69.39.112.241's password:
Permission denied (password).
jp@travelmug:~>
It is also worth mentioning, as others have, that using keys should not prevent password access; that's the way the old 4.x and 3.x RouterOS works.
I use keys for automated access (backups, locking and unlocking customers, things you can't do with SNMP, etc.) and password ssh access is used for interactive staff use.
Also, a bug related to this is that it does not log these failed ssh access attempts. This last problem inclines me to think it's not a feature.
Re: v5.5 bug: after ssh-keys password login via ssh is block
Posted: Mon Aug 15, 2011 5:23 pm
by rotten777
Is there a way to disable this feature?
Re: v5.5 bug: after ssh-keys password login via ssh is block
Posted: Mon Aug 15, 2011 5:26 pm
by fewi
Nope.
Re: v5.5 bug: after ssh-keys password login via ssh is block
Posted: Tue Aug 16, 2011 10:11 am
by janisk
The change was made in 5.0rc2, where the changelog message explained: if an ssh-key is set, logins using a password are disabled. The feature is there so that if you feel like having keys for router login, the less secure option is not used. That is a security measure.
We are considering different options for this, but currently it will stay as it is.
Re: v5.5 bug: after ssh-keys password login via ssh is block
Posted: Tue Aug 16, 2011 10:54 am
by MartinT
The change was made in 5.0rc2, where the changelog message explained: if an ssh-key is set, logins using a password are disabled. The feature is there so that if you feel like having keys for router login, the less secure option is not used. That is a security measure.
Thank you for pointing me to the CHANGELOG; I found it in the 5.0beta5 changes (the mentioned 5.0rc2 does not speak about ssh at all). IMHO it should be presented to users as a feature; the best place is the manual. It would be nice to give users control over it => feature request.
Re: v5.5 bug: after ssh-keys password login via ssh is block
Posted: Tue Aug 16, 2011 11:59 am
by mrz
Re: v5.5 bug: after ssh-keys password login via ssh is block
Posted: Tue Aug 16, 2011 3:08 pm
by rotten777
The change was made in 5.0rc2, where the changelog message explained: if an ssh-key is set, logins using a password are disabled. The feature is there so that if you feel like having keys for router login, the less secure option is not used. That is a security measure.
Thank you for pointing me to the CHANGELOG; I found it in the 5.0beta5 changes (the mentioned 5.0rc2 does not speak about ssh at all). IMHO it should be presented to users as a feature; the best place is the manual. It would be nice to give users control over it => feature request.
I second that as a feature request.
Re: v5.5 bug: after ssh-keys password login via ssh is block
Posted: Tue Aug 16, 2011 3:56 pm
by janisk
Yes, we are considering that and assessing the consequences. At the moment you can add several certificates for each account; also, it is possible to add a private key to log in through ssh from one router to another with the key.
IMHO password authentication alone is a bad thing; one should use key authorisation.
Re: v5.5 bug: after ssh-keys password login via ssh is block
Posted: Tue Aug 16, 2011 7:34 pm
by jp
It's kinda foolish to block password ssh login (when keys are used), but still allow telnet and ftp access out-of-the-box if better-than-password security is indeed the goal. Since I can't scp a file, I'll ftp it instead.
It's a worthwhile option, but shouldn't replace the way it's been done.
I use the firewall to block ssh, telnet and ftp from everywhere but my own networks. It's only a couple of lines to set up.
Re: v5.5 bug: after ssh-keys password login via ssh is block
Posted: Tue Aug 16, 2011 11:06 pm
by rotten777
Yes, we are considering that and assessing the consequences. At the moment you can add several certificates for each account; also, it is possible to add a private key to log in through ssh from one router to another with the key.
IMHO password authentication alone is a bad thing; one should use key authorisation.
I agree, but I have over 30 locations with MikroTik routers, and if I happen to somehow be without my laptop or home workstation, I don't have my DSA key handy to ssh in to fix problems. It limits my travel ;)
Re: v5.5 bug: after ssh-keys password login via ssh is blocked
Posted: Wed Dec 28, 2016 9:09 am
by virtman
Hi,
I can't understand why this limitation is included. I agree with having the option to "disable passwords when ssh-keys are set" available, but as an option.
So, please, can you add an option to enable/disable this functionality?
Re: v5.5 bug: after ssh-keys password login via ssh is blocked
Posted: Wed Dec 28, 2016 9:24 am
by teamer
What RouterOS version are you using?
In contemporary ones
/ip ssh set always-allow-password-login=yes
Re: v5.5 bug: after ssh-keys password login via ssh is blocked
Posted: Wed Jan 04, 2017 10:14 am
by virtman
Hi Teamer,
Thanks a lot! This is what I need... and it's referenced at
http://wiki.mikrotik.com/wiki/Manual:IP/SSH
The problem is that it isn't in Winbox, and it's poorly described.
Regards.
Re: v5.5 bug: after ssh-keys password login via ssh is blocked
Posted: Mon Nov 20, 2017 10:04 am
by asmpro
I find this behavior extremely strange. You should have some on/off switch for this "feature", as you call it, or at least comply with the SSH protocol and not offer password authentication in this case.
Here is the output of a debug OpenSSH client session:
debug1: Authentications that can continue: publickey,password
Regards.
Re: v5.5 bug: after ssh-keys password login via ssh is blocked
Posted: Tue Oct 29, 2019 5:54 am
by LaKing
This "feature" does not really make sense.
At least webfig works with the password.
The workaround is to have one ssh user with keys set, and another ssh user with a password and no keys, to be used with ssh.
.. Weird ...
Re: v5.5 bug: after ssh-keys password login via ssh is blocked
Posted: Tue Oct 29, 2019 11:55 am
by Chupaka
https://wiki.mikrotik.com/wiki/Manual:IP/SSH#Settings
always-allow-password-login (yes | no; Default: no)
Whether to allow password login at the same time when public key authorization is configured.
Re: v5.5 bug: after ssh-keys password login via ssh is blocked
Posted: Thu Aug 19, 2021 1:37 pm
by mr.incredible
I wish the guy that thought up this scheme could know how many hours of unnecessary wasted time he has caused to people all over the world.... and could compare it with how much time he saved people... which is probably none.
BTW
Here's a one-liner to add your key to a MikroTik, similar to ssh-copy-id: (from
https://stackoverflow.com/questions/688 ... 9#68846249)
ssh 192.168.88.1 "/file print file=mykey; file set mykey contents=\"`cat ~/.ssh/id_rsa.pub`\";/user ssh-keys import public-key-file=mykey.txt;/ip ssh set always-allow-password-login=yes"
Re: v5.5 bug: after ssh-keys password login via ssh is blocked
Posted: Wed Dec 06, 2023 11:27 pm
by milegrin
An aside, but a related issue with RouterOS and RSA keys. After a routine patch of my Linux machine, I was sent into a frenzy banging my head, with many `ssh -vvvv` runs and copious searches, until I eventually figured out why my SSH keys were no longer working. (This was a year or two ago, but I ran into it again when I deployed a new MikroTik at home.)
You need to explicitly re-enable the deprecated SHA1 RSA cipher "ssh-rsa" for RouterOS connections, either in the global `/etc/ssh/ssh_config` (not sshd_config) or in a user-specific `~/.ssh/config` file. Add the following line to your connection stanza:
PubkeyAcceptedKeyTypes +ssh-rsa
Example extract from my `~/.ssh/config`:
Host mikrotik1 mikrotik2 10.20.30.40
    User admin
    Port 22
    Compression yes
    TCPKeepAlive yes
    NumberOfPasswordPrompts 1
    ServerAliveInterval 60
    StrictHostKeyChecking no
    #Re-enable RSA SHA1 otherwise connection will fail (SHA1 deprecated)
    PubkeyAcceptedKeyTypes +ssh-rsa
    IdentityFile ~/.ssh/id_rsa
Hopefully the RouterOS SSH code will get updated to a current supported base, as almost everyone has removed support for insecure ciphers like SHA1.
I hope this little tidbit saves a few bruised foreheads!
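As an added example (not code from the thread or from MikroTik), the following Python audit parses an ssh_config like the stanza above and reports whether plain `ssh-rsa` has been re-enabled only for the router hosts or globally via `Host *`, which would weaken every connection; the sample config is constructed for the demonstration.

```python
import re

# Constructed sample modelled on the ~/.ssh/config stanza above (not the poster's file).
SAMPLE_CONFIG = """\
Host *
    ServerAliveInterval 60

Host mikrotik1 mikrotik2 10.20.30.40
    User admin
    #Re-enable RSA SHA1 otherwise connection will fail (SHA1 deprecated)
    PubkeyAcceptedKeyTypes +ssh-rsa
    IdentityFile ~/.ssh/id_rsa
"""

# Old and new spelling of the option that controls accepted public-key algorithms.
KEY_TYPE_OPTIONS = ("pubkeyacceptedkeytypes", "pubkeyacceptedalgorithms")


def parse_ssh_config(text):
    """Split an ssh_config into (host_patterns, {option: value}) stanzas."""
    stanzas, patterns, options = [], ["*"], {}  # options before any Host line are global
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            if options:
                stanzas.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options[key] = value
    if options:
        stanzas.append((patterns, options))
    return stanzas


def audit_ssh_rsa(text):
    """Return (global_patterns, scoped_patterns) where exact 'ssh-rsa' is enabled.
    rsa-sha2-256/512 keep the RSA key but sign with SHA-2, so they are not flagged."""
    global_hits, scoped_hits = [], []
    for patterns, options in parse_ssh_config(text):
        for opt in KEY_TYPE_OPTIONS:
            algos = [a.lstrip("+-^") for a in options.get(opt, "").lower().split(",")]
            if "ssh-rsa" in algos:
                (global_hits if "*" in patterns else scoped_hits).extend(patterns)
    return global_hits, scoped_hits
```

Run `audit_ssh_rsa(open("~/.ssh/config").read())` against a real file: an empty first list means the SHA-1 fallback is confined to the named routers.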
Re: v5.5 bug: after ssh-keys password login via ssh is blocked
Posted: Thu Dec 14, 2023 3:18 pm
by Chupaka
Shouldn't you just use something like an ed25519 key instead of ssh-rsa?.. They are supported already. Or even regenerate your key so it becomes ssh-rsa-512 instead of sha1-based (I can be wrong about that)? %)
Re: v5.5 bug: after ssh-keys password login via ssh is blocked
Posted: Wed Jan 10, 2024 9:51 am
by imatmtf
> Shouldn't you just use something like ed25519 key instead of ssh-rsa?
Not available in the long-term branch.
Re: v5.5 bug: after ssh-keys password login via ssh is blocked
Posted: Wed Jan 10, 2024 1:00 pm
by Chupaka
And ssh-rsa-512?
Re: v5.5 bug: after ssh-keys password login via ssh is blocked
Posted: Thu Jan 11, 2024 5:24 am
by imatmtf
The best solution would be to have ed25519 enabled in SSH also in the long-term branch.
Re: v5.5 bug: after ssh-keys password login via ssh is blocked
Posted: Thu Jan 11, 2024 5:43 am
by imatmtf
Oddly enough, rsa sha1 keys still work on the stable branch.
Re: v5.5 bug: after ssh-keys password login via ssh is blocked
Posted: Thu Jan 11, 2024 5:58 am
by imatmtf