Freman
Frequent Visitor
Topic Author
Posts: 76
Joined: Thu Jul 01, 2004 8:49 am

dsa keyed SSH

Thu Mar 16, 2006 2:04 am

G'day folks

First of all, I'd like to say thank you! for putting in this feature...

Now, just a little suggestion (not a nag or anything)

But wouldn't it rock (translation: be great) if you could retrieve the pub key from a RADIUS server? Then I wouldn't have to go manually configure my DSA key on 50 routers (c:

Just a thought.

Cheers

Shannon
 
mag
Member
Posts: 376
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Re: dsa keyed SSH

Sat Mar 18, 2006 12:07 pm

How to use SSH DSA keys? I can't find any documentation.
Under "/user ssh-keys" there is nothing, and there is no .ssh/ in file. So how is it meant to be used?
 
eflanery
Member
Posts: 376
Joined: Fri May 28, 2004 10:11 pm
Location: Moscow, ID

Sat Mar 18, 2006 7:49 pm

Generate a pair of DSA keys elsewhere (I am using OpenSSH's ssh-keygen), then copy the public key file to your MT(s). Import the public key file, and tie it to a username (part of the import command).

From that point on, when you SSH/SCP/SFTP to the router using that username, you can use DSA authentication with the private key you generated, rather than needing to use password authentication.

--Eric
 
eflanery
Member
Posts: 376
Joined: Fri May 28, 2004 10:11 pm
Location: Moscow, ID

Sat Mar 18, 2006 7:52 pm

Oh, and as for the OP's point, getting the public key from RADIUS would be great, and I wouldn't think it would be all that hard to add.

How about it MT guys?

--Eric
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Sat Mar 18, 2006 7:54 pm

Spent a few mins and put up a wiki on the DSA stuff.

http://wiki.mikrotik.com/wiki/Use_SSH_t ... y_login%29
 
mag
Member
Posts: 376
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Sat Mar 18, 2006 8:08 pm

This is really good. Thanks to changeip!

Just a comment: with Mac OS X 10.4 it becomes even simpler, because the -i parameter defaults to the right file. I prefer the '@' ssh notation; one can e.g. just type:

ssh admin@192.168.1.1 "/interface print"

and gets

Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R ether1 ether 0 0 1500
1 R ether2 ether 0 0 1500
2 R wlan1 wlan 0 0 1500
3 R lan bridge 0 0 1500

cool! :)
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Mon Mar 20, 2006 2:34 pm

OK, tried that feature back some weeks ago when I first stumbled upon it. It just won't import my PuTTYgen-generated DSA keys. Anybody succeeded with that?

Example key:
---- BEGIN SSH2 PUBLIC KEY ----
...
---- END SSH2 PUBLIC KEY ----
Best regards,
Christian Meis
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Mon Mar 20, 2006 6:44 pm

Did you try exporting it as an OpenSSH key using their menus? I will try in a few and see if I can make those work too.

Thx,
Sam
 
ldvaden
Member Candidate
Posts: 201
Joined: Sun Oct 30, 2005 8:27 pm
Location: North Texas

Mon Sep 25, 2006 3:04 am

Did you try exporting it as an OpenSSH key using their menus? I will try in a few and see if I can make those work too.

Thx,
Sam
Thanks for the article at <http://wiki.mikrotik.com/wiki/Use_SSH_t ... key_login)>.

However, I've stumbled across these (my) cockpit errors:

1) 'ssh-keygen -t dsa' on FC5 doesn't produce an importable key for RouterOS 2.9.30.
2) if you 'man ssh-keygen' on FC5, it says DSA keys must be 1024 bits in length, but setting -b 1024 doesn't produce a key ROS 2.9.30 will import.
3) 'ssh-keygen -t dsa" on FreeBSD 4.8-RELEASE-p23 also doesn't produce an importable key.

What is the command line and OS that generates a key acceptable to ROS 2.9.30?

Thanks in advance for your response(s).

rgds/ldv
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Mon Sep 25, 2006 5:11 am

What filenames do you end up with on your generated keys? A .dsa and a .pub? Which are you importing to MT?

Sam
 
ldvaden
Member Candidate
Posts: 201
Joined: Sun Oct 30, 2005 8:27 pm
Location: North Texas

Mon Sep 25, 2006 5:27 am

What filenames do you end up with on your generated keys? A .dsa and a .pub? Which are you importing to MT?
ftp> put id_dsa_mikrotik.pub

Below the sig is the transcript.

This is FC5.

Embarrass me!

rgds/ldv

[vaden@skopje .ssh2]$ ssh-keygen -t dsa -b 1024
Generating 1024-bit dsa key pair
27 o.oOo..oOo.o
Key generated.
1024-bit dsa, vaden@skopje.texoma.net, Sun Sep 24 2006 21:24:11 -0500
Passphrase :
Again :
Key is stored with NULL passphrase.
(You can ignore the following warning if you are generating hostkeys.)
This is not recommended.
Don't do this unless you know what you're doing.
If file system protections fail (someone can access the keyfile),
or if the super-user is malicious, your key can be used without
the deciphering effort.
Private key saved to /home/vaden/.ssh2/id_dsa_1024_a
Public key saved to /home/vaden/.ssh2/id_dsa_1024_a.pub
[vaden@skopje .ssh2]$ ls -al
total 64
drwx------ 3 vaden vaden 4096 Sep 24 21:24 .
drwx------ 34 vaden vaden 4096 Sep 24 18:45 ..
drwx------ 2 vaden vaden 4096 Aug 11 20:23 hostkeys
-rw------- 1 vaden vaden 880 Sep 24 21:24 id_dsa_1024_a
-rw-r--r-- 1 vaden vaden 749 Sep 24 21:24 id_dsa_1024_a.pub
-rw------- 1 vaden vaden 1550 Aug 9 05:44 id_rsa_2048_a
-rw-r--r-- 1 vaden vaden 538 Aug 9 05:44 id_rsa_2048_a.pub
-rw------- 1 vaden vaden 512 Sep 24 21:24 random_seed
[vaden@skopje .ssh2]$ ftp mosel.texoma.net
Connected to mosel.texoma.net.
220 mosel FTP server (MikroTik 2.9.30) ready
500 'AUTH': command not understood
500 'AUTH': command not understood
KERBEROS_V4 rejected as an authentication type
Name (mosel.texoma.net:vaden): vaden
331 Password required for vaden
Password:
230 User vaden logged in
Remote system type is UNIX.
ftp> put id_dsa_1024_a.pub
local: id_dsa_1024_a.pub remote: id_dsa_1024_a.pub
227 Entering Passive Mode (209,151,96,139,128,51).
150 Opening ASCII mode data connection for '/id_dsa_1024_a.pub'
226 ASCII transfer complete
763 bytes sent in 9.3e-05 seconds (8e+03 Kbytes/s)
ftp> quit
221 Closing
[vaden@skopje .ssh2]$
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Mon Sep 25, 2006 5:52 am

Do you get an error when trying to import, or is it just not showing in the import list?

Sam
 
ldvaden
Member Candidate
Posts: 201
Joined: Sun Oct 30, 2005 8:27 pm
Location: North Texas

Mon Sep 25, 2006 7:37 am

Do you get an error when trying to import, or is it just not showing in the import list?

Sam
Sam,

"Couldn't perform action -- import failed (only DSA public keys supported)(6)"

rgds/ldv
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Mon Sep 25, 2006 8:48 am

Weird ... I just ran through it again and here is the output of the working one (2.9.30):
%ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/snorris/.ssh/id_dsa): 
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/snorris/.ssh/id_dsa.
Your public key has been saved in /home/snorris/.ssh/id_dsa.pub.
The key fingerprint is:
a1:43:7c:91:eb:26:11:1a:8b:85:a6:57:a6:xx:xx:xx snorris@vpxx6.changeip.com

%cat id_dsa.pub
ssh-dss AAAAB3NzaC1kc3MAAACBAIQ85I9Fzy9Gxz6Xls3WwUfHEiNoV4F76bwozxYXa9GljYZloh78
HlHDcS7MFA0hnHBEe9xhrt98eEmRS/JDY32i9MXDb/oDg9a+okjX4NL3wkCwunV6/q361qbuVQSK7+E+
mmLZoAExlPwoWxao4h3dw2QEql+fL1KhUNOkt6NNAAAAFQC7NYPP1apr0y8Eo3eDN1ZzKHyATQAAAIBN
V0lYkDav/EG5zY5KEqJA2RH8gnyacDOXocj5oqV/1JDjyjHZHc6c+zNPJZvTn8xF9E2PrVkFEhRZIfWZ
7JvXf68yM/NTEYfMkPil2WMucw45s9vKJUIqMpj7ZRw0oOGdzhHKsa1s31Z4CR08ENLILENJ/uih9l+5
mw/nZQl2eAAAAIAhJg68yR6gyuTrvbDV7XXyGbgpSTHm4DVbCW1V+c4KJRKrKjfFWKUZAeHkdftLoTfR
vIbdmPRLfLJrXNmvf6uytBa5iF6402Prnq0EqbkcdotUxJMY413aSI13B2ZhKdik2H/XjVG8askkh5Hm
dzEYzB12O7qLZ0Ja3NORiurbQA== snorris@vpxxx6.changeip.com

%ftp xx.xx.x.1
Connected to xx.xx.x.1.
220 cip FTP server (MikroTik 2.9.30) ready
Name (xx.xx.x.1:xxxxx): xxxx
331 Password required for xxxx
Password:
230 User xxxx logged in
Remote system type is UNIX.
ftp> binary
200 Type set to I
ftp> put id_dsa.pub
local: id_dsa.pub remote: id_dsa.pub
227 Entering Passive Mode (xx,xx,x,1,128,24).
150 Opening BINARY mode data connection for '/id_dsa.pub'
100% |**************************************************|   614       00:00 ETA
226 BINARY transfer complete
614 bytes sent in 0.00 seconds (488.68 KB/s)
ftp> quit
221 Closing

%ssh xxxx@xx.xx.x.1
xxxx@xx.xx.x.1's password:

  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 2.9.30 (c) 1999-2006       http://www.mikrotik.com/

Hello, and welcome to MikroHome!
Terminal xterm detected, using multiline input mode
[xxxx@cip-office] > /user
[xxxx@cip-office] user> ssh-keys import file=id_dsa.pub
user: xxxx-ssh
[xxxx@cip-office] user>
This worked fine. Does your pub key look similar in format? If so, take a supout and send the pub key in a support ticket.
Sam
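Added example, not from this thread or from MikroTik: a small Python script that tells the RFC 4716 "---- BEGIN SSH2 PUBLIC KEY ----" wrapper (the format PuTTYgen and the ~/.ssh2 ssh-keygen write, as in cmit's and ldvaden's posts) apart from the one-line OpenSSH format that imported fine in Sam's transcript, checks that the decoded blob really starts with ssh-dss (the condition behind the "only DSA public keys supported" error), and rewrites a wrapped key as a single OpenSSH line. The sample blob is built from placeholder integers and is not a real key; with OpenSSH installed, `ssh-keygen -i -f key.pub` does the same conversion.

```python
import base64, re, struct, textwrap

def _ssh_string(b: bytes) -> bytes:
    """RFC 4253 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def build_blob(ktype: str, *numbers: int) -> bytes:
    """Algorithm name string, then each integer as an mpint (sample input only, not a real key)."""
    blob = _ssh_string(ktype.encode("ascii"))
    for n in numbers:  # the extra leading byte keeps every mpint positive
        blob += _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))
    return blob

def wrap_rfc4716(blob: bytes, comment: str) -> str:
    """Render a blob the way PuTTYgen and the ~/.ssh2 ssh-keygen write .pub files."""
    b64 = textwrap.wrap(base64.b64encode(blob).decode("ascii"), 70)
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", f'Comment: "{comment}"',
                      *b64, "---- END SSH2 PUBLIC KEY ----"])

def key_type(blob: bytes) -> str:
    """The algorithm name is the first string of the blob, e.g. 'ssh-dss'."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def to_openssh_line(text: str) -> str:
    """Accept an OpenSSH one-liner or RFC 4716 wrapped text and return the OpenSSH
    line; raise ValueError for a non-DSA key, like the RouterOS 2.9 import does."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    comment = ""
    if lines[0] == "---- BEGIN SSH2 PUBLIC KEY ----":
        body, cont = [], False
        for ln in lines[1:]:
            if ln == "---- END SSH2 PUBLIC KEY ----":
                break
            if cont or ":" in ln:         # header line: base64 never contains ':'
                cont = ln.endswith("\\")  # a trailing backslash continues the header
                m = re.match(r'Comment:\s*"?(.*?)"?$', ln)
                comment = m.group(1) if m else comment
                continue
            body.append(ln)
        b64 = "".join(body)
    else:                                 # "ssh-dss AAAA... comment"
        parts = lines[0].split(None, 2)
        b64, comment = parts[1], (parts[2] if len(parts) > 2 else "")
    blob = base64.b64decode(b64, validate=True)
    ktype = key_type(blob)
    if ktype != "ssh-dss":
        raise ValueError(f"import failed (only DSA public keys supported): {ktype}")
    return f"ssh-dss {base64.b64encode(blob).decode('ascii')} {comment}".rstrip()
```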
 
Beccara
Long time Member
Posts: 606
Joined: Fri Apr 08, 2005 3:13 am

Mon Sep 25, 2006 9:14 am

Pro Tip: Don't paste full SSH keys in here.
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Mon Sep 25, 2006 9:26 am

That was a dummy key generated for this example. It is also the public key, which can be public right? The private key (id_dsa) resides on the client initiating the conversation and should always be kept private.

Sam
 
ldvaden
Member Candidate
Posts: 201
Joined: Sun Oct 30, 2005 8:27 pm
Location: North Texas

Tue Sep 26, 2006 6:07 am

Weird ... I just ran through it again and here is the output of the working one (2.9.30):

<snip>..</snip>

This worked fine. Does your pub key look similar in format? If so, take a supout and send the pub key in a support ticket.
Sam
<ACHTUNG---DISCLAIMER---YMMV>
If I believed in the support fairy, I probably would :)

However, 'ssh-keygen -t dsa' and import with ROS 2.9.30 didn't work using the aforementioned releases of FreeBSD and Fedora, but a key generated just as you suggest using Centos 4.3 will import using WinBox.

Therefore, perhaps ROS 2.9.30 doesn't seem to support keys generated by FC5 (openssh.i386 4.3p2-4 installed).

There may be a switch setting or something else I missed.

FC5 also wants the permissions on the keys set to 600 whereas Centos 4.3 will run with the keys as generated with permission of 640 on id_dsa.pub.

YMMV. Mine wasn't very high :)
</ACHTUNG---DISCLAIMER---YMMV>

THANKS for a great wiki article and for contributing to the MikroTik community.

rgds/ldv

what did work:

[vaden@catch22 .ssh]$ cat /etc/redhat-release
CentOS release 4.3 (Final)
[vaden@catch22 .ssh]$ sudo yum whatprovides ssh-keygen

openssh.x86_64 3.9p1-8.RHEL4.12 installed
 
Eugene
Forum Veteran
Posts: 986
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Tue Sep 26, 2006 12:04 pm

Works on debian/unstable and ubuntu dapper.
 
ldvaden
Member Candidate
Posts: 201
Joined: Sun Oct 30, 2005 8:27 pm
Location: North Texas

Tue Sep 26, 2006 3:49 pm

Works on debian/unstable and ubuntu dapper.
What versions of openssh are on those systems?

thnx/rgds/ldv
 
Eugene
Forum Veteran
Posts: 986
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Tue Sep 26, 2006 4:23 pm

OpenSSH_4.2p1 Debian-7ubuntu3
 
ldvaden
Member Candidate
Posts: 201
Joined: Sun Oct 30, 2005 8:27 pm
Location: North Texas

Tue Sep 26, 2006 5:39 pm

OpenSSH_4.2p1 Debian-7ubuntu3
Thanks for that report.

Does anyone know how to set the cockpit controls to cause openssh.i386 4.3p2 (FC5) to generate a key MikroTik will import?

thnx/rgds/ldv
