Use SSH to execute commands (public/private key login)
Latest revision as of 16:36, 11 March 2024
Configuration
The following example uses an RSA key pair. It lets you log in to RouterOS and run scripts from a remote machine with public/private key authentication instead of a password.
Host to RouterOS
Note: the commands below were run on FreeBSD; they are the same on any other platform with an OpenSSH client.
1) Create a key using ssh-keygen
%ssh-keygen -t rsa
This creates an RSA key pair that RouterOS can import.
Generating public/private RSA key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
f0:d0:xx:ee:07:xx:bb:a8:xx:9e:e1:fe:77:48:xx:xx user@vp6.example.com
Note: Leave the passphrase blank if the key will be used from automated scripts; otherwise every run prompts for it. An unencrypted private key is then all that stands between an attacker and the router, so keep it readable only by the account that runs the scripts (mode 0600 on the key, 0700 on ~/.ssh) and give the RouterOS user it maps to only the policies those scripts need.
Warning: OpenSSH 7.8 and later write private keys in OpenSSH's own format by default, and RouterOS cannot import a private key in that format. Add -m PEM (ssh-keygen -t rsa -m PEM) to write it in PEM format. This only matters for the private key, which is needed in the RouterOS-to-RouterOS case below; the .pub file is the same either way.
2) Upload the generated public key (id_rsa.pub) to the target device:
Example: upload the key via FTP
%ftp 10.20.1.1
Connected to 10.20.1.1.
220 mikrotik FTP server (MikroTik 2.9.16) ready
Name (10.20.1.1:user): admin
331 Password required for admin
Password:
ftp> put id_rsa.pub
226 ASCII transfer complete
ftp> exit
FTP sends the admin password in the clear. Copy the file with scp or sftp over the router's SSH service instead (or drag it in with Winbox), and disable the FTP service with /ip service disable ftp if nothing else needs it.
3) Now from either Winbox or terminal mode you need to import the key. An example using terminal mode is given.
[admin@mikrotik]> user ssh-keys import public-key-file=id_rsa.pub
user: admin-ssh
The user field determines which RouterOS account a login with this key lands in. Never bind the key to the built-in admin account; create a dedicated user in a group that carries only the policies the remote commands need (see step 4 below).
Now that you've created a key pair and imported the public key into RouterOS you can start running commands from your remote machine.
Warning: OpenSSH 8.8 and later refuse RSA signatures made with SHA-1 (the ssh-rsa algorithm) by default, and that is the only RSA variant RouterOS v6 supports. To authenticate from such a host to a RouterOS v6 router with a key, add -o 'PubkeyAcceptedAlgorithms +ssh-rsa' (older clients spell the option PubkeyAcceptedKeyTypes); if the router's host key is rejected as well, -o 'HostKeyAlgorithms +ssh-rsa' is also needed. Better, upgrade the router to RouterOS v7, which needs no override. Keep any override in a Host stanza of ~/.ssh/config for that router only rather than weakening every connection.
Note: If you wish to be able to run ssh / ssh-exec commands from one RouterOS device to another, follow the additional steps below
RouterOS to RouterOS
4) Create a new group with policies:
/user group add name=remote policy=ssh,read,write
The policies bound what a session authenticated with the key may do. Grant write only if the remote commands really change configuration; for monitoring or backup jobs ssh,read is enough and limits the damage a stolen key can do.
5) Create a new user and assign the previously created group:
/user add name=remote group=remote password=Sup3rStr0ngPassw0rd
6) Upload the private and public key files (generated with -m PEM, see the warning above) to the device from which you want to run ssh commands with RSA authentication.
7) Import both keys for the user:
/user ssh-keys private import user=remote private-key-file=mykey public-key-file=mykey.pub passphrase=""
That user can now authenticate from this device, for example with /system ssh-exec, to any other device that has the matching public key imported for one of its users.
Note: Once a key has been imported for a user, /ip ssh set always-allow-password-login=no makes that user's password unusable over SSH, so a leaked password alone is no longer enough to log in; users without an imported key still authenticate with their password.
Save a host key
Since v6.45.1 (stable) RouterOS keeps the SSH host key across a configuration reset when users are kept:
/system reset-configuration keep-users=yes
This matters for automation: the host key is what the client's known_hosts entry pins the router to. If it changed on every reset, every scripted connection would fail with a host-key-changed warning, and the temptation would be to disable host key checking, which is exactly what lets a man-in-the-middle impersonate the router.
Escaping shell special characters
When you run a single command through ssh, the whole RouterOS command has to reach ssh as one argument, so you wrap it in quotes. Inside double quotes the local shell still interprets ", $ and \, so each of those must be escaped with a backslash:
%ssh -l admin-ssh -i /home/user/.ssh/id_rsa 10.20.1.1 ":put \"hello\""
The dollar sign needs the same treatment because bash, sh and similar shells would expand $i as a shell variable (usually to an empty string) before ssh ever sees it:
%ssh -l admin-ssh -i /home/user/.ssh/id_rsa 10.20.1.1 ":for i from=1 to=10 do={:put \$i}"
Every other character the local shell treats specially (backticks, backslashes and so on) has to be escaped the same way. Single quotes avoid nearly all of this: the shell passes a single-quoted string through verbatim, so ':for i from=1 to=10 do={:put $i}' works unchanged, and only a literal single quote inside the command then needs care. The escaping is purely for the local shell; what arrives at the router is interpreted by the RouterOS console.
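The quoting rules above folded into a small wrapper, as an added example that is not part of the original page or of MikroTik's own tooling. It assumes the admin-ssh user, the /home/user/.ssh/id_rsa key and the router 10.20.1.1 from the steps above (all overridable through environment variables); ros_exec, ros_conn_count, ROS_RUN and the SSH_BIN hook are names chosen here for illustration. It also shows the ssh options automation should set so that it pins the host key and fails instead of prompting, and it validates the count-only output from the Examples section before trusting it.

```shell
#!/bin/sh
# Added example (not from the original wiki page): run one RouterOS command
# over SSH with key authentication. Assumes the admin-ssh user, id_rsa key and
# router 10.20.1.1 set up above; ROS_HOST/ROS_USER/ROS_KEY override them.
# SSH_BIN is a hook so the functions can be exercised without a router; it
# defaults to the real ssh client.
ROS_HOST="${ROS_HOST:-10.20.1.1}"
ROS_USER="${ROS_USER:-admin-ssh}"
ROS_KEY="${ROS_KEY:-$HOME/.ssh/id_rsa}"
SSH_BIN="${SSH_BIN:-ssh}"

# ros_exec 'ROUTEROS COMMAND'
# The command is passed as ONE argument, so the local shell never re-parses it.
# Callers wrap it in single quotes: $, " and {} then reach the router untouched
# and none of the backslash escaping needed with double quotes applies.
# BatchMode makes ssh fail instead of prompting (no passphrase or host-key
# question can hang a cron job), StrictHostKeyChecking=yes refuses a router
# whose host key is not already in known_hosts, and IdentitiesOnly stops ssh
# from offering every key in the agent before the intended one.
ros_exec() {
    "$SSH_BIN" \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o IdentitiesOnly=yes \
        -o ConnectTimeout=10 \
        -i "$ROS_KEY" -l "$ROS_USER" "$ROS_HOST" "$1"
}

# ros_conn_count: the connection-tracking count from the Examples section,
# validated before use. A script that feeds ssh output into arithmetic or
# alerting should check it really is a number and not an error message.
ros_conn_count() {
    n=$(ros_exec '/ip firewall connection print count-only') || return 1
    case "$n" in
        ''|*[!0-9]*) printf 'ros_conn_count: unexpected output: %s\n' "$n" >&2; return 1 ;;
    esac
    printf '%s\n' "$n"
}

# Run the two quoting examples from the section above when ROS_RUN=1 is set;
# without it the file only defines the functions, so it can be sourced.
if [ "${ROS_RUN:-0}" = 1 ]; then
    ros_exec ':put "hello"'
    ros_exec ':for i from=1 to=10 do={:put $i}'
    ros_conn_count
fi
```

Run it as ROS_RUN=1 sh ros_exec.sh once the key is imported. To check the quoting without a router, point SSH_BIN at a shell function or script that prints its last argument: what it prints must match the RouterOS command exactly as you would type it at the router prompt.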
Examples
%ssh -l admin-ssh -i /home/user/.ssh/id_rsa 10.20.1.1 "/system gps monitor"
date-and-time: mar/18/2006 08:30:39
longitude: "W 117 00' 00''"
latitude: "N 33 0' 00''"
altitude: "200.199997m"
speed: "0.185200 km/h"
valid: yes

%ssh -l admin-ssh -i /home/user/.ssh/id_rsa 10.20.1.1 "/routing bgp peer print status"
Flags: X - disabled
0 remote-address=xxx.xxx.129.196 remote-as=65333 multihop=yes
  in-filter=cymru-in out-filter=cymru-out route-reflect=no hold-time=3m
  ttl=60 tcp-md5-key="" remote-id=xxx.xxx.129.196 remote-hold-time=3h
  used-hold-time=3m used-keepalive-time=1m state=established
  uptime=1w1d10h54m55s prefix-count=68 refresh-capability=yes

%ssh -l admin-ssh -i /home/user/.ssh/id_rsa 10.20.1.1 "/ip firewall connection print count-only"
66566
DSA deprecated
Since OpenSSH 7.0 the DSA (ssh-dss) public key algorithm is considered weak and is deprecated (http://www.openssh.com/legacy.html); the client will not offer it unless you enable it explicitly by putting PubkeyAcceptedKeyTypes +ssh-dss (PubkeyAcceptedAlgorithms +ssh-dss in OpenSSH 8.5 and later) into ~/.ssh/config. OpenSSH 10.0 removed DSA support entirely, so no client setting brings it back there.
To connect to older RouterOS versions you may also need the additional ssh parameters -o KexAlgorithms=diffie-hellman-group14-sha1 -o HostKeyAlgorithms=+ssh-dss. These re-enable algorithms that were disabled for a reason, so put them in a Host stanza of ~/.ssh/config for that router only rather than applying them to every connection.
Otherwise, use RSA.
See also
* API PHP class
* Using SSH for system backup
* Manual:System/SSH client
* Manual:IP/SSH