Manual:IP/SSH: Difference between revisions

From MikroTik Wiki
 
(10 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{Versions|v5}}
 
__TOC__
__TOC__


Line 7: Line 7:


==Settings==
==Settings==
{| cellpadding="2"
!width="300px" style="background:#cccccc; border-bottom:1px solid gray;"| Property
!width="450px" style="background:#cccccc; border-bottom:1px solid gray;"| Desciption
|-
|style="border-bottom:1px solid gray;" valign="top"|'''forwarding-enabled''' ''(no|yes default:no)''
|style="border-bottom:1px solid gray;" valign="top"|controls ssh port forwarding
|-
|style="border-bottom:1px solid gray;" valign="top"|'''always-allow-password-login''' ''(no|yes default:no)''
|style="border-bottom:1px solid gray;" valign="top"|controls ssh authentication methods, if set to yes, does not remove form allowed methods password_login
|-
|style="border-bottom:1px solid gray;" valign="top"|'''export-host-key'''
|style="border-bottom:1px solid gray;" valign="top"|exports router private RSA and DSA key
|-
|style="border-bottom:1px solid gray;" valign="top"|'''import-host-key'''
|style="border-bottom:1px solid gray;" valign="top"|replace DSA or RSA with key provided for import. Be aware that previously imported ssh keys might stop working after key change.
|-
|style="border-bottom:1px solid gray;" valign="top"|'''regenerate-host-key'''
|style="border-bottom:1px solid gray;" valign="top"|generated new set of private keys (DSA and RSA) on the router and replaces current ones in use. Be aware that previously imported ssh keys might stop working after key change.
|-
|style="border-bottom:1px solid gray;" valign="top"|'''strong-crypto''' ''(no|yes default:no)''
|style="border-bottom:1px solid gray;" valign="top"| Introduces following changes in ssh configuration:
* prefer 256 and 192 bit encryption instead of 128 bits
* disable null encryption
* prefer sha256 for hashing instead of sha1
* disable md5
* use 2048bit prime for Diffie Hellman exchange instead of 1024bit


|}
 
{{Mr-arg-table-h
|prop=Property
|desc=Description
}}
 
{{Mr-arg-table
|arg=allow-none-crypto
|type=yes{{!}}no
|default=no
|desc=Whether to allow connection if cryptographic algorithms are set to none.
}}
 
{{Mr-arg-table
|arg=always-allow-password-login
|type=yes {{!}} no
|default=no
|desc=Whether to allow password login at the same time when public key authorization is configured.
}}
 
{{Mr-arg-table
|arg=forwarding-enabled
|type=both {{!}} local {{!}} no {{!}} remote
|default=no
|desc=Allows to control which SSH forwarding method to allow:
* <var>no</var> - SSH forwarding is disabled;
* <var>local</var> - Allow SSH clients to originate connections from the server(router), this setting controls also dynamic forwarding;
* <var>remote</var> - Allow SSH clients to listen on the server(router) and forward incoming connections;
* <var>both</var> - Allow both local and remote forwarding methods.
}}
 
 
{{Mr-arg-table
|arg=host-key-size
|type=1024 {{!}} 1536 {{!}} 2048 {{!}} 4096 {{!}} 8192
|default=2048
|desc=What RSA key size to use when host key is being regenerated.
}}
 
{{Mr-arg-table-end
|arg=strong-crypto
|type=yes {{!}} no
|default=no
|desc=Use stronger encryption, HMAC algorithms, use bigger DH primes and disallow weaker ones:
* prefer 256 and 192 bit encryption instead of 128 bits;
* disable null encryption;
* prefer sha256 for hashing instead of sha1;
* disable md5;
* use 2048bit prime for Diffie Hellman exchange instead of 1024bit.
}}
 
'''Commands'''
 
{{Mr-arg-table-h
|prop=Property
|desc=Description
}}
 
{{Mr-arg-ro-table
|arg=export-host-key
|type=key-file-prefix
|desc=Export public and private RSA/DSA keys to files. Command takes one parameter:
* '''key-file-prefix''' - used prefix for generated files, for example, prefix 'my' will generate files 'my_rsa', 'my_rsa.pub' etc.
}}
 
{{Mr-arg-ro-table
|arg=import-host-key
|type=private-key-file
|desc=Import and replace private DSA/RSA key from specified file. Command takes one parameter:
* '''private-key-file''' - name of the private RSA/DSA key file
}}
 
{{Mr-arg-ro-table-end
|arg=regenerate-host-key
|type=
|desc=Generated new and replace current set of private keys (DSA, RSA) on the router. Be aware that previously imported keys might stop working.
}}
 
 
 
{{Note | When connecting from RouterOS built in client to router with strong crypto disabled, temporary strong crypto must be disabled on connecting router too. Reason is that strong crypto forces algorithms which are not supported when this feature is disabled. }}


==Example==
==Example==
To use this feature from Linux host using OpenSSH client this command can be used:
 
   ssh reamoteuser@remotehost -L port:remotehost:remoteport
'''Local forwarding'''
 
To use local forwarding from Linux host using OpenSSH client type in following command:
   ssh <remote_user>@<remote_host> -L <local_port>:<remote_host>:<remote_port>


where:
where:
*remoteuser - user of router
*remote_user - username on the router
*remotehost - router address (if host name is used in -L settings, router should be able to resolve this name)
*remote_host - routers address (router should be able to resolve host name if address is not an IP address)
*port - local port that your host will listen on
*local_port - local port that your host will listen on
*remoteport - port on the router
*remote_port - port on the router


If user requires telnet to router, but you do not want to allow it to be plain text, Following can be done:
For example, if user requires telnet to router, but you do not want to allow it to be plain text, Following can be done:


  ssh admin@192.168.88.1 -L 3000:192.168.88.1:23
  ssh admin@192.168.88.1 -L 3000:192.168.88.1:23
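Review bot: the new `regenerate-host-key` description ("Generated new and replace current set of private keys (DSA, RSA) on the router") is ungrammatical; suggest "Generates a new set of private keys (DSA, RSA) on the router and replaces the current ones." The rewritten `always-allow-password-login` entry ("Whether to allow password login at the same time when public key authorization is configured") also loses what the old table stated directly, that with the default `no` the password method is removed from the allowed methods once a public key is configured; keeping that sentence would make the effect of the default explicit, since it is the security-relevant behaviour of this setting. In the Note, "temporary strong crypto must be disabled on connecting router too" reads better as "strong crypto must be temporarily disabled on the connecting router too".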
Line 53: Line 110:


{{Note|we fully support SFTP v3 as described in [http://tools.ietf.org/wg/secsh/draft-ietf-secsh-filexfer/draft-ietf-secsh-filexfer-02.txt draft-ietf-secsh-filexfer-02.txt] other versions can cause problems}}
{{Note|we fully support SFTP v3 as described in [http://tools.ietf.org/wg/secsh/draft-ietf-secsh-filexfer/draft-ietf-secsh-filexfer-02.txt draft-ietf-secsh-filexfer-02.txt] other versions can cause problems}}
'''Remote Forwarding '''
SSH from the client makes a tunnel that opens up a new port on the server (router), and connects it to a local port on the client,
  ssh <remote_user>@<remote_host> -R <remote_port>:localhost:<local_port>
where:
*remote_user - username on the router
*remote_host - routers address (router should be able to resolve host name if address is not an IP address)
*local_port - local port that your host will listen on
*remote_port - linked port on the router
For example, ssh opens port 9000 on the router to forward it to localhosts port 3000:
<pre>
ssh admin@192.168.88.1 -R 9000:localhost:3000
</pre>
'''Dynamic Forwarding '''
Dynamic forwarding turns SSH client into SOCKS proxy. On RouterOS dynamic forwarding can be controlled with the same settings as local forwarding.
Use of dynamic forwarding:
<pre>
ssh -N -D <local_port> -l <user> <remote_address>
</pre>
Where:
* local_port - local port that your host will listen on
* user - username on the router
* remote_address - routers address
For example:
<pre>
ssh admin@192.168.88.1 -N -v -D 9999
</pre>
Now you can use local port 9999 to fetch files:
<pre>
curl -x socks5h://localhost:9999 https://download.mikrotik.com/routeros/winbox/3.18/winbox.exe
</pre>
=See also=
*[[Using SSH for system backup]]
*[[Manual:System/SSH client]]


[[Category:Manual|T]] [[Category:IP|T]] [[Category:Console|S]]
[[Category:Manual|T]] [[Category:IP|T]] [[Category:Console|S]]
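Review bot: in the Remote Forwarding list, "local_port - local port that your host will listen on" is carried over from the local-forwarding list and is misleading for `-R`: there the router listens on remote_port and hands incoming connections to whatever already listens on the client's local_port (port 3000 in the example), so suggest "local_port - port on your host to which the router forwards incoming connections". The dynamic forwarding example `ssh admin@192.168.88.1 -N -v -D 9999` also adds `-v` without explanation; either drop it or say it only enables verbose client output, and it would help to state that `-N` keeps the session from opening a shell, since the earlier local and remote examples omit it.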

Latest revision as of 09:57, 29 April 2019

Summary

This menu controls SSH server behaviour regarding port forwarding and authentication methods.

Settings

Property Description
allow-none-crypto (yes|no; Default: no) Whether to allow a connection if the cryptographic algorithms are set to none.
always-allow-password-login (yes | no; Default: no) Whether to allow password login at the same time as public key authorization is configured.
forwarding-enabled (both | local | no | remote; Default: no) Controls which SSH forwarding method is allowed:
  • no - SSH forwarding is disabled;
  • local - allow SSH clients to originate connections from the server (router); this setting also controls dynamic forwarding;
  • remote - allow SSH clients to listen on the server (router) and forward incoming connections;
  • both - allow both local and remote forwarding methods.
host-key-size (1024 | 1536 | 2048 | 4096 | 8192; Default: 2048) Which RSA key size to use when the host key is regenerated.
strong-crypto (yes | no; Default: no) Use stronger encryption and HMAC algorithms, use bigger DH primes, and disallow weaker ones:
  • prefer 256- and 192-bit encryption instead of 128-bit;
  • disable null encryption;
  • prefer sha256 for hashing instead of sha1;
  • disable md5;
  • use a 2048-bit prime for the Diffie-Hellman exchange instead of 1024-bit.

Commands

Property Description
export-host-key (key-file-prefix) Export the public and private RSA/DSA keys to files. The command takes one parameter:
  • key-file-prefix - prefix used for the generated files; for example, the prefix 'my' will generate the files 'my_rsa', 'my_rsa.pub' etc.
import-host-key (private-key-file) Import a private DSA/RSA key from the specified file and replace the current one. The command takes one parameter:
  • private-key-file - name of the private RSA/DSA key file
regenerate-host-key () Generates a new set of private keys (DSA, RSA) on the router and replaces the current ones. Be aware that previously imported keys might stop working.


Note: When connecting from the RouterOS built-in client to a router with strong crypto disabled, strong crypto must be temporarily disabled on the connecting router too. The reason is that strong crypto forces algorithms which are not supported when this feature is disabled.


Example

Local forwarding

To use local forwarding from a Linux host with the OpenSSH client, type the following command:

 ssh <remote_user>@<remote_host> -L <local_port>:<remote_host>:<remote_port>

where:

  • remote_user - username on the router
  • remote_host - router's address (the router should be able to resolve the host name if the address is not an IP address)
  • local_port - local port that your host will listen on
  • remote_port - port on the router

For example, if a user requires telnet to the router but you do not want to allow it in plain text, the following can be done:

ssh admin@192.168.88.1 -L 3000:192.168.88.1:23

Now, when the user runs "telnet localhost 3000", it will log in to the router using telnet over an encrypted TCP connection.

Note: We fully support SFTP v3 as described in draft-ietf-secsh-filexfer-02.txt; other versions can cause problems.



Remote Forwarding

SSH from the client creates a tunnel that opens a new port on the server (router) and connects it to a local port on the client:

  ssh <remote_user>@<remote_host> -R <remote_port>:localhost:<local_port>

where:

  • remote_user - username on the router
  • remote_host - router's address (the router should be able to resolve the host name if the address is not an IP address)
  • local_port - local port that your host will listen on
  • remote_port - linked port on the router

For example, ssh opens port 9000 on the router and forwards it to localhost's port 3000:

 ssh admin@192.168.88.1 -R 9000:localhost:3000

Dynamic Forwarding

Dynamic forwarding turns the SSH client into a SOCKS proxy. On RouterOS, dynamic forwarding is controlled by the same settings as local forwarding. Use of dynamic forwarding:

ssh -N -D <local_port> -l <user> <remote_address>

Where:

  • local_port - local port that your host will listen on
  • user - username on the router
  • remote_address - router's address

For example:

ssh admin@192.168.88.1 -N -v -D 9999

Now you can use local port 9999 to fetch files:

curl -x socks5h://localhost:9999 https://download.mikrotik.com/routeros/winbox/3.18/winbox.exe
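The Settings section above lists the server-side knobs, and the three forwarding sections show which client flag (-L, -R, -D) each `forwarding-enabled` value governs. The following POSIX shell script, an added example that is not MikroTik's code or part of this wiki page, ties the two together from a defender's side: it reads the `key: value` lines that `/ip ssh print` displays, audits them against the hardened values the page describes (strong-crypto=yes, allow-none-crypto=no, always-allow-password-login=no, forwarding-enabled=no, host-key-size of at least 2048), and answers whether a given client forwarding mode would be permitted by that router, treating dynamic forwarding as governed by the `local` setting as the page states. The two settings samples are constructed, not captured from a real device, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not MikroTik's code): audit '/ip ssh' settings from the text
# of '/ip ssh print' and check which client forwarding modes the policy permits.
# Both samples below are constructed; the "key: value" layout mirrors the print output.

SAMPLE_LAX='   forwarding-enabled: local
  always-allow-password-login: yes
  strong-crypto: no
  allow-none-crypto: no
  host-key-size: 1024'

SAMPLE_HARDENED='   forwarding-enabled: no
  always-allow-password-login: no
  strong-crypto: yes
  allow-none-crypto: no
  host-key-size: 2048'

# get_setting KEY [TEXT]: print the value of KEY from the print output
# (TEXT defaults to SAMPLE_LAX); prints nothing if the key is absent.
get_setting() {
    printf '%s\n' "${2:-$SAMPLE_LAX}" |
        sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# forwarding_allowed MODE [TEXT]: MODE is local, remote or dynamic.
# Succeeds (exit 0) when the router's forwarding-enabled value permits it.
# Dynamic forwarding (-D) is governed by the 'local' setting, as the page states.
forwarding_allowed() {
    fe=$(get_setting forwarding-enabled "${2:-$SAMPLE_LAX}")
    case "$1" in
        local|dynamic) [ "$fe" = local ] || [ "$fe" = both ] ;;
        remote)        [ "$fe" = remote ] || [ "$fe" = both ] ;;
        *)             return 2 ;;
    esac
}

# audit_ssh_settings [TEXT]: print one finding per line for every setting
# that departs from the hardened baseline; prints nothing when all pass.
audit_ssh_settings() {
    text=${1:-$SAMPLE_LAX}
    [ "$(get_setting strong-crypto "$text")" = yes ] ||
        echo "strong-crypto=no: sha1/md5 HMACs, 128-bit ciphers and the 1024-bit DH prime stay enabled"
    [ "$(get_setting allow-none-crypto "$text")" = no ] ||
        echo "allow-none-crypto=yes: a session may be negotiated with no encryption at all"
    [ "$(get_setting always-allow-password-login "$text")" = no ] ||
        echo "always-allow-password-login=yes: password login stays enabled where a public key is configured"
    fe=$(get_setting forwarding-enabled "$text")
    [ "$fe" = no ] ||
        echo "forwarding-enabled=$fe: clients can tunnel connections through the router; disable unless required"
    ks=$(get_setting host-key-size "$text")
    [ "${ks:-0}" -ge 2048 ] ||
        echo "host-key-size=${ks:-unset}: below the 2048-bit default; regenerate the host key"
}

# finding_count [TEXT]: number of findings as a plain integer on stdout.
finding_count() {
    audit_ssh_settings "$1" | awk 'END { print NR }'
}

# Stand-alone run: audit the lax sample and show which client modes it permits.
audit_ssh_settings
for mode in local remote dynamic; do
    if forwarding_allowed "$mode"; then
        echo "$mode forwarding: permitted by router policy"
    else
        echo "$mode forwarding: blocked by router policy"
    fi
done
```

To use it against a real device, paste the output of `/ip ssh print` into a variable and pass it as the second argument of `forwarding_allowed` or the first of `audit_ssh_settings`; the parser only relies on one `key: value` pair per line, so leading whitespace from the console does not matter.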

See also