Manual:System/SSH client
Latest revision as of 09:48, 18 June 2020
Overview
RouterOS provides an SSH client that supports SSHv2 logins to SSH servers reachable from the router.
Requirements
For this command to be available, the router has to have the system and security packages installed.
SSH
Sub-menu: /system ssh
Simple log-in to remote host
The client connects to a remote host and starts an interactive SSH session. The address can be either IPv4 or IPv6.
/system ssh 192.168.88.1
/system ssh 2001:db8:add:1337::beef
In this case the user name sent to the remote host is that of the user currently logged into the router. To log in under a different name, add user=<username>.
/system ssh 192.168.88.1 user=lala
/system ssh 2001:db8:add:1337::beef user=lala
Log-in from certain IP address of the router
For testing or security reasons (for example, when the remote host only accepts logins from a specific address) it may be necessary to log in from a particular source address of the router. Use the src-address=<ip address> argument for this. The address can again be IPv4 or IPv6.
/system ssh 192.168.88.1 src-address=192.168.89.2
/system ssh 2001:db8:add:1337::beef src-address=2001:db8:bad:1000::2
The SSH client binds to the specified address and then initiates the connection to the remote host. The address must be one configured on the router.
Log-in using public/private key
For this to work the user has to install a public key on the remote end that the SSH client will connect to. How to do that on RouterOS is described in the wiki article on using SSH to execute commands with public/private key login (linked below under SSH-exec). On the local router the private key has to be uploaded and imported under /user ssh-keys private, together with the name of the local user that will be allowed to use it.
Example of importing private key for user lala
/user ssh-keys private import user=lala private-key-file=id_rsa
Warning: Only a user with full rights on the router can change the 'user' attribute under /user ssh-keys private.
Executing remote commands
To execute a remote command, supply it at the end of the log-in line, either as a bare quoted string or with command=:
/system ssh 192.168.88.1 "/ip address print"
/system ssh 192.168.88.1 command="/ip address print"
/system ssh 2001:db8:add:1337::beef "/ip address print"
/system ssh 2001:db8:add:1337::beef command="/ip address print"
Warning: If the server does not allocate a pseudo-tty for commands passed on the log-in line (the equivalent of ssh -T or ssh host command), as the MikroTik SSH server does not, multiline commands cannot be sent over SSH.
For example, sending the command "/ip address \n add address=1.1.1.1/24" to a MikroTik router will fail. A single line carrying the full command path, such as "/ip address add address=1.1.1.1/24", works.
Note: To execute remote commands from scripts or the scheduler, use the ssh-exec command instead.
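The following is an added example, not taken from the MikroTik wiki, that ties the key-based login and remote-command sections together end to end: it prepares a locked-down user on the remote router, binds the private key to a local user, and runs a one-line remote command from a fixed source address. The user names "automation" and "lala", the group name "ssh-ro", the addresses 192.168.88.1 and 192.168.89.2, and the key file names id_rsa / id_rsa.pub are assumptions; the key files are assumed to be already uploaded to each router's file list.

```routeros
# Added example (not MikroTik's own documentation). Router A (192.168.89.2) logs
# in to router B (192.168.88.1) with a key and runs a single-line command.
# Assumed names: user "automation" and group "ssh-ro" on B, user "lala" on A,
# key files id_rsa (on A) and id_rsa.pub (on B) already in the file list.

# --- On router B (SSH server side) ---
# A dedicated group with only the policies the remote commands need:
# "ssh" permits the login, "read" covers print, "test" covers monitor commands.
/user group add name=ssh-ro policy=ssh,read,test
# No password is set, so the key is the only way in. address= restricts the
# login to router A's source address, which must match src-address= below.
/user add name=automation group=ssh-ro address=192.168.89.2/32
/user ssh-keys import user=automation public-key-file=id_rsa.pub
/user ssh-keys print

# --- On router A (SSH client side) ---
# Bind the private key to the local user that will run /system ssh.
# Only a user with full rights may set user= here. Some RouterOS versions
# also require public-key-file= on this import; add it if the import complains.
/user ssh-keys private import user=lala private-key-file=id_rsa
/user ssh-keys private print

# Remote command as one full-path line. A menu change followed by a second
# line would fail, because the MikroTik server allocates no pseudo-tty.
/system ssh 192.168.88.1 user=automation src-address=192.168.89.2 command="/ip address print"
```

Run the /system ssh line as user lala on router A; if the login falls back to a password prompt, check that the user= value on the private import matches the logged-in local user and that the address= restriction on router B matches the src-address actually used.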
SSH-exec
Sub-menu: /system ssh-exec
The ssh-exec command is a non-interactive SSH command, which allows commands to be executed remotely on a device from scripts and the scheduler.
Retrieve information
The command returns two values:
- exit-code: 0 if the remote command executed successfully, non-zero otherwise
- output: the output of the remotely executed command
Example:
The code below retrieves the interface status of ether1 from the device 10.10.10.1 and writes the result to the log:
:local Status ([/system ssh-exec address=10.10.10.1 user=remote command=":put ([/interface ethernet monitor [find where name=ether1] once as-value]->\"status\")" as-value]->"output")
:log info $Status
Note: For security reasons, plain-text password input is not allowed. To execute commands remotely safely, use SSH key authentication for the users on both sides.
An example of how to configure RSA key pair authentication can be found in: https://wiki.mikrotik.com/wiki/Use_SSH_to_execute_commands_(public/private_key_login)
Warning: The user group and the script policy executing the command require the test permission.
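The page's example uses only the output value. The following added example, which is not from the MikroTik wiki, shows the version a practitioner would actually schedule: it checks exit-code before trusting output, separates "remote command failed" from "ssh-exec itself failed" with a do/on-error block, and runs under a scheduler entry carrying the required test policy. The remote address 10.10.10.1, the user "remote", the script and scheduler name "poll-ether1", and the "link-ok" match are assumptions; the remote user is assumed to have this router's public key installed, as described above.

```routeros
# Added example (not MikroTik's own documentation). Body of a script saved as
# /system script add name=poll-ether1 policy=read,test
# Assumed: remote user "remote" on 10.10.10.1 accepts this router's key.
:local remoteAddr "10.10.10.1"
:local remoteUser "remote"
# Same remote command as the wiki example; :put prints only the status field.
:local remoteCmd ":put ([/interface ethernet monitor [find where name=ether1] once as-value]->\"status\")"

:do {
    :local result [/system ssh-exec address=$remoteAddr user=$remoteUser command=$remoteCmd as-value]
    :if (($result->"exit-code") = 0) do={
        :local status ($result->"output")
        :log info ("ether1 on $remoteAddr: $status")
        # Match with :find rather than = so a trailing newline in output does not matter.
        :if ([:typeof [:find $status "link-ok"]] = "nil") do={
            :log warning ("ether1 on $remoteAddr is not up: $status")
        }
    } else={
        # The session worked but the remote command failed; output carries the error text.
        :log error ("ssh-exec on $remoteAddr returned exit-code " . ($result->"exit-code") . ": " . ($result->"output"))
    }
} on-error={
    # ssh-exec itself raised an error: host unreachable, key rejected or wrong user.
    :log error ("ssh-exec to $remoteAddr as $remoteUser failed (connection or authentication)")
}

# Scheduler entry that runs the script every five minutes. The policy must
# include test, otherwise ssh-exec is refused.
/system scheduler add name=poll-ether1 interval=5m on-event="/system script run poll-ether1" policy=read,test
```

Paste the script body into the source of the /system script entry (the console editor or WinBox accepts the multi-line text), then add the scheduler line from the console. Keep the script's policy list to read,test so a compromised remote host that manages to return crafted output cannot be leveraged into a wider local policy.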