Difference between revisions of "Manual:IP/SSH"

From MikroTik Wiki
Jump to: navigation, search
(Settings: negerate import and export keys)
m (Settings)
Line 17: Line 17:
 
|style="border-bottom:1px solid gray;" valign="top"|controls ssh authentication methods, if set to yes, does not remove form allowed methods password_login
 
|style="border-bottom:1px solid gray;" valign="top"|controls ssh authentication methods, if set to yes, does not remove form allowed methods password_login
 
|-
 
|-
|style="border-bottom:1px solid gray;" valign="top"|'''export-host-key''' ''''
+
|style="border-bottom:1px solid gray;" valign="top"|'''export-host-key'''  
 
|style="border-bottom:1px solid gray;" valign="top"|exports router private key
 
|style="border-bottom:1px solid gray;" valign="top"|exports router private key
 
|-
 
|-
|style="border-bottom:1px solid gray;" valign="top"|'''import-host-key''' ''''
+
|style="border-bottom:1px solid gray;" valign="top"|'''import-host-key'''  
 
|style="border-bottom:1px solid gray;" valign="top"|imports user provided private key and replaces current host key
 
|style="border-bottom:1px solid gray;" valign="top"|imports user provided private key and replaces current host key
 
|-
 
|-
|style="border-bottom:1px solid gray;" valign="top"|'''regenerate-host-key''' ''''
+
|style="border-bottom:1px solid gray;" valign="top"|'''regenerate-host-key'''
 
|style="border-bottom:1px solid gray;" valign="top"|generated new set of private keys on the router and replaces current ones in use
 
|style="border-bottom:1px solid gray;" valign="top"|generated new set of private keys on the router and replaces current ones in use
 
|-
 
|-

Revision as of 16:50, 11 November 2015

Version.png

Applies to RouterOS: v5

Summary

This menu controls if ssh server behaviour regarding port forward and authentication methods.

Settings

Property Desciption
forwarding-enabled (no|yes default:no) controls ssh port forwarding
always-allow-password-login (no|yes default:no) controls ssh authentication methods, if set to yes, does not remove form allowed methods password_login
export-host-key exports router private key
import-host-key imports user provided private key and replaces current host key
regenerate-host-key generated new set of private keys on the router and replaces current ones in use
strong-crypto (no|yes default:no) Introduces following changes in ssh configuration:
  • prefer 256 and 192 bit encryption instead of 128 bits
  • disable null encryption
  • prefer sha256 for hashing instead of sha1
  • disable md5
  • use 2048bit prime for Diffie Hellman exchange instead of 1024bit

Example

To use this feature from Linux host using OpenSSH client this command can be used:

 ssh reamoteuser@remotehost -L port:remotehost:remoteport

where:

  • remoteuser - user of router
  • remotehost - router address (if host name is used in -L settings, router should be able to resolve this name)
  • port - local port that your host will listen on
  • remoteport - port on the router

If user requires telnet to router, but you do not want to allow it to be plain text, Following can be done:

ssh admin@192.168.88.1 -L 3000:192.168.88.1:23

now when user uses telnet localhost 3000" it will log in the router using telnet over encrypted tcp connection.

Icon-note.png

Note: we fully support SFTP v3 as described in draft-ietf-secsh-filexfer-02.txt other versions can cause problems