Manual:IP/SSH

From MikroTik Wiki
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
Version.png

Applies to RouterOS: v5

Summary

This menu controls if ssh server behaviour regarding port forward and authentication methods.

Settings

Property Desciption
forwarding-enabled (no|yes default:no) controls ssh port forwarding
always-allow-password-login (no|yes default:no) controls ssh authentication methods, if set to yes, does not remove form allowed methods password_login
export-host-key exports router private RSA and DSA key
import-host-key replace DSA or RSA with key provided for import. Be aware that previously imported ssh keys might stop working after key change.
regenerate-host-key generated new set of private keys (DSA and RSA) on the router and replaces current ones in use. Be aware that previously imported ssh keys might stop working after key change.
strong-crypto (no|yes default:no) Introduces following changes in ssh configuration:
  • prefer 256 and 192 bit encryption instead of 128 bits
  • disable null encryption
  • prefer sha256 for hashing instead of sha1
  • disable md5
  • use 2048bit prime for Diffie Hellman exchange instead of 1024bit


Icon-note.png

Note: When connecting from RouterOS built in client to router with strong crypto disabled, temporary strong crypto must be disabled on connecting router too. Reason is that strong crypto forces algorithms which are not supported when this feature is disabled.


Example

To use forwarding-enabled feature from Linux host using OpenSSH client this command can be used:

 ssh reamoteuser@remotehost -L port:remotehost:remoteport

where:

  • remoteuser - user of router
  • remotehost - router address (if host name is used in -L settings, router should be able to resolve this name)
  • port - local port that your host will listen on
  • remoteport - port on the router

If user requires telnet to router, but you do not want to allow it to be plain text, Following can be done:

ssh admin@192.168.88.1 -L 3000:192.168.88.1:23

now when user uses telnet localhost 3000" it will log in the router using telnet over encrypted tcp connection.

Icon-note.png

Note: we fully support SFTP v3 as described in draft-ietf-secsh-filexfer-02.txt other versions can cause problems