Difference between revisions of "Use SSH to execute commands (DSA key login)"

From MikroTik Wiki
Jump to: navigation, search
Line 1: Line 1:
 
==Configuration==
 
==Configuration==
  
Since RouterOS 2.9.13 support for SSH DSA keys and passing commands via ssh has been available. This allows you to run scripts from a remote machine against RouterOS without too much trouble anymore.
+
This will allow you to run scripts from a remote machine against RouterOS using Public/Private key authentication.
  
Example commands below are using FreeBSD - should be similar on other platforms.
+
===Host to RouterOS===
 +
Given example commands are run using FreeBSD - should be similar on other platforms.
  
 
'''1)''' Create a key using ssh-keygen
 
'''1)''' Create a key using ssh-keygen
Line 50: Line 51:
  
 
Now that you've created a key pair and imported the public key into RouterOS you can start running commands from your remote machine.
 
Now that you've created a key pair and imported the public key into RouterOS you can start running commands from your remote machine.
 +
 +
{{ Note | If you wish to be able to run '''ssh''' / '''ssh-exec''' commands from one RouterOS device to another, follow the additional steps below}}
 +
===RouterOS to RouterOS===
 +
 +
'''4)''' Create a new group with policies:
 +
/user group add name=remote policy=ssh,read,write
 +
 +
 +
'''5)''' Create a new user and assign the previously created group:
 +
  /user add name=remote group=remote
 +
 +
 +
'''6)''' Upload private and public keys on the device, from which you wish to use ssh commands with DSA authentication
 +
 +
 +
'''7)''' Import the both keys for the user:
 +
/user ssh-keys private import user=remote private-key-file=mykey public-key-file=mykey.pub passphrase=""
 +
 +
Now you should be able to authenticate from this device to any other device which has a user with the imported public key
 +
 +
{{Warning | Because the user has no password protection, do not allow it to be used in any other connection than '''SSH'''. Ensure that "/ip ssh set always-allow-password-login=no"}}
  
 
=Escaping shell special characters=
 
=Escaping shell special characters=
  
For executing simple command with ssh you have to enclose command with quotes to tell shell which characters belong to single shell command parameter. If you use double quotes than you have to escape all inside double quotes with backslash \.
+
For executing a simple command with ssh you have to enclose command with quotes to tell shell which characters belong to single shell command parameter. If you use double quotes then you have to escape all inside double quotes with backslash \.
 
<pre>%ssh -l admin-ssh -i /home/user/.ssh/id_dsa 10.20.1.1 ":put \"hello\""</pre>
 
<pre>%ssh -l admin-ssh -i /home/user/.ssh/id_dsa 10.20.1.1 ":put \"hello\""</pre>
  

Revision as of 10:51, 5 April 2019

Configuration

This will allow you to run scripts from a remote machine against RouterOS using Public/Private key authentication.

Host to RouterOS

Given example commands are run using FreeBSD - should be similar on other platforms.

1) Create a key using ssh-keygen

%ssh-keygen -t dsa

This creates a DSA key pair that is compatible with Mikrotik.

Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
f0:d0:xx:ee:07:xx:bb:a8:xx:9e:e1:fe:77:48:xx:xx user@vp6.example.com
Icon-note.png

Note: Make sure to leave the passphrase blank if you are going to be using this key in automated scripts. You do not want to be prompted for a password. Just make sure you keep your private key private (enough said?)!


2) Upload the generated key (public) to the target device:

Example: Upload key via FTP

%ftp 10.20.1.1
Connected to 10.20.1.1.
220 mikrotik FTP server (MikroTik 2.9.16) ready
Name (10.20.1.1:user): admin
331 Password required for admin
Password:

ftp> put id_dsa.pub
226 ASCII transfer complete

ftp> exit


3) Now from either Winbox or terminal mode you need to import the key. An example using terminal mode is given.

[admin@mikrotik]> user ssh-keys import file=id_dsa.pub 
user: admin-ssh

The user field above determines which user account will be logged in when you pass the key. For security reasons you should never use the 'admin' account (you knew that right?). Create a separate user account.

Now that you've created a key pair and imported the public key into RouterOS you can start running commands from your remote machine.

Icon-note.png

Note: If you wish to be able to run ssh / ssh-exec commands from one RouterOS device to another, follow the additional steps below


RouterOS to RouterOS

4) Create a new group with policies:

/user group add name=remote policy=ssh,read,write


5) Create a new user and assign the previously created group:

 /user add name=remote group=remote


6) Upload private and public keys on the device, from which you wish to use ssh commands with DSA authentication


7) Import the both keys for the user:

/user ssh-keys private import user=remote private-key-file=mykey public-key-file=mykey.pub passphrase=""

Now you should be able to authenticate from this device to any other device which has a user with the imported public key

Icon-warn.png

Warning: {{{1}}}


Escaping shell special characters

For executing a simple command with ssh you have to enclose command with quotes to tell shell which characters belong to single shell command parameter. If you use double quotes then you have to escape all inside double quotes with backslash \.

%ssh -l admin-ssh -i /home/user/.ssh/id_dsa 10.20.1.1 ":put \"hello\""

Another special character which need escaping is single dollar sign $ because it's used for variable handling by shell like bash or sh.

%ssh -l admin-ssh -i /home/user/.ssh/id_dsa 10.20.1.1 ":for i from=1 to=10 do={:put \$i}"

All other special characters evaluated by shell have to be escaped.

Examples

%ssh -l admin-ssh -i /home/user/.ssh/id_dsa 10.20.1.1 "/system gps monitor"
  date-and-time: mar/18/2006 08:30:39
      longitude: "W 117 00' 00''"
       latitude: "N 33 0' 00''"
       altitude: "200.199997m"
          speed: "0.185200 km/h"
          valid: yes
%ssh -l admin-ssh -i /home/user/.ssh/id_dsa 10.20.1.1 "/routing bgp peer print status"
Flags: X - disabled
 0   remote-address=xxx.xxx.129.196 remote-as=65333 multihop=yes
     in-filter=cymru-in out-filter=cymru-out route-reflect=no hold-time=3m
     ttl=60 tcp-md5-key="" remote-id=xxx.xxx.129.196 remote-hold-time=3h
     used-hold-time=3m used-keepalive-time=1m state=established
     uptime=1w1d10h54m55s prefix-count=68 refresh-capability=yes
%ssh -l admin-ssh -i /home/user/.ssh/id_dsa 10.20.1.1 "/ip firewall connection print count-only"
66566

DSA deprecated

Since OpenSSH 7.0 version DSA public key algorithm is considered weak and is deprecated. To be able to use DSA it needs to be enabled explicitly. Put PubkeyAcceptedKeyTypes +ssh-dss to ~/.ssh/config file.

Also to be able to connect to older versions of RouterOS you may need to use additional ssh parameters -o KexAlgorithms=diffie-hellman-group14-sha1 -o HostKeyAlgorithms=+ssh-dss


See also