Use SSH to execute commands (public/private key login)
Support for SSH DSA keys and for passing commands via SSH has been available since RouterOS 2.9.13. This lets you run scripts from a remote machine against RouterOS without much trouble.
The example commands below use FreeBSD; they should be similar on other platforms.
You first need to create a key using ssh-keygen.
%ssh-keygen -t dsa
This creates a DSA key pair that is compatible with MikroTik.
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
f0:d0:xx:ee:07:xx:bb:a8:xx:9e:e1:fe:77:48:xx:xx email@example.com
Make sure to leave the passphrase blank if you are going to be using this key in automated scripts. You do not want to be prompted for a password. Just make sure you keep your private key private (enough said?)!
Now you can FTP your id_dsa.pub public key to the MikroTik router to prepare for import.
%ftp 10.20.1.1
Connected to 10.20.1.1.
220 mikrotik FTP server (MikroTik 2.9.16) ready
Name (10.20.1.1:user): admin
331 Password required for admin
Password:
ftp> put id_dsa.pub
226 ASCII transfer complete
ftp> exit
This uploads your public key to the router. Do not upload your private key; it is private.
Now from either Winbox or terminal mode you need to import the key. An example using terminal mode is given.
[admin@mikrotik]> user ssh-keys import file=id_dsa.pub
user: admin-ssh
The user field above determines which user account will be logged in when you pass the key. For security reasons you should never use the 'admin' account (you knew that right?). Create a separate user account.
Now that you've created a key pair and imported the public key into RouterOS you can start running commands from your remote machine.
Some examples are below:
%ssh -l admin-ssh -i /home/user/.ssh/id_dsa 10.20.1.1 "/system gps monitor"
date-and-time: mar/18/2006 08:30:39
longitude: "W 117 00' 00''"
latitude: "N 33 0' 00''"
altitude: "200.199997m"
speed: "0.185200 km/h"
valid: yes
or
%ssh -l admin-ssh -i /home/user/.ssh/id_dsa 10.20.1.1 "/routing bgp peer print status"
Flags: X - disabled
0 remote-address=xxx.xxx.129.196 remote-as=65333 multihop=yes in-filter=cymru-in out-filter=cymru-out route-reflect=no hold-time=3m ttl=60 tcp-md5-key="" remote-id=xxx.xxx.129.196 remote-hold-time=3h used-hold-time=3m used-keepalive-time=1m state=established uptime=1w1d10h54m55s prefix-count=68 refresh-capability=yes
or
%ssh -l admin-ssh -i /home/user/.ssh/id_dsa 10.20.1.1 "/ip firewall connection print count-only"
6656
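A wrapper for the unattended use described above, added here as an example and not part of the original page: it refuses the 'admin' account, checks that the private key is not readable by group or others, and runs ssh so that it never prompts. The function names and the ROS_HOST, ROS_USER and ROS_KEY variables are assumptions; their defaults reuse the values from this page.

```shell
#!/bin/sh
# Added example: wrapper for unattended RouterOS commands over SSH.
# ROS_HOST, ROS_USER and ROS_KEY are assumed names; defaults mirror this page.

ROS_HOST="${ROS_HOST:-10.20.1.1}"
ROS_USER="${ROS_USER:-admin-ssh}"
ROS_KEY="${ROS_KEY:-$HOME/.ssh/id_dsa}"

# Succeeds only if the key file exists and group/other have no permissions.
# Reads the mode string from ls so it behaves the same on FreeBSD and Linux.
key_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld -- "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Rejects an empty name and the built-in 'admin' account, as the page advises.
user_is_allowed() {
    [ -n "$1" ] && [ "$1" != "admin" ]
}

# Runs one RouterOS command. BatchMode makes ssh fail instead of prompting,
# so a scheduled job exits with an error rather than hanging.
ros_run() {
    user_is_allowed "$ROS_USER" || {
        echo "refusing to run as user '$ROS_USER'" >&2; return 2; }
    key_is_private "$ROS_KEY" || {
        echo "key $ROS_KEY is missing or readable by others" >&2; return 3; }
    ssh -l "$ROS_USER" -i "$ROS_KEY" \
        -o BatchMode=yes \
        -o IdentitiesOnly=yes \
        -o StrictHostKeyChecking=yes \
        -o ConnectTimeout=10 \
        "$ROS_HOST" "$1"
}

# Usage: ros_run "/ip firewall connection print count-only"
```

StrictHostKeyChecking=yes requires the router's host key to be in known_hosts already, so connect once interactively and verify the fingerprint before scheduling the script.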