A step-by-step guide to configuring SSH public key authentication on a MikroTik router using RSA keys
In RouterOS 6.31, MikroTik introduced support for RSA keys for authentication, so I decided to give it a test. SSH public key authentication on RouterOS using DSA keys has been supported for a long while. This MikroTik tutorial will guide you through the process of configuring authentication with RSA keys. This tutorial is really three articles in one; pick the one that fits your environment: SSH from a Linux host, PuTTY on Windows, or SecureCRT on Windows.
Generate an RSA key pair on Ubuntu Linux
Step 1: Run ssh-keygen
user@linux:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/osboxes/.ssh/id_rsa):
Created directory '/home/osboxes/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/osboxes/.ssh/id_rsa.
Your public key has been saved in /home/osboxes/.ssh/id_rsa.pub.
The key fingerprint is:
8e:1e:a0:85:b9:1f:f4:80:a8:89:cd:a8:ae:99:db:48 osboxes@osboxes
The key's randomart image is:
+---[RSA 2048]----+
| |
| |
| |
| . + |
|. + = S |
|o= = + o |
|=E= . + . |
|o= . o . |
|Xo. . . |
+-----------------+
Step 2: Copy the public key to the MikroTik router
user@linux:~$ scp ~/.ssh/id_rsa.pub admin@192.168.1.99:mykey.pub
The authenticity of host '192.168.1.99 (192.168.1.99)' can't be established.
RSA key fingerprint is aa:25:f6:25:12:f1:57:9b:97:1c:b6:af:dd:f2:97:e4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.99' (RSA) to the list of known hosts.
admin@192.168.1.99's password:
id_rsa.pub 100% 397 0.4KB/s 00:00
Next, skip down to Install the public key
Generate an RSA key pair using SecureCRT (Windows)
Important: If you have already created a private/public key pair in the past using SecureCRT, make sure you back up your keys or just use the existing key pair. You have been warned.
Next, skip down to Install the public key
Generate SSH Key pair using PuTTY’s puttygen.exe (Windows)
Install the Public RSA key and associate it with a user
Step 1: Use Winbox to verify that the file was copied to the router
Step 2a: Import the public key using Winbox
Step 2b: Import the public key from the command line
[admin@MikroTik] > /user ssh-keys import public-key-file=mykey.pub user=admin
To verify…
[admin@MikroTik] > /user ssh-keys print
Flags: R - RSA, D - DSA
 #   USER   BITS  KEY-OWNER
 0 R admin  2048  admin@host
Test your configuration by connecting with SSH
user@linux:~$ ssh admin@192.168.1.99
[admin@MikroTik] >
Look, no password prompt!
How to export router’s configuration using SSH
user@linux:~$ ssh admin@192.168.1.99 /export > myconfig.rsc
user@linux:~$ head myconfig.rsc
# sep/10/2015 10:46:44 by RouterOS 6.31
# software id = 0340-0M77
#
/ip address
add address=192.168.1.99/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
...
Again, no password prompt!
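For an unattended job, the export step above can be wrapped so that it never falls back to a password prompt, refuses unknown or changed host keys, and stores the configuration in an owner-only file. This is an added example, not part of the original post; ROUTER, OUTDIR, SSH_CMD and the function names are assumptions, and the validity check assumes the export header format shown above.

```shell
#!/bin/sh
# Added example: unattended RouterOS config export over key-based SSH.
# ROUTER, OUTDIR, SSH_CMD and the function names are assumed for illustration.
ROUTER="${ROUTER:-admin@192.168.1.99}"
OUTDIR="${OUTDIR:-./router-backups}"
# BatchMode=yes: never fall back to a password prompt; fail if the key is rejected.
# StrictHostKeyChecking=yes: refuse unknown or changed host keys instead of asking.
SSH_CMD="${SSH_CMD:-ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=10}"

# Succeeds only if the file looks like a RouterOS export: non-empty, first line
# is the "# <date> by RouterOS <version>" header, and a "/menu" line is present.
is_routeros_export() {
    [ -s "$1" ] || return 1
    head -n 1 "$1" | grep -q '^# .* by RouterOS ' || return 1
    grep -q '^/' "$1"
}

# Fetch the export into an owner-only file and keep it only if it validates.
# Prints the path of the saved file on success.
fetch_export() {
    umask 077                       # files created below get mode 0600
    mkdir -p "$OUTDIR" || return 1
    tmp="$OUTDIR/.export.$$"
    out="$OUTDIR/export-$(date +%Y%m%d-%H%M%S).rsc"
    # $SSH_CMD is left unquoted on purpose so its options split into words.
    if $SSH_CMD "$ROUTER" /export > "$tmp" && is_routeros_export "$tmp"; then
        mv "$tmp" "$out" && printf '%s\n' "$out"
    else
        rm -f "$tmp"
        echo "export from $ROUTER failed or did not validate" >&2
        return 1
    fi
}

# Run the export only when invoked as: sh router-export.sh run
if [ "${1:-}" = "run" ]; then
    fetch_export
fi
```

With StrictHostKeyChecking=yes the router's host key must already be in known_hosts, so compare the fingerprint shown at the first connection against the router before accepting it.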
How to create a binary backup and transfer using scp
user@linux:~$ ssh admin@192.168.1.99 /system backup save name=myrouter.backup
Configuration backup saved
user@linux:~$ scp admin@192.168.1.99:/myrouter.backup ./
myrouter.backup 100% 18KB 18.1KB/s 00:00
user@linux:~$ ls -al myrouter.backup
-rw-r----- 1 osboxes osboxes 18573 Sep 11 04:35 myrouter.backup
The post MikroTik Tutorial: RouterOS SSH Public Key Auth using RSA keys appeared first on jcutrer.com.