Mikrotik SSH Public Key Authentification with modern OpenSSH Versions 8.2+ (now solved in ROS 7.4beta2)
Jun 07, 2022, updated at Jun 08, 2022 at 05:25:31 (UTC)
RouterOS version 7.4beta2 has been released the "v7 testing" channel!
What's new in 7.4beta2 (2022-Jun-07 12:08)
*) ssh -
Test successful! Thank you Mikrotik!
It's been a while since the OpenSSH version 8.2 was released, but since then there are devices in the wild where the new OpenSSH versions require some adjustment to the algorithm when accessing such a devices, since ssh-rsa is disabled by default. I just wanted to remind you in this way if someone also stumbles over it. Had that already in the back of my mind, but sometimes you are so blind that you simply overlook it.
Mikrotik at the moment of writing this article, is also one of these devices. Meanwhile ist supports also rsa-ssh2 hostkeys, however with Public-Key Authentification this is not the case and it is limited to ssh-rsa, DSA was already switched off in version 7 which is good, however also the elliptic curve algos like ed25519, e.g are missing, unfortunately. In this respect, one is very limited concerning the algorithms. This should not be so tragic because the SSH ports are mostly only accessible internally, but it's not very nice.
The whole thing has already been mentioned in the Mikrotik forum.
OpenSSH future RSA host key deprecation
Well, for all of you who stumble upon this and are tearing their hair out why the public key auth from a modern Linux distro sent to a Mikrotik with the error message
is terminated, should be advised to activate ssh-rsa for the connection. Either by editing the ssh client config file in /etc/ssh/ssh_config with the content
sign_and_send_pubkey: no mutual signature supported
or by specifing this only for the specifc device in ~/.ssh/config
or by setting the option directly on the command line:
ssh -i /path/to/my.key -o 'PubkeyAcceptedKeyTypes=ssh-rsa' firstname.lastname@example.org
Hope this will be fixed soon by Mikrotik.
Please also mark the comments that contributed to the solution of the article
Printed on: August 7, 2022 at 07:08 o'clock