Mikrotik SSH Public Key Authentication with modern OpenSSH Versions 8.2+ (now solved in ROS 7.4beta2)
#edit 07.06.2022 18:09#
Just wrote the post and Mikrotik has already acted, wow that's fast! RouterOS version 7.4beta2 has been released in the "v7 testing" channel!
What's new in 7.4beta2 (2022-Jun-07 12:08)
*) ssh - disable ssh-rsa when strong-crypto=yes and use rsa-sha2-sha256;
Test successful! Thank you Mikrotik!
Hi folks.
It's been a while since OpenSSH version 8.2 was released, but there are still devices in the wild for which the new OpenSSH versions require some adjustment of the algorithms when accessing them, since ssh-rsa is disabled by default. I just wanted to post this as a reminder in case someone else stumbles over it. I had it in the back of my mind already, but sometimes you are so blind that you simply overlook it.
At the time of writing this article, Mikrotik is also one of these devices. Meanwhile it also supports rsa-sha2 host keys; however, this is not the case for public key authentication, which is limited to ssh-rsa. DSA was already switched off in version 7, which is good, but unfortunately the elliptic curve algorithms, e.g. ed25519, are also missing. In this respect, one is very limited concerning the algorithms. This should not be so tragic because the SSH ports are mostly only accessible internally, but it's not very nice.
The whole thing has already been mentioned in the Mikrotik forum.
OpenSSH future RSA host key deprecation
Well, for all of you who stumble upon this and are tearing your hair out over why public key auth from a modern Linux distro to a Mikrotik fails with the error message
sign_and_send_pubkey: no mutual signature supported
the fix is to allow ssh-rsa for public key authentication again on the client, in one of these ways.
Globally, in /etc/ssh/ssh_config, with the content:
PubkeyAcceptedKeyTypes +ssh-rsa
Per host, in ~/.ssh/config:
Host my.mikrotik.tld
    PubkeyAcceptedKeyTypes +ssh-rsa
Or directly on the command line:
ssh -i /path/to/my.key -o 'PubkeyAcceptedKeyTypes=ssh-rsa' admin@my.mikrotik.tld
Hope this will be fixed soon by Mikrotik.
Kind Regards
@colinardo
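Because the workaround above can be set either globally or per host, it is worth checking where ssh-rsa has actually been re-enabled on a client. The following is an added example, not part of the original post: a small Python check (the function name `ssh_rsa_overrides` and the sample configuration are constructed for illustration) that parses ssh_config text and reports whether each override is scoped to a single host or applies to every connection.

```python
import re

# PubkeyAcceptedKeyTypes was renamed PubkeyAcceptedAlgorithms in OpenSSH 8.5;
# the old name is still accepted as an alias, so both are checked.
KEYWORDS = {"pubkeyacceptedkeytypes", "pubkeyacceptedalgorithms"}

def ssh_rsa_overrides(config_text):
    """Return (line_no, scope, is_broad) for every line that re-enables ssh-rsa."""
    findings = []
    scope, broad = "(global)", True   # options before the first Host/Match hit every host
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip().strip('"')
        if keyword == "host":
            scope, broad = f"{parts[0]} {value}", "*" in value.split()
        elif keyword == "match":
            scope, broad = f"{parts[0]} {value}", value.lower() == "all"
        elif keyword in KEYWORDS and not value.startswith("-"):
            # a leading "-" removes algorithms; "+", "^" or a plain list can enable them
            algos = [a.strip() for a in value.lstrip("+^").split(",")]
            if "ssh-rsa" in algos:
                findings.append((line_no, scope, broad))
    return findings

# Constructed sample, not taken from a real system.
SAMPLE = """\
# constructed sample configuration
PubkeyAcceptedKeyTypes +ssh-rsa

Host my.mikrotik.tld
    PubkeyAcceptedKeyTypes +ssh-rsa
    User admin

Host *
    PubkeyAcceptedAlgorithms=+ssh-rsa,ssh-ed25519

Host other.example
    PubkeyAcceptedAlgorithms -ssh-rsa
"""

if __name__ == "__main__":
    for line_no, scope, broad in ssh_rsa_overrides(SAMPLE):
        label = "applies to ALL hosts" if broad else "host-scoped"
        print(f"line {line_no}: ssh-rsa enabled under {scope} ({label})")
```

Entries reported as applying to all hosts are the ones to move into a `Host` block for the Mikrotik device, and to remove once the router runs a release that accepts rsa-sha2 signatures.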
Content-ID: 3008416503
Url: https://administrator.de/contentid/3008416503