colinardo
Goto Top

Mikrotik SSH Public Key Authentification with modern OpenSSH Versions 8.2+ (now solved in ROS 7.4beta2)

back-to-top#edit 07.06.2022 18:09#
Just wrote the post and Mikrotik has already acted, wow that's fast face-smile!
RouterOS version 7.4beta2 has been released the "v7 testing" channel!

What's new in 7.4beta2 (2022-Jun-07 12:08)
*) ssh - disable ssh-rsa when strong-crypto=yes and use rsa-sha2-sha256;

Test successful! Thank you Mikrotik!


Hi folks.

It's been a while since the OpenSSH version 8.2 was released, but since then there are devices in the wild where the new OpenSSH versions require some adjustment to the algorithm when accessing such a devices, since ssh-rsa is disabled by default. I just wanted to remind you in this way if someone also stumbles over it. Had that already in the back of my mind, but sometimes you are so blind that you simply overlook it.

Mikrotik at the moment of writing this article, is also one of these devices. Meanwhile ist supports also rsa-ssh2 hostkeys, however with Public-Key Authentification this is not the case and it is limited to ssh-rsa, DSA was already switched off in version 7 which is good, however also the elliptic curve algos like ed25519, e.g are missing, unfortunately. In this respect, one is very limited concerning the algorithms. This should not be so tragic because the SSH ports are mostly only accessible internally, but it's not very nice.

The whole thing has already been mentioned in the Mikrotik forum.
OpenSSH future RSA host key deprecation

Well, for all of you who stumble upon this and are tearing their hair out why the public key auth from a modern Linux distro sent to a Mikrotik with the error message
sign_and_send_pubkey: no mutual signature supported
is terminated, should be advised to activate ssh-rsa for the connection. Either by editing the ssh client config file in /etc/ssh/ssh_config with the content
PubkeyAcceptedKeyTypes +ssh-rsa
or by specifing this only for the specifc device in ~/.ssh/config
Host my.mikrotik.tld
	PubkeyAcceptedKeyTypes +ssh-rsa
or by setting the option directly on the command line:
ssh -i /path/to/my.key -o 'PubkeyAcceptedKeyTypes=ssh-rsa' admin@my.mikrotik.tld  

Hope this will be fixed soon by Mikrotik.

Kind Regards
@colinardo

Content-Key: 3008416503

Url: https://administrator.de/contentid/3008416503

Ausgedruckt am: 29.03.2024 um 12:03 Uhr