A step-by-step guide to configuring SSH Public Key Authentication on a MikroTik router using RSA keys
In RouterOS 6.31, MikroTik introduced support for RSA keys for authentication, so I decided to give it a test. SSH Public Key Authentication on RouterOS using DSA keys has been supported for a long while. This MikroTik tutorial will guide you through the process of configuring authentication with RSA keys. This tutorial is really three articles in one; pick the one that fits your environment:
SSH from a Linux host,
PuTTY on Windows, or
SecureCRT on Windows.
Generate an RSA key pair on Ubuntu Linux
Step 1: Run ssh-keygen
user@linux:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/osboxes/.ssh/id_rsa):
Created directory '/home/osboxes/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/osboxes/.ssh/id_rsa.
Your public key has been saved in /home/osboxes/.ssh/id_rsa.pub.
The key fingerprint is:
8e:1e:a0:85:b9:1f:f4:80:a8:89:cd:a8:ae:99:db:48 osboxes@osboxes
The key's randomart image is:
+---[RSA 2048]----+
| |
| |
| |
| . + |
|. + = S |
|o= = + o |
|=E= . + . |
|o= . o . |
|Xo. . . |
+-----------------+
Step 2: Copy the public key to the MikroTik router
user@linux:~$ scp ~/.ssh/id_rsa.pub admin@192.168.1.99:mykey.pub
The authenticity of host '192.168.1.99 (192.168.1.99)' can't be established.
RSA key fingerprint is aa:25:f6:25:12:f1:57:9b:97:1c:b6:af:dd:f2:97:e4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.99' (RSA) to the list of known hosts.
admin@192.168.1.99's password:
id_rsa.pub 100% 397 0.4KB/s 00:00
Next, skip down to Install the public key.
Generate an RSA key pair using SecureCRT (Windows)
Important
If you have already created a private/public key pair in the past using SecureCRT, make sure you back up your keys or just use the existing key pair. You have been warned.
Before you start, choose “Options | Global Options | SSH2” from the menu to see if you have already generated and configured an SSH key pair.
Choose “Tools | Create Public Key…”
Click “Next”
Choose between DSA and RSA key generation, RSA for this tutorial.
Leave Passphrase blank for true passwordless authentication
Use a key length of 2048
Click “Next” after the RSA key is generated
Choose where to save your key pair; I created a folder in My Documents named “sshkeys”.
Next, skip down to Install the public key.
Generate SSH Key pair using PuTTY’s puttygen.exe (Windows)
Click “Start | Run” and launch “C:\Program Files (x86)\PuTTY\puttygen.exe”
Ensure that key type is “SSH-2 (RSA)” and key length is “2048”. Click “Generate”.
Click “Save private key” and “Save public key” to save each. I saved them to My Documents\sshkeys and named the public key “puttykey.pub”.
Install the Public RSA key and associate it with a user
Step 1: Use Winbox to verify that the file was copied to the router
Step 2a: Import the public key using Winbox
Step 2b: Import the public key from the command line
[admin@MikroTik] > /user ssh-keys import public-key-file=mykey.pub user=admin
To verify…
[admin@MikroTik] > /user ssh-keys print
Flags: R - RSA, D - DSA
# USER BITS KEY-OWNER
0 R admin 2048 admin@host
Test your configuration by connecting with SSH
user@linux:~$ ssh admin@192.168.1.99
[admin@MikroTik] >
Look, no password prompt!
How to export router’s configuration using SSH
user@linux:~$ ssh admin@192.168.1.99 /export > myconfig.rsc
user@linux:~$ head myconfig.rsc
# sep/10/2015 10:46:44 by RouterOS 6.31
# software id = 0340-0M77
#
/ip address
add address=192.168.1.99/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
...
Again, no password prompt!
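The export above, wrapped for unattended use (cron, for instance), as an added example that is not part of the original tutorial: BatchMode=yes makes ssh fail instead of prompting for a password if the key is rejected, and the output is kept only if it starts with the RouterOS export header. The function names and the ROUTER, ROUTER_USER and BACKUP_DIR variables are assumptions.

```shell
#!/bin/sh
# Added example: unattended RouterOS /export over key-based SSH.
# ROUTER, ROUTER_USER, BACKUP_DIR and all function names are assumptions.
ROUTER="${ROUTER:-192.168.1.99}"
ROUTER_USER="${ROUTER_USER:-admin}"
BACKUP_DIR="${BACKUP_DIR:-./router-backups}"

# Run a command on the router. BatchMode=yes makes ssh exit with an error
# instead of waiting at a password prompt when the key is not accepted.
run_router() {
    ssh -o BatchMode=yes -o ConnectTimeout=10 "$ROUTER_USER@$ROUTER" "$@"
}

# True if FILE begins with the "# <date> by RouterOS <version>" header
# that /export writes as its first line.
looks_like_export() {
    head -n 1 "$1" | grep -q '^# .* by RouterOS '
}

# Save /export to a timestamped file readable only by its owner and print
# the file name. Nothing is kept if ssh fails or the output is not an export.
export_config() {
    umask 077    # the export is the router's full configuration
    mkdir -p "$BACKUP_DIR" || return 1
    out="$BACKUP_DIR/$ROUTER-$(date +%Y%m%d-%H%M%S).rsc"
    tmp="$out.part"
    if run_router /export > "$tmp" && looks_like_export "$tmp"; then
        mv "$tmp" "$out" && printf '%s\n' "$out"
    else
        rm -f "$tmp"
        echo "export from $ROUTER failed or returned unexpected output" >&2
        return 1
    fi
}

# Perform the export only when called as: sh router-export.sh run
if [ "${1:-}" = "run" ]; then
    export_config
fi
```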
How to create a binary backup and transfer using scp
user@linux:~$ ssh admin@192.168.1.99 /system backup save name=myrouter.backup
Configuration backup saved
user@linux:~$ scp admin@192.168.1.99:/myrouter.backup ./
myrouter.backup 100% 18KB 18.1KB/s 00:00
user@linux:~$ ls -al myrouter.backup
-rw-r----- 1 osboxes osboxes 18573 Sep 11 04:35 myrouter.backup
Source: http://jcutrer.com/howto/networking/mikrotik/routeros-ssh-publickeyauth-rsa-keys