DSA key login and command execution via SSH on RouterOS.........

DSA key login and command execution via SSH on RouterOS

Since RouterOS 2.9.13 the support for SSH DSA keys and command execution via ssh connection is available.
This allows admins to run commands and scripts from a remote machine on a RouterOS equipped one without inserting interactively a password to authenticate (Public/Private Key Authentication).

To use this facility, only three configuration steps are necessary.

First step is to create a key using ssh-keygen.
ssh-keygen -t dsa
To Login in the remote machine without being prompted for key PassPhrase, it is possible to:
1. Leave passphrase blank during creation.
2. Use OpenSSL Toolkit to remove PassPhrase.
3. Use a local SSH-Agent to manage Key Authentication & Forwarding (RECOMMENDED)

Second step is upload via FTP the id_dsa.pub Key (Public Key) into the RouterOS device.
ftp mk.lab.bravi.org
Connected to mk.lab.bravi.org.
220 mk.lab.bravi.org FTP server (MikroTik 4.17) ready
Name (mk.lab.bravi.org:admin): admin
331 Password required for admin
Password:
230 User admin logged in
Remote system type is UNIX.
ftp> put id_dsa.pub 
local: id_dsa.pub remote: id_dsa.pub
227 Entering Passive Mode (XXX,XXX,XXX,XXX,XXX,XX).
150 Opening ASCII mode data connection for '/id_dsa.pub'
100% |******| 613 8.23 MiB/s --:-- ETA226 ASCII transfer complete
613 bytes sent in 00:00 (76.83 KiB/s)
ftp> exit

Third and last step is import the key in RouterOS Terminal (also possible using Winbox Client).
/user ssh-keys import file=id_dsa.pub user=admin
The user field determines which user account will be authenticated when using the specific Key.

By authenticating with the Public/Private Key, the process of sending commands to devices will be drastically simplified, for example in my old RB500 used in LAB:
ssh admin@mk.lab.bravi.org "/system resource print"
The immediate reply will be:
                   uptime: 5d17h7m59s
                  version: "4.17"
              free-memory: 47960kB
             total-memory: 62440kB
                      cpu: "MIPS 4Kc V0.10"
                cpu-count: 1
            cpu-frequency: 399MHz
                 cpu-load: 4
           free-hdd-space: 85420kB
          total-hdd-space: 126976kB
  write-sect-since-reboot: 1263
         write-sect-total: 31632
               bad-blocks: 0.1%
        architecture-name: "mipsle"
               board-name: "RB532A"
                 platform: "MikroTik"
  • Share
Tags: 
This entry was posted on Wednesday, May 18th, 2011 at 11:24 PMand is filed under . You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Comments

Post a Comment

Popular posts from this blog

DMASOFTLAB RADIUS MANAGER BILLING SYSTEM v 4.1 Finally Released

Image
DMASOFTLAB RADIUS MANAGER BILLING SYSTEM v 4.1 Finally Released  Filed under: Radius Manager — Tags: dmasoftlab radius manager new version , radius manager 4.1 — Waseem Anjum Meo @ 10:47 AM             5 Votes Finally DMA has released its new version for Radius Manager Billing System. Complete info can be found here. http://www.dmasoftlab.com/cont/revision   *** v 4.1.0 *** 2013-10-23 *** NEW FEATURES: ↓ -enhanced SMTP mailer with authentication and freely configurable port -SMS alert indicating the account is going to expire ** This was most DEMANDED   , Jz -support for BulkSMS HTTP->SMS gateway ** This was most DEMANDED   , Jz -alert type is selectable in user preferences (ACP / UCP) ** This was most DEMANDED   , Jz -enable traffic report per user in ACP even if global traffic report is disabled -service change is allowed for Hotspot MAC accounts -auto logout expired ACP sessions -FreeRadius 2.2.0 support -DOCSIS u
Read more

How To Configure Nano Station M2 As Access point

Image
Web Configuration Now that the hardware has been completely installed, it's time to configure the Bullet to act as a WiFi Access Point. Configuration is performed using your web browser by typing in  https://192.168.1.20 . You'll get a warning pop up stating that the device has presented an invalid SSL certificate due to the certificate being self-signed and not issued by a CA. This is normal so just hit accept/continue. You'll then need to log in with the default username and password of "ubnt". Configure the Wireless tab The first step is to configure the Wireless tab so the Bullet acts as a WiFi Access Point. Change the settings according to the below picture. Be sure to set the device up with WPA2 security and an appropriate WiFi password here. You can also use this tab to adjust the power output should you wish to cover a smaller area. The default channel bandwidth is 40MHz, but some older devices such as wireless printers and mobile phones cannot o
Read more