MikroTik Tutorial: RouterOS SSH Public Key Auth using RSA keys

MikroTik Tutorial: RouterOS SSH Public Key Auth using RSA keys

A Step-by-Step guide to configure SSH Public Key Authentication on a MikroTik router using an RSA keys

In RouterOS 6.31, MikroTik introduced support for RSA keys for authentication so I decided to give it a test. SSH Public Key Authentication on RouterOS using DSA keys has been supported for a long while. This MikroTik tutorial will guide you through the process of configuring authentication with RSA keys. This tutorial is really three articles in one, pick the one that fits your environment. SSH from a Linux host, Putty on Windows, or SecureCRT on Windows.

Ubuntu Generate an RSA key pair on ubuntu linux

Ubuntu Step 1: Run ssh-keygen

user@linux:~$ ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/home/osboxes/.ssh/id_rsa): 
Created directory '/home/osboxes/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/osboxes/.ssh/id_rsa.
Your public key has been saved in /home/osboxes/.ssh/id_rsa.pub.
The key fingerprint is:
8e:1e:a0:85:b9:1f:f4:80:a8:89:cd:a8:ae:99:db:48 osboxes@osboxes
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|                 |
|                 |
| . +             |
|. + =   S        |
|o= = + o         |
|=E= . + .        |
|o= . o .         |
|Xo. . .          |

Ubuntu Step 2: Copy the public key to the MikroTik router

user@linux:~$ scp ~/.ssh/id_rsa.pub admin@ 
The authenticity of host ' (' can't be established.
RSA key fingerprint is aa:25:f6:25:12:f1:57:9b:97:1c:b6:af:dd:f2:97:e4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
admin@'s password: 
id_rsa.pub                                       100%  397     0.4KB/s   00:00

Next, skip down to Install the public key

Generate an RSA key pair using SecureCRT (Windows)

Important If you have already created a private/public key in the past using SecureCRT make sure you backup your keys or just use the existing key pair. You have been warned.

SecureCRT | Global Options | SSH2
Before you start, choose “Options | Global Options | SSH2” from the menu to see if you have already generated and configured a SSH key pair.

SecureCRT | Tools | Create Public Key...
Choose “Tools | Create Public Key…”

SecureCRT Create Key Dialog
Click “Next”

SecureCRT Choose between DSA and RSA key generation
Choose between DSA and RSA key generation, RSA for this tutorial.

SecureCRT For passwordless auth do not specify a passphrase
Leave Passphrase blank for true passwordless authentication

SecureCRT Use a key length of 2048
Use a key length of 2048

SecureCRT Key Generation Step
Click “Next” after the RSA key is generated

SecureCRT Choose where to save your key pair
Choose where to save your key pair, I created a folder in My Documents named “sshkeys”.

Next, skip down to Install the public key

PuTTY Generate SSH Key pair using PuTTY’s puttygen.exe (Windows)

Run puttygen.exe
Click “Start | Run” and launch “C:\Program Files (x86)\PuTTY\puttygen.exe”

Puttygen.exe Generate
Ensure that key type is “SSH-2 (RSA)” and key length is “2048”. Click “Generate”.

puttygen.exe save the generated public and private keys
Click “Save private key” and “Save public key” to save each. I saved them to My Documents\sshkeys and named the public key “puttykey.pub”.

Winbox Install the Public RSA key and associate it with a user

Winbox Step 1: Use winbox to verify that the file was copied to the router

Winbox Files List

Winbox Step 2a: Import the public key using Winbox

Import SSH public key using Winbox

Winbox Step 2b: Import the public key from the command line

[admin@MikroTik] > /user ssh-keys import public-key-file=mykey.pub user=admin

To verify…

[admin@MikroTik] > /user ssh-keys print  
Flags: R - RSA, D - DSA 
 #   USER                       BITS KEY-OWNER                                   
 0 R admin                      2048 admin@host 

Test your configuration by connecting with SSH

nbsp;ssh admin@ [admin@MikroTik] >

Look, no password prompt!


How to export router’s configuration using SSH

nbsp;ssh admin@ /export > myconfig.rsc user@linux:~
nbsp;head myconfig.rsc # sep/10/2015 10:46:44 by RouterOS 6.31 # software id = 0340-0M77 # /ip address add address= interface=ether1 network= /ip dhcp-client add dhcp-options=hostname,clientid interface=ether1 ...

Again, no password prompt!

How to create a binary backup and transfer using scp

user@linux:~$ ssh admin@ /system backup save name=myrouter.backup
Configuration backup saved

user@linux:~$ scp admin@ ./
myrouter.backup 100% 18KB 18.1KB/s 00:00 

user@linux:~$ ls -al myrouter.backup
-rw-r----- 1 osboxes osboxes 18573 Sep 11 04:35 myrouter.backup

Video Tutorials (Coming Soon)


NetScout LinkRunner G2

LinkRunner G2 is the ultimate network cable test tool

CAT5 Cable Tester, Measure Cable Length,
PoE Voltage, Network Connectivity, Switch Port ID
Optional Wireless & Fiber Optics Modules
Check Price on Amazon

One Reply to “MikroTik Tutorial: RouterOS SSH Public Key Auth using RSA keys”

  1. In above example is Linux scp to Mikrotik, run backup and copy backup file to local directory.
    Is that possible if Mikrotik scp its backup file into scp server in Linux. tq

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.