
SSH

SSH Server

RouterOS has a built-in SSH (SSH v2) server that is enabled by default and listens for incoming connections on TCP port 22. The port can be changed and the server disabled under the Services menu.

Properties

Sub-menu: /ip/ssh

Property / Description

password-authentication (yes-if-no-key | yes | no; Default: yes-if-no-key)
    Whether to allow password login at the same time when public key authorization is configured for a user.

ciphers (3des-cbc | aes-cbc | aes-ctr | aes-gcm | auto | null; Default: auto)
    Allows configuration of SSH ciphers.

forwarding-enabled (both | local | no | remote; Default: no)
    Allows control of which SSH forwarding method to allow:
      • no - SSH forwarding is disabled;
      • local - allows SSH clients to originate connections from the server (router); this setting also controls dynamic forwarding;
      • remote - allows SSH clients to listen on the server (router) and forward incoming connections;
      • both - allows both local and remote forwarding methods.

host-key-size (1024 | 1536 | 2048 | 4096 | 8192; Default: 2048)
    RSA key size used when the host key is regenerated.

host-key-type (ed25519 | rsa; Default: rsa)
    Selects the host key type.

publickey-authentication-options (none | touch-required | verify-required; Default: none)
    Sets public key authentication options.
    The touch-required option causes public key authentication using a FIDO authenticator algorithm to always require the signature to attest that a physically present user explicitly confirmed the authentication (usually by touching the authenticator).
    The verify-required option requires a FIDO key signature to attest that the user was verified, e.g. via a PIN.

strong-crypto (yes | no; Default: no)
    Use stronger encryption and HMAC algorithms, use bigger DH primes and disallow weaker ones:
      • use 256 and 192 bit encryption instead of 128 bits;
      • disable null encryption;
      • use sha256 for hashing instead of sha1;
      • disable md5;
      • use a 2048-bit prime for the Diffie-Hellman exchange instead of 1024-bit.
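An added configuration example (not from the RouterOS documentation) showing the default SSH server settings from the table above beside a hardened set built only from those properties; it assumes console access with the policy needed to change /ip/ssh.

```routeros
# Added example, not part of the RouterOS documentation.
# Defaults, as listed in the property table (shown for comparison, not applied here):
#   /ip/ssh/set ciphers=auto strong-crypto=no host-key-type=rsa host-key-size=2048 \
#       forwarding-enabled=no password-authentication=yes-if-no-key

# Hardened: enable the stronger cipher/HMAC/DH set, prefer an Ed25519 host key,
# and keep SSH port forwarding disabled so the router cannot be used as a pivot.
/ip/ssh/set strong-crypto=yes host-key-type=ed25519 forwarding-enabled=no

# host-key-size and host-key-type apply to a newly generated host key, so regenerate it.
# Clients that cached the old host key will see a host-key mismatch on their next connection;
# distribute the new fingerprint out of band before they reconnect.
/ip/ssh/regenerate-host-key

# Confirm the running settings.
/ip/ssh/print
```

password-authentication is left at its default, yes-if-no-key, which already refuses password login for any user that has a public key imported.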

Commands

export-host-key (key-file-prefix)

Export the public and private RSA/Ed25519 host keys to files. The command takes two parameters:

  • key-file-prefix - prefix for the generated files; for example, prefix 'my' generates the files 'my_rsa', 'my_rsa.pub', etc.
  • passphrase - private key passphrase (sensitive)

Info: Host keys are exported in PKCS#8 format.

Warning: Exporting the SSH host key requires the "sensitive" user policy.


import-host-key (private-key-file)

Import and replace the private RSA/Ed25519 host key from the specified file. The command takes two parameters:

  • private-key-file - name of the private RSA/Ed25519 key file
  • passphrase - private key passphrase (sensitive)

Info: The private key is supported in PEM or PKCS#8 format.


regenerate-host-key ()

Generate a new set of private host keys (RSA/Ed25519) and replace the current set on the router. Be aware that previously imported keys might stop working.

Enabling PKI authentication

Example of importing a public key for user admin

Generate an SSH key pair on the client device (the device you will connect from). Upload the public SSH key to the router and import it for the user:

More information about supported SSH keys can be found in the User SSH keys section.

/user/ssh-keys/import public-key-file=id_rsa.pub user=admin

SSH key pair generation

RouterOS does not support direct SSH key generation of the kind available on Linux systems.

To obtain an SSH key pair from the router itself, export the device's SSH host key (the host key pair is generated automatically on the first SSH connection).

SSH Client

Sub-menu: /system/ssh

Simple log-in to remote host

The router's SSH client can connect to a remote host and start an ssh session. The address may be either IPv4 or IPv6.

/system/ssh 192.168.88.1
/system/ssh 2001:db8:add:1337::beef

In this case the user name sent to the remote host is the one currently logged in to the router. If another name is required, add user=<username>.

/system/ssh 192.168.88.1 user=lala
/system/ssh 2001:db8:add:1337::beef user=lala

Log-in from certain IP address of the router

For testing or security reasons it may be necessary to log in to another host from a specific source address. In this case the src-address=<ip address> argument has to be used. Note that this address also supports both IPv4 and IPv6.

/system/ssh 192.168.88.1 src-address=192.168.89.2
/system/ssh 2001:db8:add:1337::beef src-address=2001:db8:bad:1000::2

In this case the ssh client binds to the specified address and then initiates the ssh connection to the remote host.

Log-in using SSH key

Example of importing an RSA private key for user admin.

First, export the router's currently generated host keys to files:

/ip/ssh/export-host-key key-file-prefix=admin

Two files, admin_rsa and admin_rsa.pub, will be generated. The .pub file needs to be trusted on the SSH server side (see Enabling PKI authentication above for a RouterOS server). The private key has to be added for the particular user:

/user/ssh-keys/private/import user=admin private-key-file=admin_rsa

Danger: Only a user with full rights on the router can change the 'user' attribute value under /user/ssh-keys/private.

After the public key is installed and trusted on the SSH server, a PKI SSH session can be created.

/system/ssh 192.168.1.1


Executing remote commands

To execute a remote command, supply it at the end of the log-in line:

/system/ssh 192.168.88.1 "/ip/address/print"
/system/ssh 192.168.88.1 command="/ip/address/print"
/system/ssh 2001:db8:add:1337::beef "/ip/address/print"
/system/ssh 2001:db8:add:1337::beef command="/ip/address/print"
Danger: If the server does not support a pseudo-tty (ssh -T, or "ssh host command"), as is the case with the MikroTik ssh server, multiline commands cannot be sent via SSH.

For example, sending the command "/ip/address \n add address=1.1.1.1/24" to a MikroTik router will fail.

Warning: If you wish to execute remote commands from scripts or the scheduler, use the ssh-exec command.

SSH exec

Sub-menu: /system/ssh-exec

The ssh-exec command is a non-interactive ssh command, which allows commands to be executed remotely on a device from scripts and the scheduler.

Retrieve information

The command will return two values:

  • exit-code: returns 0 if the command execution succeeded
  • output: returns the output of the remotely executed command

Example: the script below retrieves the interface status of ether1 from device 10.10.10.1 and writes the result to the log.

:local Status ([/system/ssh-exec address=10.10.10.1 user=remote command=":put ([/interface/ethernet/monitor [find where name=ether1] once as-value]->\"status\")" as-value]->"output")
:log info $Status
Warning: For security reasons you should not pass a plain-text password with the "password" parameter on the command line. To execute commands remotely safely, it is strongly recommended to use SSH PKI authentication for the users on both sides.

Caution: The user group and the script policy executing the command require the "test" permission.
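An added example (not from the RouterOS documentation) that wraps the ssh-exec call above for unattended use from the scheduler: it checks exit-code before trusting output and logs failures instead of silently acting on empty data. It reuses the address 10.10.10.1, user "remote" and the monitor command from the example, and assumes that user "remote" authenticates with an imported private key, so no password parameter is needed.

```routeros
# Added example, not part of the RouterOS documentation.
# Assumptions: 10.10.10.1 is reachable, user "remote" has a private key imported under
# /user/ssh-keys/private, and the script policy includes "test" (required by ssh-exec).
:local remoteHost "10.10.10.1"
:local remoteUser "remote"
:local remoteCmd ":put ([/interface/ethernet/monitor [find where name=ether1] once as-value]->\"status\")"

:local result
:do {
    # as-value returns an array with "exit-code" and "output"
    :set result [/system/ssh-exec address=$remoteHost user=$remoteUser command=$remoteCmd as-value]
} on-error={
    # Connection or authentication failure: nothing was executed remotely.
    :log error ("ssh-exec to " . $remoteHost . " failed before the command ran")
    :error "ssh-exec failed"
}

:local code ($result->"exit-code")
:local out ($result->"output")

:if ($code != 0) do={
    # The remote command ran but failed; do not act on its output.
    :log warning ("remote command on " . $remoteHost . " returned exit-code " . $code . ": " . $out)
} else={
    :log info ("ether1 on " . $remoteHost . " is " . $out)
}
```

Because :error aborts the script, a scheduler entry running it will also record the failure in the log, which is the event to alert on.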
