The newest version of OpenSSH 7+ has two incompatibilities with Mikrotik default SSH settings. This is the version on Ubuntu 16.04 that has this issue:
spin@heisenberg:~⟫ ssh -V
OpenSSH_7.2p2 Ubuntu-4ubuntu1, OpenSSL 1.0.2g-fips 1 Mar 2016
It doesn't seem as if this version is on 14.04. Not sure about other versions of Ubuntu.
Issue 1 - It no longer supports ssh-dss type keys.
This is how it looks:
spin@heisenberg:~⟫ ssh rb1.saturn.ctwug.za.net
Unable to negotiate with 172.18.65.254 port 22: no matching host key type found. Their offer: ssh-dss
To fix this you need to add the
Issue 2 - The minimum Diffie-Hellman key size for group exchange has been raised
spin@heisenberg:~⟫ ssh -oHostKeyAlgorithms=+ssh-dss rb1.saturn.ctwug.za.net
ssh_dispatch_run_fatal: Connection to 172.18.65.254 port 22: DH GEX group out of range
To fix that you need to add another option:
Then you end up with:
spin@heisenberg:~⟫ ssh -oHostKeyAlgorithms=+ssh-dss -oKexAlgorithms=diffie-hellman-group1-sha1 rb1.saturn.ctwug.za.net
MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK
MikroTik RouterOS 6.15 (c) 1999-2014 http://www.mikrotik.com/
[?] Gives the list of available commands
command [?] Gives help on the command and list of arguments
[Tab] Completes the command/word. If the input is ambiguous,
a second [Tab] gives possible options
/ Move up to base level
.. Move up one level
/command Use command at the base level
Possible improvement to Mikrotik configs to avoid this:
We should probably enable strong crypto as part of WMS on all WMS managed rbs:
/ip ssh set strong-crypto=yes
I will do this if nobody has any objections. This is only available from ROS 6.31 onwards.
Mikrotik post on this topic.
Also see OpenSSH legacy options.