OpenSSH 7+ has two incompatibilities with the default Mikrotik SSH settings. This is the version on Ubuntu 16.04 that has this issue:
spin@heisenberg:~⟫ ssh -V
OpenSSH_7.2p2 Ubuntu-4ubuntu1, OpenSSL 1.0.2g-fips 1 Mar 2016
It doesn’t seem as if this version is on 14.04. Not sure about other versions of Ubuntu.
Issue 1 - It no longer supports ssh-dss type keys.
This is how it looks:
spin@heisenberg:~⟫ ssh rb1.saturn.ctwug.za.net
Unable to negotiate with 172.18.65.254 port 22: no matching host key type found. Their offer: ssh-dss
To fix this you need to add the -oHostKeyAlgorithms=+ssh-dss option.
Issue 2 - The minimum Diffie-Hellman key size for group exchange has been raised
This is what that looks like:
spin@heisenberg:~⟫ ssh -oHostKeyAlgorithms=+ssh-dss rb1.saturn.ctwug.za.net
ssh_dispatch_run_fatal: Connection to 172.18.65.254 port 22: DH GEX group out of range
To fix that you need to add another option:
-oKexAlgorithms=diffie-hellman-group1-sha1
Then you end up with:
spin@heisenberg:~⟫ ssh -oHostKeyAlgorithms=+ssh-dss -oKexAlgorithms=diffie-hellman-group1-sha1 rb1.saturn.ctwug.za.net
spin@rb1.saturn.ctwug.za.net's password:
  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 6.15 (c) 1999-2014       http://www.mikrotik.com/

[?]             Gives the list of available commands
command [?]     Gives help on the command and list of arguments

[Tab]           Completes the command/word. If the input is ambiguous,
                a second [Tab] gives possible options

/               Move up to base level
..              Move up one level
/command        Use command at the base level
[spin@Saturn-Main] >
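Added example, not part of the original post: a small shell helper that turns the two errors above into a per-host stanza for ~/.ssh/config, so the legacy algorithms apply only to the router that needs them instead of being typed on every command line. The function names and the probe's connection options (BatchMode, ConnectTimeout, PreferredAuthentications=none) are assumptions chosen for this sketch.

```shell
#!/bin/sh
# Added example: map the two negotiation errors from this page to the
# ssh_config lines that work around them, scoped to a single host.

# legacy_options TEXT: one ssh_config line per legacy option TEXT calls for.
legacy_options() {
    case "$1" in
        *"no matching host key type found"*ssh-dss*)
            echo "HostKeyAlgorithms +ssh-dss" ;;
    esac
    case "$1" in
        *"DH GEX group out of range"*)
            # No leading "+", as on the page: the list is replaced, not extended.
            echo "KexAlgorithms diffie-hellman-group1-sha1" ;;
    esac
}

# host_stanza HOST TEXT: a Host block for ~/.ssh/config, or nothing when
# TEXT contains neither error.
host_stanza() {
    opts=$(legacy_options "$2")
    [ -n "$opts" ] || return 0
    echo "Host $1"
    echo "$opts" | sed 's/^/    /'
}

# probe HOST (needs network): the second error only shows up once the
# first is worked around, so retry with the options found so far.
# PreferredAuthentications=none ends the attempt without logging in.
probe() {
    seen=""
    for _try in 1 2 3; do
        args=$(legacy_options "$seen" | sed 's/^/-o/; s/ /=/')
        # $args is left unquoted on purpose so each -o option is one word.
        err=$(ssh -o BatchMode=yes -o ConnectTimeout=5 \
                  -o PreferredAuthentications=none $args "$1" 2>&1) || true
        [ -n "$(legacy_options "$err")" ] || break
        seen="$seen
$err"
    done
    host_stanza "$1" "$seen"
}

# Offline demo using the two error lines quoted in the post.
E1='Unable to negotiate with 172.18.65.254 port 22: no matching host key type found. Their offer: ssh-dss'
E2='ssh_dispatch_run_fatal: Connection to 172.18.65.254 port 22: DH GEX group out of range'
host_stanza rb1.saturn.ctwug.za.net "$E1
$E2"
```

A router that prints no stanza from probe no longer needs either option, which makes the helper usable for tracking which rbs have already been moved to strong-crypto.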
Possible improvement to Mikrotik configs to avoid this:
We should probably enable strong crypto as part of WMS on all WMS managed rbs:
/ip ssh set strong-crypto=yes
I will do this if nobody has any objections. This is only available from ROS 6.31 onwards.
Mikrotik post on this topic.
Also see OpenSSH legacy options.