Restoring ssh password logins in RouterOS

Yeah, I’m that far in now. Decided it would be nice to be able to authenticate to my new Mikrotik router with a certificate so I could do things like automated backups of the configuration. Ugh.

The RouterOS documentation is really a mess, and none of the commercially printed books, forums or varied bloggers are much better. It’s basically Red Hat before they buckled down and hired some professional documentation authors to straighten out the morass and fill in the blanks (a lot of the documentation for the last few versions of RHEL list the lead engineers over the particular subject area as authors, but it’s clear that there are professional writers in the editor’s chair).

The instructions for importing a public key into a particular user’s account (in my case the admin user), make it look easy: except they don’t work either at the command line or in the web console (WebFig). My guess is there’s some secret sauce in WinBox that they just didn’t decide was worth actually getting to work properly over either ssh or in WebFig.

Anyway, I finally was able to get the DSA (yes, that’s right DSA — because apparently the Mikrotik developer responsible for this subsystem somehow missed the news that DSA was declared insecure awhile ago) public key I created on FreeBSD imported by repeatedly clicking on import.

Of course I had to refresh the web interface a few times to get it to acknowledge the change (OK, I actually logged out and back in again after a couple of refreshes failed), but then I discovered that I couldn’t log in as admin over ssh using a password — which is damned inconvenient for living room chair router administration. Having been in the IT game for a couple of decades I guessed that Mikrotik had made the leap of faith in their system design that importing a public key into admin’s keystore automatically meant you no longer wanted password logins. I was right, of course.

[admin@ros] > /ip ssh print
            forwarding-enabled: no
   always-allow-password-login: no

Well, f* me.

Fixing the problem was a bit difficult since no one on the Internet, including Mikrotik’s own wiki-as-product-documentation made no mention of it. As it turned out I had to screw around for awhile to determine the command and syntax to turn it back on.

Here is it boys and girls:

[admin@ros] > /ip ssh
[admin@ros] > set always-allow-password-login=yes

To confirm:

[admin@ros] > /ip ssh print
            forwarding-enabled: no
   always-allow-password-login: yes

For my next trick I’m going to make a note never never to back out of a change in RouterOS without first doing an export, and to add to my growing list of RouterOS projects finding some way to back up the damned files folder.

This entry was posted in System Administration on by .

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).