The SSH_PRIVATE_KEY build argument is passed when issuing the build command with --build-arg or in the build block of your docker-compose.yml file. Because that ARG is consumed only in an intermediate stage of a multi-stage build and is not referenced in the final image, its value does not appear in the final image's layers or in the docker history output; an ARG referenced in the final stage is recorded there and visible to anyone holding the image, so build arguments are not a safe channel for secrets in general (BuildKit's --mount=type=ssh is the purpose-built alternative). If you are running Windows and PuTTYTray for SSH, you can use the built-in key generator from PuTTY to create a new key pair. Click the Keygen button at the bottom of the PuTTY Configuration window to get started. Then in the Key Generator window, check that the Type of key.
In /home/petri/.ssh/ I have my private key called petri. When I try to connect to my server using ssh, it does not accept my private key. Running with -v shows that it is not trying my key petri, but just the non-existent id_rsa and id_dsa.

Steps to log in to SSH without a password. Step 1: Generate an SSH key pair. On our local machine, we can generate an SSH key pair with the following command: $. Step 2: Provide a passphrase (optional). Next, we are presented with a prompt that asks us for a passphrase that can be. Step 3: Configure.

The ssh -i option selects a file from which the identity (private key) for RSA or DSA authentication is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file (IdentityFile). This is why a key stored under a non-default name, such as the petri key above, is never offered: it has to be named explicitly with -i or with an IdentityFile entry. Current OpenSSH releases no longer support protocol version 1 and also try ~/.ssh/id_ecdsa and ~/.ssh/id_ed25519 by default, among others.
Configuration
The following example uses an RSA key pair; it allows you to run scripts and log in from a remote machine to RouterOS using public/private key authentication.
Host to RouterOS
Note: commands are run using FreeBSD - should be similar on other platforms.
1) Create a key using ssh-keygen
This creates an RSA key pair that is compatible with MikroTik RouterOS.
Note: Make sure to leave the passphrase blank if you are going to be using this key in automated scripts. You do not want to be prompted for a password. Just make sure you keep your private key private (enough said?)!
Warning: Recent OpenSSH versions write the private key in the newer OpenSSH container format by default. Add '-m pem' to ssh-keygen so the key is written in PEM format; otherwise you will not be able to import it into RouterOS!
2) Upload the generated key (public) to the target device:
Example: Upload key via FTP
3) Now, from either Winbox or terminal mode, import the key. An example using terminal mode is given.
The user field of the import command determines which user account will be logged in when you present the key. For security reasons you should never use the 'admin' account (you knew that right?). Create a separate user account that carries only the policies it needs.
Now that you've created a key pair and imported the public key into RouterOS you can start running commands from your remote machine.
Note: If you wish to be able to run ssh / ssh-exec commands from one RouterOS device to another, follow the additional steps below
RouterOS to RouterOS
4) Create a new group with policies:
5) Create a new user and assign the previously created group:
6) Upload the private and public keys to the device from which you wish to run ssh commands with RSA authentication
7) Import both keys for the user:
Now you should be able to authenticate from this device to any other device that has a user with the corresponding public key imported.
Note: You can disable password login for users that have an SSH key imported using '/ip ssh set always-allow-password-login=no'
Save a Host key
Since v6.45.1 (stable), RouterOS allows the user to keep the SSH host key across device resets. Use the following configuration line:
To execute a command with ssh you have to enclose the command in quotes, to tell the local shell which characters belong to a single parameter. If you use double quotes, every double quote inside them has to be escaped with a backslash (\").
Another special character that needs escaping inside double quotes is the dollar sign $, because shells like bash or sh use it for variable expansion; otherwise the local shell substitutes the variable before ssh ever sends the command. Inside single quotes nothing is expanded, so a single-quoted command reaches the remote side exactly as typed.
All other characters the local shell interprets (backticks, semicolons, globs, redirections) have to be escaped as well.
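The double parse described above is easiest to see by simulating it. The following is an added example, not part of the RouterOS page: fake_ssh stands in for ssh itself (it joins its arguments with spaces and hands the string to a second shell, which is what ssh does on the remote side), and the "remote" side is distinguished by a different value of the constructed variable MARK. It also shows why this matters for security: data interpolated into the command unquoted is executed by the remote shell, and shell_quote is the fix.

```sh
# Added example (not from the RouterOS page): the two parses a command string
# goes through when run via ssh. fake_ssh stands in for ssh: like ssh, it joins
# its arguments with spaces and hands the result to a remote login shell. The
# "remote" side is simulated locally with MARK=remote so the passes differ.
MARK=local
export MARK

fake_ssh() {
    # ssh concatenates its command arguments with single spaces and sends
    # the resulting string to the remote shell, which parses it a second time.
    MARK=remote sh -c "$*"
}

# Four ways of writing "print MARK on the remote side":
unquoted()      { fake_ssh echo $MARK; }       # local shell expands it: local
double_quoted() { fake_ssh "echo $MARK"; }     # double quotes still expand: local
escaped()       { fake_ssh "echo \$MARK"; }    # backslash defers it: remote
single_quoted() { fake_ssh 'echo $MARK'; }     # single quotes defer it: remote

# A double quote inside double quotes must be escaped; the remote shell then
# sees: echo "a b"
nested_double() { fake_ssh "echo \"a b\""; }

# The second parse is also an injection primitive: data containing shell
# metacharacters is executed remotely if it is interpolated unquoted.
unsafe_remote() { fake_ssh ls "$1"; }

# Quote one argument for the remote shell: wrap it in single quotes and turn
# every embedded ' into '\'' (close quote, escaped quote, reopen quote).
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}
safe_remote() { fake_ssh ls "$(shell_quote "$1")"; }

# Against the router it would read (not executed here; host/user assumed):
#   ssh automation@router "/system script run \"backup script\""
```

Run the functions to compare: unquoted and double_quoted print "local", escaped and single_quoted print "remote", and unsafe_remote 'nonexistent; echo PWNED' runs the second command on the "remote" side while safe_remote passes the whole string as one file name.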
Since OpenSSH 7.0 the DSA (ssh-dss) public key algorithm is considered weak and is disabled by default. To use it, it needs to be enabled explicitly: put PubkeyAcceptedKeyTypes +ssh-dss in your ~/.ssh/config file (OpenSSH 8.5 and later call the option PubkeyAcceptedAlgorithms but still accept the old name). Note that OpenSSH 9.8 disables DSA at compile time by default and OpenSSH 10.0 removed it entirely, so on current clients DSA keys cannot be re-enabled at all.
Also, to be able to connect to older versions of RouterOS you may need to use the additional ssh parameters -o KexAlgorithms=diffie-hellman-group14-sha1 -o HostKeyAlgorithms=+ssh-dss
Otherwise, use RSA.
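The client-side half of the RouterOS procedure (key generation with -m pem from step 1, the per-host client configuration, and the legacy-algorithm options from the paragraph just above), collected into one script as an added example. This is my own code, not the MikroTik wiki's: the host name "router", the user "automation", the key path and the config stanza are assumptions, and the same IdentityFile/IdentitiesOnly stanza is also the answer to the non-default key name problem at the top of the page.

```sh
# Added example (mine, not the wiki's): the RouterOS key workflow from the
# client side. Host "router", user "automation", key path and the ssh_config
# stanza are assumptions; adjust them to your environment.

# Return 0 when the private key uses the legacy PEM container
# (-----BEGIN RSA PRIVATE KEY-----) that RouterOS can import, 1 when it is
# in the newer OpenSSH container that current ssh-keygen writes by default.
is_pem_private_key() {
    head -n 1 "$1" | grep -q '^-----BEGIN RSA PRIVATE KEY-----'
}

# Generate the key pair. -m pem forces the PEM container; -N '' leaves the key
# without a passphrase, as the page requires for unattended scripts, so the
# file itself is the secret and gets 0600 permissions.
make_routeros_key() {
    keyfile="$1"
    ssh-keygen -q -t rsa -b 2048 -m pem -N '' -C "routeros-automation" -f "$keyfile" \
        && chmod 600 "$keyfile"
}

# Per-host client configuration: pin the key with IdentitiesOnly so ssh does
# not offer other identities first (this also fixes a key with a non-default
# name). The legacy block re-enables the algorithms older RouterOS versions
# need and only works on clients that still ship DSA support; leave it off
# for current firmware.
write_ssh_config_stanza() {
    host="$1"; user="$2"; keyfile="$3"; legacy="$4"
    printf 'Host %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$host" "$user" "$keyfile"
    if [ "$legacy" = yes ]; then
        printf '    KexAlgorithms diffie-hellman-group14-sha1\n'
        printf '    HostKeyAlgorithms +ssh-dss\n'
        printf '    PubkeyAcceptedKeyTypes +ssh-dss\n'
    fi
}

# Full procedure (needs a reachable router; not run automatically):
# 1) make_routeros_key "$HOME/.ssh/routeros_rsa"
# 2) upload the public key; the page uses FTP, and (assumption) scp to the
#    router's file store works as well:
#      scp "$HOME/.ssh/routeros_rsa.pub" admin@router:
# 3) import it on the router for the dedicated, non-admin user:
#      /user ssh-keys import public-key-file=routeros_rsa.pub user=automation
# 4) write_ssh_config_stanza router automation "$HOME/.ssh/routeros_rsa" no >> "$HOME/.ssh/config"
# 5) ssh router '/system identity print'
```

is_pem_private_key is the check to run before uploading a key to a RouterOS device: if it fails, the key was generated without -m pem and the import will be rejected.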
These are my notes (mostly for myself!) on getting SSH authentication through GPG under a variety of Windows 10 environments like native SSH (see C:\Windows\System32\OpenSSH\*), Windows Subsystem for Linux (WSL) and MinGW / Git Bash. Why? So you have a single, GPG-based identity on a secure, removable hardware key store like an OpenPGP card (e.g. YubiKey 5) and your SSH keys are derived from that GPG identity. No naked RSA SSH keys floating around on disk.
This document does NOT cover generating the GPG keys or moving the GPG profile and keys to the Yubikey. If you want that, see this.
NOTE: Everywhere here, replace sid with your username as appropriate, e.g. C:\Users\sid becomes C:\Users\<yourusername>
Overall idea
The core idea is to install and set up gpg natively on Windows 10. We use gpg-agent to perform SSH authentication via the Pageant protocol. So we’ll be building bridges (via sockets and named pipes) to make those cross-environment connections. The complexity comes from the fact that the ends of those bridges (sockets and named pipes) are incompatible, the openssh (non-Pageant) ssh authentication protocol is unreliable, and there are multiple SSH installations in most cases.
Windows 10 setup
I actually already had gpg4win but it simply wouldn’t prompt me for the GPG PIN, i.e. authentication failed no matter what I tried. After struggling with this for a day, I uninstalled it completely and started fresh. In addition to having your private key on the YubiKey, it is highly recommended that you have an air-gapped or offline backup of your public and private keys.
- [Optional] Uninstall gpg4win and then delete the C:\Users\sid\.gnupg and C:\Users\sid\AppData\Roaming\gnupg folders.
- Install gpg4win (download).
- Re-import your GPG public key and private key into GPG per this guide. The actual private key stays on the OpenPGP card; only a stub pointing to it is imported into GPG.
- Edit %APPDATA%\gnupg\gpg-agent.conf to contain enable-putty-support
- Download WSL-SSH-Pageant and install it somewhere, e.g. C:\tools\wsl-ssh-pageant
- Start the bridge on the Windows side with C:\tools\wsl-ssh-pageant\wsl-ssh-pageant-amd64-gui.exe -systray -verbose -wsl C:\tools\wsl-ssh-pageant\wsl-ssh-agent.sock
- Start Windows’ GPG agent with the following PowerShell command: & 'C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe' /bye
Automating it
To start the above bridge automatically at startup, do this:
- Open C:\Users\sid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
- Put one shortcut there that runs 'C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe' /bye
- Put another shortcut there that runs 'C:\tools\wsl-ssh-pageant\start wsl-ssh-pageant.bat'
- Create a file C:\tools\wsl-ssh-pageant\start wsl-ssh-pageant.bat which has the following. This ensures that a permanent terminal window isn’t left dangling.
If you don’t have the newer cross-platform PowerShell (pwsh) used in the above command, install it from here (preferred) or use the older powershell.exe.
SSH auth in WSL
This routes WSL’s SSH authentication across to GPG’s SSH agent using the bridge we set up earlier.
- Issue this command in a WSL terminal: export SSH_AUTH_SOCK=/mnt/c/tools/wsl-ssh-pageant/wsl-ssh-agent.sock
- Test with something like ssh sid@lab-linux13-ubuntu18. You should see a GUI PIN prompt on the Windows 10 side.
Automating it
Open a WSL terminal and edit the ~/.profile file to add
SSH auth in Windows 10
Windows 10 now ships with a native OpenSSH client that lives in C:\Windows\System32\OpenSSH. If you just want to open a command prompt or PowerShell window and ssh away, this is for you.
- Run $env:SSH_AUTH_SOCK='\\.\pipe\winssh-pageant' in PowerShell (the pipe name must match the one given to wsl-ssh-pageant with its -winssh option).
- Test with something like ssh sid@lab-linux13-ubuntu18. You should see a GUI PIN prompt on the Windows 10 side.
Make GIT use SSH + GPG
Chances are you also want to be able to issue a git command in a regular Windows terminal for your work, e.g. git fetch. The issue is that there are two SSHs even on the pure native Windows 10 side: one in C:\Windows\System32\OpenSSH and the other installed by Git at C:\Program Files\Git\usr\bin, and Git will use its own version rather than the one we just set up above.
To fix that, open a Windows PowerShell terminal and type $env:GIT_SSH='C:\Windows\System32\OpenSSH\ssh.exe', then test that it works by issuing git fetch from a suitable git repository (make sure the remote has your corresponding SSH public key registered). If all works, you should see the PIN prompt.
Automating it
- Windows 10 Start Button -> type environment variables -> Edit environment variables for your account -> User variables for sid -> New. Name = SSH_AUTH_SOCK and value = \\.\pipe\winssh-pageant -> Ok
- Repeat with Name = GIT_SSH and value = C:\Windows\System32\OpenSSH\ssh.exe -> Ok
SSH auth in Git-Bash (mingw)
When you install Git for Windows, you get a bash shell that’s based off “Minimalist GNU for Windows” (MinGW), a minimalist development environment for Windows. Git runs within that.
- Run eval $(/usr/bin/ssh-pageant -r -a "/tmp/.ssh-pageant-$USERNAME") (double quotes, so that $USERNAME is expanded by the shell; in single quotes the socket would literally be named after the string $USERNAME).
- Test with something like ssh sid@lab-linux13-ubuntu18. You should see a GUI PIN prompt on the Windows 10 side.
If you’re using SourceTree, switch to putty SSH authentication and
Automating it
Just add the following to your git-bash’s ~/.bashrc or .profile file
WSL setup for running GPG
If all you care about is SSH on WSL using gpg-agent on Windows, then the SSH auth bridge setup above is all you need; you do not need this additional bridge. But if you want to use the gpg binary within WSL (e.g. for encrypting files), then you need another bridge to carry the gpg-agent communication into the Windows world.
- Download npiperelay (link) with GPG support and unzip it to something like C:\tools\npiperelay\npiperelay.exe
- Install socat with sudo apt install socat
- In WSL run (it’s all one line; the outer quotes must be double quotes so that $HOME is expanded, and the trailing & keeps the relay running in the background):
socat UNIX-LISTEN:"$HOME/.gnupg/S.gpg-agent,fork" EXEC:"/mnt/c/tools/npiperelay/npiperelay.exe -ei -ep -s -a 'C:/Users/sid/AppData/Roaming/gnupg/S.gpg-agent'",nofork &
- Test by running gpg --card-status in WSL; it should work.
Automating it
Add the following to the end of your WSL’s ~/.profile file
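The three "Automating it" snippets the post leaves to the reader (the ~/.profile addition for SSH in WSL, the ~/.bashrc addition for Git Bash, and the ~/.profile addition for the gpg relay) can be one file sourced from either shell. The following is an added example of my own, not the post's code: it detects whether it is running in WSL or Git Bash, sets SSH_AUTH_SOCK to the matching bridge only if the bridge is actually present, and starts the socat/npiperelay bridge at most once. The paths repeat the ones used on the page (sid's profile, C:\tools) and are assumptions for your machine.

```sh
# Added example (mine, not from the blog): one snippet for ~/.profile in WSL
# and ~/.bashrc in Git Bash that wires SSH_AUTH_SOCK to the right bridge and,
# in WSL, starts the gpg-agent relay once. The paths repeat the page's
# examples (sid's profile, C:\tools) and are assumptions for your machine.
WSL_SSH_SOCK=/mnt/c/tools/wsl-ssh-pageant/wsl-ssh-agent.sock
NPIPERELAY=/mnt/c/tools/npiperelay/npiperelay.exe
WIN_GPG_SOCK='C:/Users/sid/AppData/Roaming/gnupg/S.gpg-agent'

# Classify the shell from uname -s and WSL_DISTRO_NAME (both passed in as
# arguments so the logic is testable): prints wsl, msys or other.
shell_env() {
    case "$1" in
        MINGW*|MSYS*) echo msys ;;
        Linux) if [ -n "$2" ]; then echo wsl; else echo other; fi ;;
        *) echo other ;;
    esac
}

# Use the bridge socket only if it exists; otherwise keep the current
# SSH_AUTH_SOCK so a plain ssh-agent keeps working while the bridge is down.
choose_auth_sock() {
    if [ -e "$1" ]; then echo "$1"; else echo "$2"; fi
}

# Start the gpg-agent relay at most once per session. A stale socket file left
# by an earlier session makes UNIX-LISTEN fail, so it is removed first; the
# relay replaces any WSL-native gpg-agent socket on purpose. If your gpg puts
# its socket elsewhere, 'gpgconf --list-dirs agent-socket' prints the path.
start_gpg_relay() {
    pgrep -f "npiperelay.exe.*S.gpg-agent" >/dev/null 2>&1 && return 0
    rm -f "$HOME/.gnupg/S.gpg-agent"
    socat UNIX-LISTEN:"$HOME/.gnupg/S.gpg-agent,fork" \
        EXEC:"$NPIPERELAY -ei -ep -s -a '$WIN_GPG_SOCK'",nofork >/dev/null 2>&1 &
}

case "$(shell_env "$(uname -s)" "${WSL_DISTRO_NAME:-}")" in
    wsl)
        SSH_AUTH_SOCK=$(choose_auth_sock "$WSL_SSH_SOCK" "${SSH_AUTH_SOCK:-}")
        export SSH_AUTH_SOCK
        start_gpg_relay
        ;;
    msys)
        # ssh-pageant prints the export lines itself; -r reuses a live socket,
        # and the socket name is expanded by this shell, hence double quotes.
        [ -x /usr/bin/ssh-pageant ] && eval "$(/usr/bin/ssh-pageant -r -a "/tmp/.ssh-pageant-$USERNAME")"
        ;;
esac
```

Source it from ~/.profile (WSL) and ~/.bashrc (Git Bash); on any other system the case statement matches nothing and the file is a no-op.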
Ending comments – Yubico and the state of the ecosystem
Overall, I’m rather disappointed with the quality of software and how they all (don’t) interoperate smoothly. I also contacted Yubico to see if they had any internal documentation, since external documentation about this was sparse. Astonishingly, they just sent back unrelated links to 3rd party blog posts. If git for Windows, OpenSSH, and GPG don’t work well out of the box, Yubico should be stepping up and providing guidance to smooth that journey, since they’re selling security devices that are heavily dependent on that ecosystem.
Troubleshooting
Windows 10’s default OpenSSH Authentication Agent service was disabled, but it is unclear whether this is actually required:
Start button -> Services -> OpenSSH Authentication Agent -> Stop