- SSH Server
- Properties
- Enabling PKI authentication
- SSH Client
- Simple log-in to remote host
- Log-in from certain IP address of the router
- Log-in using RSA public/private key
- Executing remote commands
- SSH exec
- Retrieve information
- How to set up SSH port forwarding on a router – Step-by-Step Guide for Beginners
- Scenario of SSH port forwarding
- What is port forwarding?
- How to set up SSH port forwarding
SSH Server
RouterOS has a built-in SSH server that is enabled by default and listens for incoming connections on TCP port 22. The port can be changed and the server can be disabled under the Services menu.
Properties
Sub-menu: /ip ssh
- forwarding-enabled — controls whether SSH clients may use the router as a forwarding endpoint; one of:
  - no — SSH forwarding is disabled;
  - local — allow SSH clients to originate connections from the server (router); this setting also controls dynamic forwarding;
  - remote — allow SSH clients to listen on the server (router) and forward incoming connections;
  - both — allow both local and remote forwarding methods.
- strong-crypto — when enabled, use stronger encryption, hashing and key-exchange settings:
  - prefer 256 and 192 bit encryption instead of 128 bits;
  - disable null encryption;
  - prefer sha256 for hashing instead of sha1;
  - disable md5;
  - use a 2048-bit prime for the Diffie-Hellman exchange instead of 1024-bit.
The following parameters are used when exporting and importing keys (see the sections below):
- key-file-prefix — prefix for the generated key files; for example, the prefix 'my' generates the files 'my_rsa', 'my_rsa.pub', etc.
- private-key-file — name of the private RSA/Ed25519 key file to import under /user ssh-keys private
Enabling PKI authentication
Example of importing a public key for user admin
Generate the SSH key pair on the client device (the device you will connect from). Upload the public key to the router and import it for the user:
/user ssh-keys import public-key-file=id_rsa.pub user=admin
SSH Client
Sub-menu: /system ssh
Simple log-in to remote host
The client can connect to a remote host and initiate an SSH session. The address may be either IPv4 or IPv6.
/system ssh 192.168.88.1
/system ssh 2001:db8:add:1337::beef
In this case the user name sent to the remote host is that of the user currently logged into the router. If a different user name is required, the user= argument has to be used.
/system ssh 192.168.88.1 user=lala
/system ssh 2001:db8:add:1337::beef user=lala
Log-in from certain IP address of the router
For testing or security reasons it may be required to log in to another host using a specific source address for the connection. In this case the src-address= argument has to be used. The address may again be either IPv4 or IPv6.
/system ssh 192.168.88.1 src-address=192.168.89.2
/system ssh 2001:db8:add:1337::beef src-address=2001:db8:bad:1000::2
In this case the SSH client binds to the specified address and then initiates the SSH connection to the remote host.
Log-in using RSA public/private key
Example of importing a private key for user admin
First, export the currently generated SSH host keys to files:
/ip ssh export-host-key key-file-prefix=admin
Two files, admin_rsa and admin_rsa.pub, will be generated. The .pub file needs to be trusted on the SSH server side (for a RouterOS server, see Enabling PKI authentication above). The private key has to be added for the particular user:
/user ssh-keys private import user=admin private-key-file=admin_rsa
Only a user with full rights on the router can change the 'user' attribute value under /user ssh-keys private.
After the public key is installed and trusted on the SSH server, a PKI SSH session can be created.
Executing remote commands
To execute a remote command, supply it at the end of the log-in line, either as a bare string or via the command= argument:
/system ssh 192.168.88.1 "/ip address print"
/system ssh 192.168.88.1 command="/ip address print"
/system ssh 2001:db8:add:1337::beef "/ip address print"
/system ssh 2001:db8:add:1337::beef command="/ip address print"
If the server does not support a pseudo-tty (the equivalent of ssh -T or ssh host command), as is the case with the MikroTik SSH server, then it is not possible to send multiline commands via SSH.
For example, sending the command «/ip address \n add address=1.1.1.1/24» to a MikroTik router will fail.
If you wish to execute remote commands from scripts or the scheduler, use the ssh-exec command.
SSH exec
Sub-menu: /system ssh-exec
ssh-exec is a non-interactive SSH command, which allows commands to be executed remotely on a device from scripts and the scheduler.
Retrieve information
The command returns two values:
- exit-code — 0 if the remote command executed successfully
- output — the output of the remotely executed command
Example: the script below retrieves the interface status of ether1 from device 10.10.10.1 and writes the result to the Log.
:local Status ([/system ssh-exec address=10.10.10.1 user=remote command=":put ([/interface ethernet monitor [find where name=ether1] once as-value]->\"status\")" as-value]->"output")
:log info $Status
For security reasons, plain-text password input is not allowed. To execute the command remotely, use SSH PKI authentication for the users on both sides.
The user group and the script policy executing the command require the test permission.
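The one-liner above uses the output without looking at exit-code. The following scheduler-ready script is an added example, not code from the original page: it polls ether1 on the remote router and checks exit-code before logging output. It assumes a remote router at 10.10.10.1 with a RouterOS user named remote whose public key has been imported there, a matching private key under /user ssh-keys private for the local user, and a script policy that includes test.

```routeros
# Added example (not from the original page): poll ether1 on a remote router
# via non-interactive ssh-exec and act on exit-code before trusting output.
# Assumptions: remote router 10.10.10.1, remote user "remote" authenticated
# with SSH PKI (no password), script/scheduler policy including "test".
:local remote "10.10.10.1"
:local result [/system ssh-exec address=$remote user=remote command=":put ([/interface ethernet monitor [find where name=ether1] once as-value]->\"status\")" as-value]
:local rc ($result->"exit-code")
:if ($rc = 0) do={
    # Only use the output when the remote command actually succeeded.
    :local status ($result->"output")
    :log info ("ether1 on " . $remote . " is " . $status)
    :if ($status != "link-ok") do={
        :log warning ("ether1 on " . $remote . " reports " . $status)
    }
} else={
    # Non-zero exit-code: authentication, connectivity or command failure.
    :log error ("ssh-exec to " . $remote . " failed, exit-code=" . $rc)
}
# Store this script as, e.g., poll-ether1 with policy=read,test and run it
# periodically; the scheduler entry needs the same "test" policy:
#   /system scheduler add name=poll-ether1 interval=5m policy=read,test on-event="/system script run poll-ether1"
```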
How to set up SSH port forwarding on a router – Step-by-Step Guide for Beginners
Hello friends, welcome to my blog.
This article covers a port forwarding scenario, what port forwarding is, and how to set up SSH port forwarding. I describe port forwarding for SSH, but you can do the same for other services as well.
Scenario of SSH port forwarding
I run an SSH server at my office; its LAN IP address is 192.168.0.3 and the WAN IP address is XXX.83.2.35. I have another laptop at my home, which has the PuTTY SSH client installed on Windows 10. I tried to access my office SSH server from home by using the server's LAN/WAN IP address but failed, because the LAN IP address is only accessible from the LAN network. Later I found that SSH port forwarding can solve this problem. After setting up SSH port forwarding on my office router, I was able to access the SSH server from my home laptop. So in this article I am going to describe everything related to SSH port forwarding.
What is port forwarding?
Port forwarding is a process that redirects a communication request from one IP address and port number to another IP address and port number through a router or firewall.
After port forwarding is set up, requests for the SSH server that arrive at the office WAN IP address will be redirected by the router to the local IP address of the SSH server at the office (on the router this is a destination NAT entry, distinct from the tunnel forwarding an SSH client itself can perform). This means I will be able to access the office SSH server from my home laptop. Not only SSH: you can also set up port forwarding for any service such as HTTP/HTTPS, FTP, Telnet, etc.
How to set up SSH port forwarding
In this section I describe how to set up SSH port forwarding. You must have access to the router on which you want to redirect requests to another local computer. Different routers have different menus for configuring port forwarding, but the process is the same everywhere. I am using a TP-LINK router, so I will describe each step on that router.
Follow these instructions for SSH port forwarding:
- Check the local SSH server: First I check that the SSH server is running on the local machine by accessing it with the PuTTY SSH client. In the following image you can see the SSH server running on the local computer. But when I try to access the SSH server through the WAN IP address at the same time, I get an error, as shown in the following image.
- Access the router: Open the router's IP address in a web browser and enter the correct username and password to reach the router's configuration page.
- Click on Forwarding > Virtual Server, fill in the required fields, and save.
- After clicking Save you can see that an entry has been added to the virtual server list. Two options are shown, one to modify the entry and another to delete it. If you want to change the port forwarding, click Modify; if you no longer want the port forwarding, click Delete to remove the entry.
- SSH port forwarding check/test: Now try again to access the SSH server through the WAN IP address from your home laptop; this time it will succeed.
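The post shows the entry in the TP-LINK web interface. As an added example that is not part of the original post, the same virtual server entry expressed as RouterOS firewall rules, which ties this scenario to the RouterOS SSH material above. It assumes the WAN interface is ether1 and uses the office SSH server address 192.168.0.3 from the post.

```routeros
# Added example (not from the original post): TP-LINK "Virtual Server" entry
# as a RouterOS destination-NAT rule plus a matching filter rule.
# Assumptions: WAN interface ether1, office SSH server 192.168.0.3 (from the post).

# Redirect TCP/22 arriving on the WAN interface to the office SSH server.
# The dstnat chain is evaluated before the input chain, so this rule, not
# the router's own SSH service, handles port 22 on ether1 once it matches.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.0.3 to-ports=22 comment="SSH virtual server -> office SSH server"

# If the forward chain ends in a drop rule, explicitly accept only the
# connections this NAT rule translated (connection-nat-state=dstnat),
# placed at the top of the chain so the drop rule does not win.
/ip firewall filter add chain=forward in-interface=ether1 protocol=tcp dst-address=192.168.0.3 dst-port=22 connection-nat-state=dstnat action=accept place-before=0 comment="allow forwarded SSH"

# Check/test step: while connecting from outside, the NAT rule's packet and
# byte counters should increase.
/ip firewall nat print stats where comment~"SSH virtual server"
```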