SSH (Secure Shell)

SSH (Secure Shell)

Version Info

RouterOS 7.16 | Min: v6.0+ | ⏱️ 10 minutes | 🟢 Beginner

Tested on: 7.16 7.14

Version-specific notes

• v7.12+: Ed25519 key support; works with modern OpenSSH without extra config
• v6.31: RSA key authentication added
• v6.x: Requires PubkeyAcceptedAlgorithms +ssh-rsa in SSH client config for modern OpenSSH

TL;DR (Quick Start)

For the impatient: secure SSH with key-based authentication.

On your workstation:

ssh-keygen -t rsa -b 4096 -f ~/.ssh/mikrotik_rsa
scp ~/.ssh/mikrotik_rsa.pub [email protected]:

On the router:

/user/ssh-keys/import public-key-file=mikrotik_rsa.pub user=admin
/ip/ssh/set always-allow-password-login=no

Now connect without password:

ssh -i ~/.ssh/mikrotik_rsa [email protected]

Overview

What this does: SSH provides encrypted remote access to RouterOS via command line. It supports password and public key authentication, with options to enforce key-only access for enhanced security.

When to use this:

• Secure remote administration
• Automated scripting and configuration management
• Replacing insecure Telnet access
• Passwordless authentication for scripts/automation

Prerequisites:

• SSH service enabled (default: yes, port 22)
• Network access to router on TCP port 22
• For key auth: SSH key pair generated on client

SSH Server Configuration

View Current Settings

/ip/ssh/print

Default output:

  forwarding-enabled: no
  host-key-size: 2048
  strong-crypto: no
  always-allow-password-login: no

Enable Strong Cryptography

Use stronger encryption and larger DH primes:

/ip/ssh/set strong-crypto=yes

This enables:

• AES-256 and AES-192 (vs AES-128)
• Stronger HMAC algorithms
• Larger Diffie-Hellman primes

Change SSH Port (Security)

Move SSH to a non-standard port:

/ip/service/set ssh port=2222

Restrict SSH to Management Network

Allow SSH only from specific IP ranges:

/ip/service/set ssh address=192.168.1.0/24,10.0.0.0/8

Configuration Steps: Key-Based Authentication

Step 1: Generate SSH Key (On Workstation)

Linux/macOS:

ssh-keygen -t rsa -b 4096 -f ~/.ssh/mikrotik_rsa -N ""

For RouterOS 7.12+ (Ed25519 preferred):

ssh-keygen -t ed25519 -f ~/.ssh/mikrotik_ed25519 -N ""

Step 2: Copy Public Key to Router

Using SCP:

scp ~/.ssh/mikrotik_rsa.pub [email protected]:

Or using SSH:

cat ~/.ssh/mikrotik_rsa.pub | ssh [email protected] "tee mikrotik_rsa.pub"

Step 3: Import Key on Router

/user/ssh-keys/import public-key-file=mikrotik_rsa.pub user=admin

Step 4: Verify Key Import

/user/ssh-keys/print

Expected output:

Columns: USER, BITS, KEY-OWNER
#  USER   BITS  KEY-OWNER
0  admin  4096  user@workstation

Step 5: Disable Password Authentication

Enforce key-only authentication:

/ip/ssh/set always-allow-password-login=no

Step 6: Test Connection

ssh -i ~/.ssh/mikrotik_rsa [email protected]

Common Scenarios

Scenario: SSH from Router to Another Device

Use the router as an SSH client:

/system/ssh 192.168.1.100 user=admin

Execute a single command:

/system/ssh 192.168.1.100 user=admin command="/system/identity/print"

Scenario: SSH in Scripts (Non-Interactive)

For automation, use /system/ssh-exec:

/system/ssh-exec address=192.168.1.100 user=admin command="/ip/address/print"

Returns exit-code and output for script processing.

Use SSH key authentication for automation. Never put passwords in scripts.

Scenario: Regenerate Host Keys

Generate new host keys (invalidates existing keys):

/ip/ssh/regenerate-host-key

Scenario: Export Host Keys (Backup)

Export host keys for backup or transfer:

/ip/ssh/export-host-key key-file-prefix=router1

Creates router1_rsa (private) and router1_rsa.pub (public) files.

Scenario: Import Host Keys (Restore)

Restore previously exported host keys:

/ip/ssh/import-host-key private-key-file=router1_rsa

Scenario: Configure SSH Client (Modern OpenSSH + RouterOS 6.x)

If using RouterOS 6.x with OpenSSH 8.8+, add to ~/.ssh/config:

Host 192.168.88.1
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostKeyAlgorithms +ssh-rsa

This enables RSA support deprecated in modern OpenSSH.

Scenario: Enable Port Forwarding

Allow SSH tunneling:

/ip/ssh/set forwarding-enabled=both

Options:

• no: Disabled (default)
• local: Local forwarding only
• remote: Remote forwarding only
• both: Both directions

Scenario: Multiple Keys for Different Users

Import keys for multiple users:

/user/ssh-keys/import public-key-file=admin_key.pub user=admin
/user/ssh-keys/import public-key-file=backup_key.pub user=backup

Each user can have their own key.

Verification

Confirm SSH is properly configured:

Check 1: Verify SSH Service Status

/ip/service/print where name=ssh

Expected: disabled: no, correct port and address restrictions.

Check 2: Verify SSH Settings

/ip/ssh/print

Expected: strong-crypto: yes, always-allow-password-login: no for secure config.

Check 3: List Imported Keys

/user/ssh-keys/print

Expected: Keys listed for appropriate users.

Check 4: Test Key Authentication

From workstation:

ssh -v -i ~/.ssh/mikrotik_rsa [email protected]

Look for “Authenticated” in verbose output.

Troubleshooting

Symptom	Cause	Solution
”Permission denied (publickey)“	Key not imported or wrong user	Verify key imported for correct user
Password prompt despite key	always-allow-password-login=yes	Set to no; re-import key
”no matching host key type found”	OpenSSH 8.8+ with RouterOS 6.x	Add HostKeyAlgorithms +ssh-rsa to SSH config
”no matching key exchange method”	Algorithm mismatch	Enable strong-crypto=yes or adjust client config
Connection refused	SSH service disabled or firewalled	Enable service; check firewall rules
Key import fails	Wrong key format	Use OpenSSH format; ensure no extra whitespace
Can’t connect after key import	Wrong key file used	Verify using correct private key with -i flag

Debug: Check SSH Service

/ip/service/print where name=ssh

Ensure disabled: no and port is correct.

Debug: Verbose SSH Connection

ssh -vvv -i ~/.ssh/mikrotik_rsa [email protected]

Shows detailed authentication process.

Debug: Check Key Format

Public key should start with ssh-rsa or ssh-ed25519:

cat ~/.ssh/mikrotik_rsa.pub

Common Mistakes

• Importing private key instead of public - Only .pub file should be imported
• Wrong user specified during import - Key only works for the specified user
• Key file permissions too open - Private key must be chmod 600
• Forgetting -i flag - Specify key with ssh -i ~/.ssh/keyfile
• RouterOS 6.x with modern OpenSSH - Requires client-side algorithm configuration

Community Tips

Automation Best Practice: Always use SSH keys (never passwords) for scripts and automation. Use /system/ssh-exec for non-interactive commands.

Backup Host Keys: Export host keys before router replacement:

/ip/ssh/export-host-key key-file-prefix=backup

Restoring them prevents SSH client warnings about changed host keys.

Ed25519 for v7.12+: Ed25519 keys are smaller, faster, and work with modern OpenSSH without extra configuration:

ssh-keygen -t ed25519 -f ~/.ssh/mikrotik

Restrict Management Access: Combine SSH restrictions with firewall rules:

/ip/service/set ssh address=10.0.0.0/8
/ip/firewall/filter/add chain=input protocol=tcp dst-port=22 \
    src-address=!10.0.0.0/8 action=drop

Security Best Practices

1. Use key-based authentication - Disable password login after importing keys
2. Enable strong-crypto - Use stronger encryption algorithms
3. Change default port - Reduces automated brute-force attempts
4. Restrict by IP - Allow SSH only from management networks
5. Use Ed25519 keys - Faster and more secure than RSA (v7.12+)
6. Disable unused services - Turn off Telnet, MAC-Telnet if not needed

Related Topics

Prerequisites

• User Management - user accounts for SSH access

Security

• Firewall Basics - restrict SSH access by IP
• Certificates - SSH key management
• Logging - log SSH access attempts

Related Access Methods

• Console - serial console access
• RoMon - remote management over MikroTik network

Reference

• MikroTik SSH Documentation
• MikroTik Security Guide

SSH Server Properties (/ip/ssh)

Property	Type	Default	Description
always-allow-password-login	yes/no	no	Allow password auth for users with keys
strong-crypto	yes/no	no	Use stronger encryption/HMAC
forwarding-enabled	enum	no	Port forwarding: no/local/remote/both
host-key-size	integer	2048	RSA key size (1024-8192)
host-key-type	enum	rsa	Key type: rsa or ed25519

SSH Server Commands

Command	Description
/ip/ssh/print	View SSH configuration
/ip/ssh/set	Modify SSH settings
/ip/ssh/regenerate-host-key	Generate new host keys
/ip/ssh/export-host-key	Export host keys
/ip/ssh/import-host-key	Import host keys

SSH Key Management (/user/ssh-keys)

Command	Description
/user/ssh-keys/import	Import public key for user
/user/ssh-keys/print	List imported keys
/user/ssh-keys/remove	Remove imported key

SSH Client Commands

Command	Description
/system/ssh	Interactive SSH connection
/system/ssh-exec	Non-interactive command execution

Supported Key Types

Key Type	RouterOS Version	OpenSSH Compatibility
RSA	6.31+	Requires config for OpenSSH 8.8+
Ed25519	7.12+	Works with all modern OpenSSH
DSA	Legacy	Deprecated, not recommended

Cipher Options

Cipher	Security	Notes
aes-256-ctr	High	Recommended with strong-crypto
aes-192-ctr	High	Good alternative
aes-128-ctr	Medium	Default without strong-crypto
aes-256-gcm	High	Authenticated encryption
3des-cbc	Low	Legacy, avoid if possible