It all started with the need for backup. I had to do two things. First create a backup user with read-only access and then to automate gathering of exported configuration using SSH. And, as a twist, SSH would need to use RSA - something WinBox started supporting only recently (since 6.31).
The easiest way to configure this is to enter commands into New Terminal from WinBox. I will simply repeat commands needed instead of going through the screens. Commands are actually quite descriptive and easy to “translate” into GUI actions if that is your preference.
Before creating user itself we need to create a group without any rights, followed by user creation:
/user
group add name=backup policy=
add name=backup group=backup
With the user in hand, we should get key authentication going. Do notice that key.txt contents should be the public key for use with login. How to generate it is out of scope but just google PuttyGen and you can find a lot of information about this. In any case, we can set publick key for user by using the following commands:
/file
print file=key.txt
set key.txt contents="ssh-rsa ..."
/user
ssh-keys import public-key-file=key.txt user=backup
After assigning key to a user, we can give it appropriate rights - in my case those were ssh
and read
. Do notice that policy could have been set while creating group but that would allow user to login without any password until SSH key was set. While window is short and chance is really remote, I prefer to avoid it:
/user
group set [find name=backup] policy=ssh,read
If everything has been done correctly, you can log into router using your RSA keys and you can run export
command to gather current configuration.
PS: If you are limiting MACs to be used with SSH beware that Mikrotik supports only hmac-sha1
.