Component: ssh
139 changelog entries across 73 version(s)
- added support for ED25519-SK keys;
- improved logging of failed login attempts;
- refactored SSH service internal processes;
- renamed User SSH keys "key-owner" field to "info";
- replaced "always-allow-password-login" with "password-authentication" in SSH settings;
- fixed non-interactive command execution (introduced in v7.20);
- improved stability on busy server;
- show user public key fingerprint under /user/ssh-keys;
- fixed authorization with SSH key when multiple user SSH public keys are imported;
- improved channel resumption after rekey and eof handling;
- added option to configure SSH ciphers (replaced allow-none-crypto parameter);
- do not regenerate host key after update from RouterOS version older than 7.9;
- improved logging;
- improved speed;
- prefer GCM ciphers for arm64 and x86 devices when ciphers=auto;
- fixed SSH cryptographic accelerator selection for GCM cipher (introduced in v7.14);
- fixed unsupported user SSH public key import (introduced in v7.15);
- improved system stability when SSH tries to bind to non-existing interface;
- fixed unsupported user SSH public key import (introduced in v7.15);
- fixed SSH cryptographic accelerator selection (introduced in v7.14);
- added support for user Ed25519 private keys;
- export host Ed25519 public key;
- fixed bogus output;
- fixed permissions to run ".auto.rsc" scripts;
- require "policy" user policy when adding public key;
- require "policy" user policy when adding public key;
- improved SSH performance on ARM, MIPS, MMIPS, SMIPS and TILE devices;
- refactored SSH service internal processes;
- added cipher and hash function acceleration for ARM64 and x86 architectures;
- fix error that prevented large chunks of text from being pasted in their entirety into console;
- added support for user ed25519 public keys;
- allow to specify key owner on import;
- fixed SSH tunnel performance (introduced in v7.10);
- improved connection stability when pasting large chunks of text into console;
- fixed host public key export (introduced in v7.9);
- fixed private key import (introduced in v7.9);
- fixed SSH key agreement on the client side when ed25519 used under server settings;
- fixed user RSA private key import;
- added inline key "passphrase" property;
- fixed RouterOS SSH client login when using a key (introduced in v7.9);
- added Ed25519 host key support;
- added support for Ed25519 key export and import in PKCS8 format;
- do not allow SHA1 usage with strong crypto enabled;
- improved service responsiveness when changing SSH service settings;
- improved SSH key import process;
- hard-coded "localhost" address for forwarding requests;
- improved system stability when processing none-crypto SSH connection;
- added support for Ed25519 key exchange;
- do not allow SHA1 usage with strong crypto enabled;
- fixed handling of non-standard size RSA keys;
- increased key generation timeout;
- added AES support for PEM decryption;
- fixed importing of public keys;
- fixed minor typo issue when importing public key;
- disable ssh-rsa when strong-crypto=yes and use rsa-sha2-sha256;
- fixed host key generation (introduced in v7.3);
- implemented "server-sig-algs" extension in order to improve rsa-sha2-sha256 support;
- added AES-GCM cipher support;
- fail non-interactive client after first invalid password;
- fixed corrupt host key automatic regeneration;
- fixed private key usage after downgrade;
- removed DSA public key authentication support;
- fixed forwarding with IPv6 link-local addresses;
- fixed "undo" functionality;
- return proper error code from executed command;
- fixed returned output saving to file when "output-to-file" parameter is used;
- skip interactive authentication when not running in interactive mode;
- improved SSH service stability when receiving bogus packets;
- added support for RSA keys with SHA256 hash (RFC8332);
- fixed SHA256 user authentication algorithm checking (introduced in v6.46.4);
- added support for RSA keys with SHA256 hash (RFC8332);
- fixed output printing when "command" parameter used;
- fixed output printing when "command" parameter used;
- accept remote forwarding requests with empty hostnames;
- fixed carriage return presence in subsequent sessions;
- improved remote forwarding handling (introduced in v6.44.3);
- fixed carriage return presence in subsequent sessions;
- do not enable "none-crypto" if "strong-crypto" is enabled on upgrade (introduced in v6.45);
- fixed executed command output printing (introduced in v6.45);
- fixed non-interactive multiple command execution;
- accept remote forwarding requests with empty hostnames;
- added new "ssh-exec" command for non-interactive command execution;
- fixed non-interactive multiple command execution;
- improved remote forwarding handling (introduced in v6.44.3);
- improved session rekeying process on exchanged data size threshold;
- keep host keys when resetting configuration with "keep-users=yes";
- use correct user when "output-to-file" parameter is used;
- do not generate host key on configuration export;
- added "both", "local" and "remote" options for "forwarding-enabled" parameter;
- do not generate host key on configuration export;
- fixed multiline non-interactive command execution;
- close active SSH connections before IPsec connections on shutdown;
- added "allow-none-crypto" parameter to disable "none" encryption usage (CLI only);
- added error log message when key exchange fails;
- close active SSH connections before IPsec connections on shutdown;
- fixed public key format compatibility with RFC4716;
- disconnect all active connections when device gets rebooted or turned off;
- strengthen strong-crypto (add aes-128-ctr and disallow hmac sha1 and groups with sha1);
- allow to use "diffie-hellman-group1-sha1" on TILE and x86 devices with "strong-crypto" disabled;
- fixed SSH service becoming unavailable;
- fixed SSH service becoming unavailable;
- generate SSH keys only on the first connect attempt instead of the first boot;
- improved key import error messages;
- remove imported public SSH keys when their owner user is removed;
- do not use DH group1 with strong-crypto enabled;
- enforced 2048bit DH group on tile and x86 architectures;
- do not execute command if it starts with "-" symbol;
- do not execute command if it starts with "-" symbol;
- fixed high memory consumption when transferring file over ssh tunnel;
- fixed high memory consumption when transferring file over ssh tunnel;
- added routing-table setting (cli only);
- fixed lost "/ip ssh" settings on upgrade from version older than 5.15;
- add rsa host key size parameter;
- simplify login process;
- fixed crash on failed scp read;
- fixed connection stalling;
- make export verbose work;
- avoid double session clean-up;
- fix active user accounting;
- fix key exchange when first kex packet follows;
- fix session clean-up;
- fixed possible kernel crash;
- fix session clean-up;
- avoid double session clean-up;
- fix key exchange when first kex packet follows;
- allow host key import/export;
- use 2048bit RSA host key when strong-crypto enabled;
- support RSA keys for user authentication;
- allow to specify pass as argument for private key import;
- added option '/ip ssh strong-crypto';
- added aes-ctr cipher support;
- check conn state before sending disconnect message;
- fixed ssh related crashes;
- fixed denial of service;
- fixed denial of service;
- added /ip ssh regenerate-host-key which will regenerate current host key;
- fixed interoperability problem with psftp based clients;
- fix memory leak when client uses public key authentication;
- fix possible server crash when connection is interrupted;