Feature Request: Ed25519 SSH keys

th0massin0 · Tue Jun 07, 2016 1:20 pm

As in subject, everybody will sleep better if the support of Ed25519 keys will be available in ROS7 (or 6!)

azol · Tue Oct 03, 2017 6:18 pm

agree, +1

WzL · Thu Nov 16, 2017 10:24 pm

+1, this feature is much missed here!

Anastasia · Mon Jan 28, 2019 3:06 pm

+1 add support Ed25519.

cypa · Mon Mar 23, 2020 1:34 pm

+1 we need this!!!

msatter · Mon Mar 23, 2020 1:47 pm

search.php?keywords=Ed25519

cypa · Mon Mar 23, 2020 1:58 pm

OK could you please hint what do I do wrong?

[cypa@hAP.k16] > user ssh-keys import public-key-file=id_ed25519.pub unable to load key file (wrong format?) ! [cypa@hAP.k16] > system resource print uptime: 56m26s version: 6.46.4 (stable) build-time: Feb/21/2020 11:26:37 factory-software: 6.34.2 free-memory: 6.4MiB total-memory: 32.0MiB cpu: MIPS 24Kc V7.4 cpu-count: 1 cpu-frequency: 650MHz cpu-load: 7% free-hdd-space: 7.7MiB total-hdd-space: 16.0MiB write-sect-since-reboot: 115 write-sect-total: 30299 bad-blocks: 0% architecture-name: smips board-name: hAP lite platform: MikroTik [cypa@hAP.k16] >

eworm · Mon Mar 23, 2020 3:24 pm

Nothing wrong, ed25519 is not supported.

VVL · Thu Sep 03, 2020 1:53 am

Nothing wrong, ed25519 is not supported.

In 7.1beta2 wireguard protocol was added. It use ed25519 as one of algorithm. Maybe it possible to add ssh support of this algo too?

Markg23 · Tue Dec 08, 2020 1:39 pm

+1 It would be great if RouterOS support ssh Ed25519 keys

mkx · Tue Dec 08, 2020 9:05 pm

In 7.1beta2 wireguard protocol was added. It use ed25519 as one of algorithm. Maybe it possible to add ssh support of this algo too?

wireguard and ssh don't necessarily share encryption libraries so support for certain key types in one of these services doesn't mean support for same key type in the other service. However the trend in IT is to re-use things and hopefully wireguard and ssh will share encryption library ... not only to provide same level of support for key types but to reduce size of install as well.

akschu · Tue Jun 22, 2021 9:55 pm

Please! I'm deploying cert based auth and this is needed.

Paradox · Fri Oct 15, 2021 3:53 pm

Hi,

I'd like to use Ed25519 SSH keys, too. I do not use any other key formats anymore.

Please add it!

yottabit · Thu Nov 25, 2021 5:51 pm

6.49.1 here and still no support for ed25519 keys. As I can no longer use sha-1 RSA keys, I would like to use the currently most secure format and not manage so many different keys just because a vendor refuses to update security to the best practices.

Can we get ed25519 support in v6 please??

Edit: I can't even get ecdsa to import, sigh.

Edit 2: workaround for now is to use rsa-sha2-256, which is still not as secure as ed25519 but it's the best that RouterOS v6 currently supports. To generate this key using openssh:

$ ssh-keygen -t rsa-sha2-256

I'm still going to be maintaining this weaker key for RouterOS only, and an ed25519 key for everything else.

eworm · Thu Nov 25, 2021 5:54 pm

I have a support/feature ticket on that topic (SUP-61929). Answer from MikroTik:

Thank you for your feedback. We will consider adding this feature in the future.

That's better than 'No' I guess... So go and place your own issue...

yottabit · Thu Nov 25, 2021 6:15 pm

Done, SUP-67007.

guipoletto · Thu Nov 25, 2021 11:20 pm

Done, SUP-67007.

did they offer a timeline?

msatter · Thu Nov 25, 2021 11:49 pm

I only know the start of the first request and that was more than 5 years ago.

eworm · Fri Nov 26, 2021 12:35 am

Timeline? Currently we do not know whether or not we will see this any time soon or at all.
So if you want this... Open your own issue to make Mikrotik aware of the interest.

osc86 · Tue Apr 12, 2022 6:00 pm

It seems we first need support for modern signature algorithms (rsa-sha2-256/512, ssh-ed25519, ecdsa-sha2-nistp256/384/521).
OpenSSH 9.0的发布,将officially deprecated and disabled by default, which seems to be the only supported algorithm in RouterOS 6+7 (next to ssh-dss, also deprecated).
Connecting to the router using a rsa key now fails, and adding an exception to allow ssh-rsa again on every machine running openssh 9.0+ is not an option.

yottabit · Tue Apr 12, 2022 9:17 pm

Done, SUP-67007.

did they offer a timeline?

不。他们没有提交到v6,只是说"shortly" for v7. That was on 2021-12-28. No updates since.

CarlitoxxPro · Mon Jun 20, 2022 1:55 pm

+1, this should be a must

@strods, please could you ping internally to the security team and let us know if is in the roadmap and what is the ETA.

Thanks in advance.

mikrotip · Sat Sep 10, 2022 5:01 pm

What is the problem? 6 years passed. Is there some update about the feature?

foorschtbar · Wed Sep 21, 2022 4:01 pm

I switched to ed25519 and my Mikrotik devices are the only ones that don't support it yet

rextended · Wed Sep 21, 2022 4:05 pm

Patience, you don't have to protect the "Deutsche Bank" anyway, right?

Thu Sep 22, 2022 1:15 am

Six years stretches the word “patience” all out of shape.

This in a world where RouterOS has dropped DSA (as it should) leaving only the semi-obsolescent RSA, a tech older than most of the board’s participants, I’d warrant.

It’s past time for this lack to be filled. The option to DIY a fix for ourselves with containers is either unavailable or unpalatable: most devices aren’t ARM, and even with those that are, a scripted bounce thru an OpenSSH container sucks.

Get it done, MikroTik!

foorschtbar · Thu Sep 22, 2022 2:13 pm

Patience, you don't have to protect the "Deutsche Bank" anyway, right?

When u today create a new Keypair, why not use ED25519? There more improvements, like the shorter keys, and not only MoRE SEcuRe!!!11elf

yottabit · Thu Sep 22, 2022 4:38 pm

Most of my ssh hosts won't even accept rsa keys anymore. So I have to maintain ed25519 for them, and a separate rsa key just for the RouterOS hosts. It's very annoying.

gazmirb · Sun Jan 22, 2023 1:45 pm

either with update 7.7 my mikrotik doesnt support Ed25519 key

shalak · Sun Jan 22, 2023 9:05 pm

As of the most recent macOS update (Ventura, 13.1), by default it no longer allows RSA to be used for SSH client.

You have to explicitly allow it in SSH config:

Host * PubkeyAcceptedKeyTypes=+ssh-rsa HostKeyAlgorithms=+ssh-rsa

Any updates on implementing ed25519?

yottabit · Sun Jan 22, 2023 9:10 pm

6.5 years since original post. 2 years since they said "shortly" in my ticket. We need a reference for what "shortly" means in this case? Software dev cycles? Human lifespan? Galactic time scale?

fmikker · Tue Jan 31, 2023 5:04 pm

I'm still waiting too..

seb13 · Thu Feb 02, 2023 5:10 pm

+1!

Naoy · Wed Mar 08, 2023 12:17 am

We're in 2023 and Ed25519, the most used ECDH protocol, is still not supported...

eworm · Wed Mar 08, 2023 10:13 pm

Perhaps in 7.9beta?*holding thumbs*

majestic · Wed Mar 08, 2023 10:46 pm

+1 this should really of been added in many years ago. This should not be too hard to implment.

rextended · Wed Mar 08, 2023 11:22 pm

This should not be too hard to implment.

Like count on BGP routes?

Sob · Thu Mar 09, 2023 12:09 am

Reinventing the wheel properly takes time.

And they like to do it a lot, example:viewtopic.php?p=965896#p965896

JohnConnett · Fri Mar 10, 2023 1:10 pm

+1. Really surprised thisstillisn't supported in 2023!

Paradox · Mon Mar 20, 2023 5:39 pm

I have a support/feature ticket on that topic (SUP-61929).

Also did a feature request...

laca77 · Fri Mar 31, 2023 2:57 pm

What's new in 7.9beta4 (2023-Mar-23 15:01):
*) ssh - added Ed25519 host key support;

Fri Mar 31, 2023 5:34 pm

That's only the host key part. It doesn't let you set up pre-shared ed25519 keys per user.

One hopes the latter piece is coming later in the 7.9 beta process.

theprojectgroup · Sat Apr 01, 2023 9:11 pm

+1. Please, still unsupported in 2023?

laca77 · Thu Apr 06, 2023 12:35 pm

7.9rc2 changelog:
Changes in this release:

*) ssh - added support for Ed25519 key export and import in PKCS8 format;

eworm · Thu Apr 06, 2023 5:37 pm

This is still just host key support, not public key authentication.

rotor · Wed May 03, 2023 12:58 pm

Confirmed it still doesn't import on 7.9.

[admin@MikroTik] > /user/ssh-keys/import public-key-file=id_ed25519.pub user=admin unable to load key file (wrong format or bad passphrase)! [admin@MikroTik] > /system/resource/print uptime: 13h5m31s version: 7.9 (stable) build-time: May/02/2023 05:35:06 factory-software: 6.46.3 free-memory: 201.8MiB total-memory: 256.0MiB cpu: MIPS 1004Kc V2.15 cpu-count: 4 cpu-frequency: 880MHz cpu-load: 4% free-hdd-space: 4208.0KiB total-hdd-space: 16.0MiB write-sect-since-reboot: 2563 write-sect-total: 375345 architecture-name: mmips board-name: hEX platform: MikroTik [admin@MikroTik] >

infabo · Wed May 10, 2023 2:41 pm

And now I'd like to use my ED25519-SK token for public key authentication. That's still not possible in ROS 7.9

mantouboji · 我2023年5月29日22点

how long should we wait ？

rextended · Mon May 29, 2023 11:26 am

how long should we wait ？

Until it's finished.

lucidnx · Sat Jun 10, 2023 4:59 pm

I would love ed25519-sk support as well since I am using yubikeys.

mantouboji · Wed Jul 19, 2023 12:04 pm

How about the progress ?

eworm · Thu Aug 17, 2023 1:02 pm

Available now in 7.12beta1!

Who is online