1

I want to generate an SSHFP record for my Mikrotik CCR2004 running RouterOS 6.47.4, without getting the key over the network. How can I do this from the console?

Falcon Momot
  • 24,975
  • 13
  • 61
  • 92

1 Answers1

1

Regenerate the host key if needed (e.g. if changing the modulus length):

ip ssh regenerate-host-key

The CLI will hang for a moment. When it's back:

ip ssh export-host-key
file print

You'll get something like:

[admin@MikroTik] > file print
 # NAME                   TYPE                        SIZE CREATION-TIME
 0 hostKey_rsa            file                        3272 jan/03/1970 18:35:53
 1 hostKey_rsa.pub        ssh key                      796 jan/03/1970 18:35:53
 2 hostKey_dsa            file                         668 jan/03/1970 18:35:53
 3 hostKey_dsa.pub        ssh key                      604 jan/03/1970 18:35:53

Print the one you want:

file print detail where name=hostKey_rsa.pub

Remove the extra spaces from the beginning of the printed key, and put it in a file e.g. router_pubkey.pem. Then on your box:

openssl rsa -in router_pubkey.pem -pubin -RSAPublicKey_out |
  ssh-keygen -f /dev/stdin -i -m PEM |
  ssh-keygen -f /dev/stdin -r hostname

The openssl command converts the key to PKCS#1 format (just an integer sequence, instead of an ASN.1 rsaEncryption object). The ssh-keygen invocations respectively import the key into OpenSSH format, and then generate the fingerprints and print SSHFP records.

Falcon Momot
  • 24,975
  • 13
  • 61
  • 92