How can multiple private keys be used with ssh? Figure 9 – Assigning a name to. These scenarios are scoped only to a situation in which the VM is provisioned by using cloud-init and the user selects additional Azure features that rely on certificates, such as a system-managed service identity. There have been incidents when thousands. Multiple SSH keys can be added to workloads to allow more than one user to connect and manage the virtual machine. Mindmanager 2020 with crack.
- 2x 10gbit aka SFP+
- 24x+ 1gbit
- Web UI with LetsEncrypt SSL certificates
- SFP+ links work consistency on system reboot
I could easily focus on other goals. Both switches have lots of features, and their own pluses and minuses. I am only trying to meet my limited goals. ES-48-LITE
I bought this in April of 2017 from Amazon for $390.40($358.99+ $31.41 tax). It is a nice switch, and isn't too noisy like some higher end models. It works well in my home office.
It easily checks goals 1 and 2. It checks the Web UI and SSL parts of goal 3, but not LetsEncrypt. When I first got it I was just buying a wildcard SSL certificate, *.mydomain.tld for $42 from AlphaSSL through SSL2Buy. Since then LetsEncrypt has taken off, and now supports wildcard certificate itself. I now no longer see a good reason to pay for SSL certificates in most cases. Given the ES-48-LITE's limited OS I didn't see a good way to automate the process of uploading a certificate. Even better would be built-in support, or the ability to run a LetsEncrypt client natively on the switch. I am not aware of any switch that lets you do that.
Something I had been living with since day one with the ES-48-LITE is that it doesn't consistency re-establish the SFP+ links on system reboot. This has been very annoying, but I don't reboot my two SFP+ systems that often, so I have lived with it. This is how the ES-48-LITE doesn't meet goal 4.
I have tried multiple SFP+ DAC cables, multiple fiber transceivers, different 10gbit SFP+ cards, and switch firmware upgrades. Nothing has resolved this issue. This issue also isn't unique to me. I have over the years read many forum threads of people having the same problems. MikroTik CRS326-24G-2S+RM:
I considered a MikroTik switch back when I bought the ES-48-LITE. It seemed at the time that Ubiquiti was a little higher end, and obviously has more ports.
Given my problems with the ES-48-LITE I reconsidered, and found I could get a CRS326-24G-2S+RM from Amazon for $199.99($184.75+$15.24 tax). I ordered it, and set it up last night. It out of the box obviously meets goals 1 and 2.
My first impressions of it are that it is small and quiet. That it has an external power supply is a downside, but acceptable.
With the CRS326-24G-2S+RM booted into RouterOS I can automate the upload of a LetsEncrypt certificate with https://github.com/gitpel/letsencrypt-routeros
. This is enabled by RouterOS's support for SCPing files. I didn't need it to generate the SSL certificate via certbot, because I am already generating a wildcard certificate on my NAS with lego, https://github.com/go-acme/lego
. So I commented out the calls to certbot, and changed it to read my lego certificate. This meets goal 3.
So far in my testing the CRS326-24G-2S+RM meets goal 4, because reboots of the systems don't intermittently drop the link.
The first issue was I couldn't get ssh keys to work. My first thought was key size. My second thought was the newer OpenSSH key format. What I ended up finding is that my newer OpenSSH client, 8.4, didn't like the signature algorithm. I only found this with the -v option for the ssh command. The error was "debug1: send_pubkey_test: no mutual signature algorithm". Googling that I found "PubkeyAcceptedKeyTypes ssh-rsa" in my ~/.ssh/config for this Host allowed the two to work together. I also needed to set "PreferredAuthentications publickey" to get it to not start by asking for a password first. The dedicated key is not required, but makes it work for my circumstance.
Host 192.168.1.254 User username IdentityFile /home/username/.ssh/id_rsa.mikrotik PreferredAuthentications publickey PubkeyAcceptedKeyTypes ssh-rsa
The second issue I found while troubleshooting the first. I had set "always-allow-password-login" to allow me to use a password as an alternative to the ssh-key, as you would expect. What I found is if the user doesn't have a password set it will allow you to login with a blank password. So no password is really a blank password. The solution is to set a password. I understand why people might want a blank password, but as is it leads to an unexpected bad security outcome. This would be fixed by an explicit no password option.
The third issue was some minor packet loss. This was causing noticeable hiccups in interactive sessions across the network. Googling this I found this isn't unheard of. The first link's solution was an invalid configuration change. The second link had the working solution. This helped a little, but was more of a band-aid. In the end I realized it is probably counter productive once you actually fix it.
/ip firewall mangle add chain=prerouting out-interface=!local action=change-ttl new-ttl=set:64 passthrough=yes <-- invalid on my CRS326-24G-2S+RM with RouterOS in bridge mode with the latest firmware /ip firewall mangle add chain=postrouting out-interface=!ether1 action=change-ttl new-ttl=set:64 passthrough=yes <-- works
First link: https://forum.mikrotik.com/viewtopic.php?t=87430
Second link: https://forum.mikrotik.com/viewtopic.php?t=144140
I tried switching to SwOS from RouterOS. I tried enabling flow control. I tried different queue types on the ports. I tried all kinds of things. I almost gave up and returned the switch to Amazon at this point. I was testing it by first doing 100 pings, then 1000, and finally 10000. I thought it was the switch, because I would swap the cables back to the ES-48-LITE and see no packet loss. In the end I found if I swapped to DAC cables from my fiber cables and transceivers, it is almost perfect. I say almost perfect, because I do sometimes see one dropped packet in 10000 on the SFP+ 10gbit links. It is good enough for me.
My fourth issue is that upgrades of the firmware seem to be a little glitchy. Sometimes it acts like it did it, and then later I find it is still on the older version. It seems to work better going through System | RouterBOARD and not QuickSet. Final words:
The Mikrotik CRS326-24G-2S+RM is the cheaper and overall better solution, when compared to the ES-48-LITE. It isn't without it's annoying quirks.