RANCID, Mikrotik, and SSH

I’m a big fan of RANCID.  While RANCID is best known as a management tool for automatically backing up Cisco configs, it also supports much other handware, and is fairly easily extensible.  I’m responsible for several Mikrotik routers, and need to back up their configurations.  People have written scripts for Mikrotik support in RANCID… but they don’t work with SSH, only telnet.  And they don’t work if you run SSH on an unusual port.

After trials, errors, advice from Chris Falz, and more errors and trials, I found that the following RANCID configuration works.

add password YourRouter YourPasswordHere
add user YourRouter YourUsername+ct
add method YourRouter ssh
add sshcmd YourRouter {/usr/local/scripts/microtiklogin.sh}
add noenable YourRouter {1}

Adding +ct to your username turns off color.  Setting an SSH port in RANCID’s usual way didn’t work with the third-party mtlogin script, and the sshcmd variable doesn’t cope with spaces well, so I used an external SSH command script.  This script is just:

#!/bin/sh
exec ssh -p PortNumber $@

My Mikrotik configs are now automatically backed up over SSH.

If you’re looking for a good Perl project, fixing the actual underlying mtlogin and mtrancid SSH functions would be appreciated.

5 Replies to “RANCID, Mikrotik, and SSH”

  1. You can change the default outbound SSH port by editing /etc/ssh/ssh_config. This changed it for me when using rancid on Debian. If you always change the SSH port, then when you use ssh in general from that machine you don’t have to specify that port.

  2. This is interesting, looking at the cloginrc manpage, the “method:port” option is supposedly only for telnet.

    That said, this diff against mtlogin seems to work:


    --- /usr/local/libexec/rancid/mtlogin.dist 2014-08-07 04:08:03.000000000 -0400
    +++ /usr/local/libexec/rancid/mtlogin 2014-08-07 04:20:11.000000000 -0400
    @@ -314,11 +314,19 @@
    send_user "\nError: telnet failed: $reason\n"
    return 1
    }
    - } elseif ![string compare $prog "ssh"] {
    - if [ catch {spawn $sshcmd -c $cyphertype -x -l $user+ct $router} reason ] {
    - send_user "\nError: $sshcmd failed: $reason\n"
    - return 1
    - }
    + } elseif [string match "ssh*" $prog] {
    + regexp {ssh(:([^[:space:]]+))*} $prog command suffix port
    + if {"$port" == ""} {
    + if [ catch {spawn $sshcmd -c $cyphertype -x -l $user+ct $router} reason ] {
    + send_user "\nError: $sshcmd failed: $reason\n"
    + return 1
    + }
    + } else {
    + if [ catch {spawn $sshcmd -p $port -c $cyphertype -x -l $user+ct $router} reason ] {
    + send_user "\nError: $sshcmd failed: $reason\n"
    + return 1
    + }
    + }
    } elseif ![string compare $prog "rsh"] {
    send_error "\nError: unsupported method: rsh\n"
    if { $progs == 0 } {

    The resulting ssh call with a method of “ssh:2222” in .cloginrc:


    rancid 55371 0.0 0.2 38576 5176 2 Is+ 4:24AM 0:00.00 ssh -p 2222 -c 3des -x -l admin+ct tower2-mik.

    I also noticed the mtlogin adds the “+ct” to the username, so apparently that’s not required anymore.

Comments are closed.