July 20th, 2012 13:00

6224 - how to setup public-key ssh authentication

Hi,

I have a 6224 with password-based SSH working fine. The next step is to make it public-key based for some users.

I've configured the public key in the 6224. But still, when SSHing to the 6224 with the private key, it asks for a password. (If I configure a user without a password, the 6224 still asks for a password; furthermore, that user can log in even without the private SSH key.)

[gaash@rd01 ~/devices/rt01.it]$ssh -i ../keys/admin-rt admin-ssh@rt01.it
Authenticated with partial success.
admin-ssh@rt01.it's password:   

Did someone make it work?

Thanks,

Gaash

rt01.it#show crypto key pubkey-chain ssh

Username                              Fingerprint                             
-------------- ---------------------------------------------------------------
 admin-ssh    8d:c0:b2:f1:ff:a6:c3:7f:63:7c:22:46:ac:c6:3c:20

rt01.it#show running-config                                                          
!Current Configuration:
!System Description "PowerConnect 6224, 3.3.3.3, VxWorks 6.5"
!System Software Version 3.3.3.3
!Cut-through mode is configured as disabled
!
configure
...

no passwords min-length
username "admin" password b09514ed87ee469a6af2e49992bb9e16 level 15 encrypted
username "admin-ssh" password d41d8cd98f00b204e9800998ecf8427e level 15 encrypted

                     
crypto key pubkey-chain ssh
user-key "admin-ssh" rsa
key-string row  AAAAB3NzaC1yc2EAAAABIwAAAQEAqHb+sqZjuq02Fc5J61wojZH/zF3IpoaGXnLd09FdvyFPQMO66mITuZmKaKWCI3KVhHmoSWK6w2W6Z+0VYlP7trOO0Ig5rKKO1PA3M/LD8SwnbNi5avJpgs+vn0OyEptNiZmA1T1N3OMMWEyt0iHwffMdp9SFDtCLCxZORHFOyTE4cayotQblgDrsLC34XwtJdGRVNiSH/deBQCt9rSErG/WOJKVkpuavbCD9i2ULyQExqTpCv6wQGgNmOo2hUM6yHNL1u8gKCHtmGdKIA9rVcQ4AoOOq93FRPmsHYAyVhilK9RSaXokuhOFQh5cr9YyncAqWHVZMfO+prEQNu+OWjw==
exit
exit
line ssh
exec-timeout 60
exit
ip ssh server
ip ssh pubkey-auth
...

---------------

[gaash@rd01 ~/devices/rt01.it]$ssh -i ../keys/admin-rt -v admin-ssh@rt01.it
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /users/eng/gaash/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to rt01.it [10.9.12.1] port 22.
debug1: Connection established.
debug1: identity file ../keys/admin-rt type 1
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'rt01.it' is known and matches the RSA host key.
debug1: Found key in /users/eng/gaash/.ssh/known_hosts:119
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: ../keys/admin-rt
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: read PEM private key done: type RSA
Authenticated with partial success.
debug1: Authentications that can continue: password
debug1: Next authentication method: password
admin-ssh@rt01.it's password:
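Two checks that follow from the post above, written here as an added example (not code from the thread or from Dell). The first decodes the key-string blob from the running-config to confirm it is a well-formed ssh-rsa key and computes the colon-separated MD5 fingerprint that `ssh-keygen -l` printed in the OpenSSH 5.x era, for comparison with what `show crypto key pubkey-chain ssh` reported; whether the switch's fingerprint is the MD5 of this exact blob is not assumed, the script only reports match or mismatch. The second walks the authentication part of the `ssh -v` transcript to show what "Authenticated with partial success." means: the server accepted the key but, via the RFC 4252 partial-success flag, still requires one of the methods in the "can continue" list that follows it. The blob, fingerprint and transcript lines are copied from the post and are the only input.

```python
"""Added example: two checks on what the first post shows.

KEY_BLOB_B64, SWITCH_FINGERPRINT and SSH_VERBOSE_TRANSCRIPT are copied from
the post; they are the only input.  Nothing here talks to a switch."""
import base64
import hashlib
import re
import struct

# The key-string row value from the running-config (copied from the post).
KEY_BLOB_B64 = ("AAAAB3NzaC1yc2EAAAABIwAAAQEAqHb+sqZjuq02Fc5J61wojZH/zF3IpoaGXnLd09FdvyFPQMO66mITuZmKaKWCI3KVhHmoSWK6w2W6Z+0VYlP7trOO0Ig5rKKO1PA3M/LD8SwnbNi5avJpgs+vn0OyEptNiZmA1T1N3OMMWEyt0iHwffMdp9SFDtCLCxZORHFOyTE4cayotQblgDrsLC34XwtJdGRVNiSH/deBQCt9rSErG/WOJKVkpuavbCD9i2ULyQExqTpCv6wQGgNmOo2hUM6yHNL1u8gKCHtmGdKIA9rVcQ4AoOOq93FRPmsHYAyVhilK9RSaXokuhOFQh5cr9YyncAqWHVZMfO+prEQNu+OWjw==")

# What 'show crypto key pubkey-chain ssh' printed for user admin-ssh (copied from the post).
SWITCH_FINGERPRINT = "8d:c0:b2:f1:ff:a6:c3:7f:63:7c:22:46:ac:c6:3c:20"

# Authentication phase of the ssh -v run (copied from the post).
SSH_VERBOSE_TRANSCRIPT = """\
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: ../keys/admin-rt
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: read PEM private key done: type RSA
Authenticated with partial success.
debug1: Authentications that can continue: password
debug1: Next authentication method: password
admin-ssh@rt01.it's password:
"""


def _read_string(buf, off):
    """RFC 4251 'string': 4-byte big-endian length, then that many bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_ssh_rsa_blob(b64):
    """Decode an ssh-rsa public key blob (RFC 4253 6.6: string "ssh-rsa",
    mpint e, mpint n) and return its type, exponent, modulus and byte length."""
    blob = base64.b64decode(b64)
    ktype, off = _read_string(blob, 0)
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the modulus: not a bare ssh-rsa blob")
    return {"type": ktype.decode("ascii"),
            "e": int.from_bytes(e_bytes, "big"),
            "n": int.from_bytes(n_bytes, "big"),
            "blob_len": len(blob)}


def md5_fingerprint(b64):
    """Colon-separated MD5 of the raw blob, the form ssh-keygen -l printed in the
    OpenSSH 5.x era (ssh-keygen -l -E md5 on current releases)."""
    digest = hashlib.md5(base64.b64decode(b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def analyse_ssh_verbose(transcript):
    """Walk the client-side userauth messages and report where the key got us.

    'Authenticated with partial success.' is the OpenSSH client printing the
    RFC 4252 partial-success flag: the server accepted the method just tried but
    requires another one.  The 'can continue' list printed after it is exactly
    what the server still wants, so it is recorded separately as 'remaining'."""
    r = {"offered": None, "key_accepted": False, "key_blen": None,
         "partial_success": False, "remaining": None, "password_prompt": False}
    for line in transcript.splitlines():
        m = re.match(r"debug1: Authentications that can continue: (.+)$", line)
        if m:
            methods = m.group(1).split(",")
            if r["partial_success"]:
                r["remaining"] = methods
            elif r["offered"] is None:
                r["offered"] = methods
            continue
        m = re.match(r"debug1: Server accepts key: pkalg (\S+) blen (\d+)$", line)
        if m:
            r["key_accepted"], r["key_blen"] = True, int(m.group(2))
        elif line.startswith("Authenticated with partial success"):
            r["partial_success"] = True
        elif line.rstrip().endswith("password:"):
            r["password_prompt"] = True
    return r


def verdict(r):
    """One-line reading of analyse_ssh_verbose()'s result."""
    if not r["key_accepted"]:
        return "key not accepted: compare the key-string on the switch with the local public key"
    if r["partial_success"]:
        return "key accepted, but the server still requires: " + ",".join(r["remaining"] or [])
    return "key accepted and authentication complete"


if __name__ == "__main__":
    key = parse_ssh_rsa_blob(KEY_BLOB_B64)
    print("configured key: %s, %d-bit modulus, e=%d, blob %d bytes"
          % (key["type"], key["n"].bit_length(), key["e"], key["blob_len"]))
    fp = md5_fingerprint(KEY_BLOB_B64)
    print("md5 of blob: %s  switch shows: %s  -> %s"
          % (fp, SWITCH_FINGERPRINT, "match" if fp == SWITCH_FINGERPRINT else "mismatch"))
    result = analyse_ssh_verbose(SSH_VERBOSE_TRANSCRIPT)
    if result["key_blen"] == key["blob_len"]:
        print("server accepted a %d-byte blob, same length as the configured key" % key["blob_len"])
    print(verdict(result))
```

The 277-byte blob length the server reports in "Server accepts key" equals the decoded length of the configured key-string, so the switch did match the offered key; the stop at a password prompt is the server asking for a second method, not a key mismatch. The client-side form of the same check is to run ssh with `-o BatchMode=yes -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no`: a server that insists on a further method then fails with "Permission denied" instead of pausing at a prompt, which makes key-only login scriptable and testable.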

802 Posts

July 20th, 2012 15:00

On 6224 switches, you must generate both RSA and DSA keys in order to enable SSH on the switch.

console# configure
console(config)#crypto key generate rsa
RSA key generation started, this may take a few minutes..... RSA key generation complete.

console# configure
console(config)#crypto key generate dsa
DSA key generation started, this may take a few minutes........................ DSA key generation complete.

If prompted to overwrite any existing keys, select Y for yes.

Can you provide the output for this command?

console#show ip ssh

From what I'm reading, a valid IP address, username and password must be assigned in order to log in via SSH after the keys are created.

I would also recommend that you have the latest firmware installed.

v3.3.3.3

http://www.dell.com/support/drivers/us/en/555/DriverDetails/DriverFileFormats?DriverId=53M6W&FileId=2923322702&productCode=powerconnect-6224&urlProductCode=False

Hope this helps,

Keep us updated if you can.

10 Posts

July 20th, 2012 21:00

Hi,

I'm running the latest version 3.3.3.3 as indicated by the configuration's 2nd line.

Both RSA & DSA keys have been generated. See below. To remove any doubt, ssh password authentication works. Problem is with public-key authentication.

A user was defined. Why is a user password required if public-key authentication is used?

In short, problem is not solved.

Regards,

Gaash

rt01.it#show ip ssh
SSH Server enabled.  Port: 22
Protocol Levels: Versions 1 and 2.
RSA key was generated.
DSA key was generated.
SSH Public Key Authentication is enabled.
Active Incoming Sessions.
Ip Address       User Name        Idle Time    Session Time
---------------  ---------------  ------------  ------------
10.9.8.11        admin            00:00:00      00:00:14

802 Posts

July 24th, 2012 16:00

After talking this through with a couple of analysts, we have come up with some useful information. This post from our forum discusses the same topic with a verified answer.

en.community.dell.com/.../19935126.aspx

One should be able to view the authentication methods with the “show authentication methods” command. It looks like by default SSH is set to the networkList login method list, which sets the authentication method to local. If we change the login method list to defaultList, that should set the method to none as described in the posting above. We can do that with the commands below.

console>enable
console#config
console(config)#line ssh
console(config-ssh)#login authentication defaultList
console(config-ssh)#end
console#show authentication methods
console#copy running-config startup-config

Thanks for your patience

10 Posts

July 25th, 2012 14:00

Setting ssh authentication to defaultList prevents ssh login, both with password and public key.

rt01.it.qwilt.com#configure
rt01.it.qwilt.com(config)#line ssh
rt01.it.qwilt.com(config-ssh)#login authentication defaultList
rt01.it.qwilt.com(config-ssh)#end
rt01.it.qwilt.com#show authentication methods

Login Authentication Method Lists
---------------------------------
defaultList         :  none
networkList         :  local

Enable Authentication Method Lists
----------------------------------
enableList          :  none

Line     Login Method List    Enable Method List
-------  -----------------    ------------------
Console  defaultList          enableList
Telnet   networkList          enableList
SSH      defaultList          enableList

HTTPS       :local
HTTP        :local
DOT1X       :

rt01.it.qwilt.com#show version

Image Descriptions
image1 : default image
image2 :

Images currently available on Flash
--------------------------------------------------------------------
unit      image1      image2     current-active        next-active
--------------------------------------------------------------------
   1    3.3.1.10     3.3.3.3             image2             image2

[gaash@m01 ~/devices/rt01.it]$ssh admin@rt01.it
buffer_get_ret: trying to get more bytes 4 than in buffer 0
buffer_get_int: buffer error
[gaash@m01 ~/devices/rt01.it]$ssh  -i ../keys/admin-rt admin@rt01.it
buffer_get_ret: trying to get more bytes 4 than in buffer 0
buffer_get_int: buffer error
[gaash@m01 ~/devices/rt01.it]$
[gaash@m01 ~/devices/rt01.it]$ssh -v
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
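An added example (not from the thread or from Dell) that reads the `show authentication methods` listing posted above and flags every place a method list contains `none`. In that listing the SSH and Console lines resolve to defaultList = none, so nothing on those lines checks a credential, and the enable list is none as well; `none` on a network-reachable line is the weakest setting the switch offers, which is why the script rates it higher there than on the console port. The parser targets the layout exactly as printed above; other firmware layouts are not assumed.

```python
"""Added example: audit a PowerConnect 'show authentication methods' listing.

SAMPLE is copied from the output in the thread, taken after 'login
authentication defaultList' was applied to the SSH line.  A method list that
contains 'none' lets a session on that line proceed without a credential, which
is what this script looks for."""
import re

SAMPLE = """\
Login Authentication Method Lists
---------------------------------
defaultList         :  none
networkList         :  local
Enable Authentication Method Lists
----------------------------------
enableList          :  none
Line     Login Method List    Enable Method List
-------  -----------------    ------------------
Console  defaultList          enableList
Telnet   networkList          enableList
SSH      defaultList          enableList
HTTPS       :local
HTTP        :local
DOT1X       :
"""

# Lines reachable over the network; 'none' there is worse than on the console port.
NETWORK_LINES = {"Telnet", "SSH", "HTTP", "HTTPS"}


def parse_auth_methods(text):
    """Return (login_lists, enable_lists, lines, services).

    login_lists and enable_lists map a list name to its ordered methods, lines
    maps a terminal line (Console/Telnet/SSH) to (login list, enable list), and
    services maps HTTP/HTTPS/DOT1X to the method printed next to them."""
    login_lists, enable_lists, lines, services = {}, {}, {}, {}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or set(line) <= set("- "):
            continue                      # blank or a ---- rule
        if line.startswith("Login Authentication Method Lists"):
            section = "login"
            continue
        if line.startswith("Enable Authentication Method Lists"):
            section = "enable"
            continue
        if line.startswith("Line "):
            section = "lines"             # header of the line -> list table
            continue
        m = re.match(r"^(\w+)\s*:\s*(.*)$", line)
        if m:
            name = m.group(1)
            methods = [t for t in re.split(r"[,\s]+", m.group(2)) if t]
            if section == "login":
                login_lists[name] = methods
            elif section == "enable":
                enable_lists[name] = methods
            else:
                services[name] = methods  # HTTPS/HTTP/DOT1X carry a method, not a list name
            continue
        if section == "lines":
            parts = line.split()
            if len(parts) == 3:
                lines[parts[0]] = (parts[1], parts[2])
    return login_lists, enable_lists, lines, services


def audit(text):
    """Resolve every line to its methods and flag each place 'none' appears."""
    login_lists, enable_lists, lines, services = parse_auth_methods(text)
    findings = []
    for name, (login, enable) in lines.items():
        login_methods = login_lists.get(login, [])
        enable_methods = enable_lists.get(enable, [])
        sev = "high" if name in NETWORK_LINES else "medium"
        if "none" in login_methods:
            findings.append({"line": name, "kind": "login", "severity": sev,
                             "detail": "%s -> %s: no credential required to log in"
                                       % (login, " ".join(login_methods))})
        if "none" in enable_methods:
            findings.append({"line": name, "kind": "enable", "severity": sev,
                             "detail": "%s -> %s: no enable-password check configured"
                                       % (enable, " ".join(enable_methods))})
    for name, methods in services.items():
        if "none" in methods:
            findings.append({"line": name, "kind": "login", "severity": "high",
                             "detail": "%s: no credential required" % " ".join(methods)})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("%-6s %-7s %-6s %s" % (f["severity"], f["line"], f["kind"], f["detail"]))
```

Paste any other `show authentication methods` output into SAMPLE (or feed it on stdin with a small wrapper) to run the same check against a different switch; a clean result for the SSH line is a login list that resolves to `local` or a remote method, never `none`.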

802 Posts

July 25th, 2012 16:00

Have you run this command from Global Config?

Console(config)# ip ssh pubkey-auth - Enables public key authentication for incoming SSH sessions.

10 Posts

July 25th, 2012 21:00

We are making some progress but we are not there yet.

"ip ssh pubkey-auth" was configured

In my previous post I used the wrong login name for publickey. Here is the updated status:

Without "login authentication defaultList":

 "admin" user - password based - may log in (and may enable privileged mode without an enable password)

 "admin-ssh" user - public-key - can't log in. (That's OK.)

With "login authentication defaultList":

 "admin" user - password based - cannot log in - ssh client buffer error as before - issue #1

 "admin-ssh" user - public-key - logs in successfully but cannot enable privileged mode - issue #2

Below is the relevant configuration fragment and issues output

Thanks

Gaash

no passwords min-length
username "admin" password xxxx level 15 encrypted
crypto key pubkey-chain ssh
user-key "admin-ssh" rsa
key-string row  xxxxx
exit
exit
line ssh
exec-timeout 60
login authentication defaultList
exit
ip ssh server
ip ssh pubkey-auth
!

issue #1:
------------
[gaash@m01 ~/devices/rt01.it]$ssh admin@rt01.it
buffer_get_ret: trying to get more bytes 4 than in buffer 0
buffer_get_int: buffer error

issue #2
------------
[gaash@m01 ~/devices/rt01.it]$ssh  -i ../keys/admin-rt admin-ssh@rt01.it
rt01.it.qwilt.com>en
Access Denied! You are not authorized to enter into Privilege mode!
rt01.it.qwilt.com>logout
Connection to rt01.it closed.

10 Posts

August 4th, 2012 03:00

Would someone from Dell take a look?

802 Posts

August 6th, 2012 12:00

Gaash,

Could you email a show run of the config on your switch along with a show authentication methods?

William_Marsh@Dell.com

What we need to do is tell it to authenticate with whatever method shows up under show authentication methods and add the appropriate aaa command.
