Unsolved
110 Posts
January 9th, 2013 02:00
Steps needed to create an SSH public key
Hello,
I am working with a Dell 3448 now and trying to add SSH public key access. Does anyone have clear steps for how to generate the key?
My steps are:
On the client side (Linux)
1. Generate rsa key
> ssh-keygen -t rsa
It should have generated a public key at /user/.ssh/id_rsa.pub like
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAynwu0QyOUdDn0Xn/RZlfSJ3SvPmRDVO7xqGNImTmGQQvwjcIpcqFNHfH6U0yBPjYeq81BFyyffSUCalM/Jl+9aAF7RJL3qJTkB8KnMG4FAv58C8VEvJdjpuKTvNUB09SvdajGVMSJT....== user@domain.com
2. Then create a new user on the Dell switch that needs pubkey-chain login
console# configure
console(config)# crypto key pubkey-chain ssh
console(config)# crypto key pubkey-chain ssh
console(config-pubkey-chain)# user-key user
console(config-pubkey-key)# key-string <--- press enter and then input the public key in there.
AAAAB3NzaC1yc2EAAAABIwAAAQEAynwu0QyOUdDn0Xn/RZlfSJ3SvPmRDVO7xqGNImTmGQQvwjcIpcqFNHfH6U0yBPjYeq81BFyyffSUCalM/Jl+9aAF7RJL3qJTkB8KnMG4FAv58C8VEvJdjpuKTvNUB09SvdajGVMSJT....==
After completing the input and pressing enter, it gives this error output:
02-Jan-2000 10:51:29 %SSHD-E-ERROR: SSH error: key_read: uudecode ssh-rsa failed Invalid key string
What is the problem? Please advise. Thanks!



machiasiaweb2
January 9th, 2013 06:00
This is the output after entering rsa
console# configure
console(config)# crypto key pubkey-chain ssh
console(config-pubkey-chain)# user-key support2 rsa
console(config-pubkey-key)# key-string rsa <-- press enter and then copy and paste the pub key
AAAAB3NzaC1yc2EAAAABIwAAAQEAynwu0QyOUdDn0Xn/RZlfSJ3SvPmRDVO7xqGNImTmGQQvwjcIpcqFNHfH6U0yBPjYeq81BFyyffSUCalM/Jl+9aAF7RJL3qJTkB8KnMG4FAv58C8VEvJdjpuKTvNUB09SvdajGVMSJT....==
<--- press enter x 2
02-Jan-2000 15:17:57 %SSHD-E-ERROR: SSH error: buffer_get_string: Bad string length -1362722816
02-Jan-2000 15:17:57 %SSHD-E-ERROR: SSH error: key_from_blob: invalid key type.
02-Jan-2000 15:17:57 %SSHD-E-ERROR: SSH error: key_read: key_from_blob rsaAAAAB3NzaC1yc2EAAAABIwAAAQEAynwu0QyOUdDn0Xn/RZlfSJ3SvP... failed
Invalid key string
Do you know why? Thanks!
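An added example, not part of the original posts: it decodes the start of a key-string value the way an SSH key blob is laid out (length-prefixed fields) and shows that the same key with `rsa` in front of it, as in the logged `key_from_blob rsaAAAAB3...` line, yields exactly the `Bad string length -1362722816` reported above. The function names are hypothetical; the sample is the first 40 characters of the key quoted in the thread, and `blob_len` comes out as the `blen 277` seen in the later debug output.

```python
import base64
import struct

# Constructed sample: the first 40 base64 characters of the key quoted in the thread.
PAGE_KEY_HEAD = "AAAAB3NzaC1yc2EAAAABIwAAAQEAynwu0QyOUdDn"

def blob_field(line):
    """Pick the base64 field out of an id_rsa.pub line ('ssh-rsa <blob> comment')."""
    parts = line.split()
    if not parts:
        raise ValueError("empty key string")
    return parts[1] if len(parts) > 1 and parts[0].startswith("ssh-") else parts[0]

def _length(buf, off):
    """Read a big-endian length field as a signed 32-bit integer."""
    if off + 4 > len(buf):
        raise ValueError("key string too short to inspect")
    (n,) = struct.unpack_from(">i", buf, off)
    if not 0 < n <= 8192:
        raise ValueError(f"bad string length {n}")
    return n

def _string(buf, off):
    """Read one length-prefixed field; return its bytes and the next offset."""
    n = _length(buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("key string too short to inspect")
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_key_head(key_string):
    """Decode the start of a key-string value and report what the blob declares."""
    text = "".join(key_string.split()).rstrip("=")[:40]
    buf = base64.b64decode(text[:len(text) // 4 * 4], validate=True)
    ktype, off = _string(buf, 0)
    if ktype != b"ssh-rsa":
        raise ValueError(f"unexpected key type {ktype!r}")
    exponent, off = _string(buf, off)
    modulus_len = _length(buf, off)  # modulus bytes follow; only the length is read
    return {"type": "ssh-rsa", "exponent": int.from_bytes(exponent, "big"),
            "blob_len": off + 4 + modulus_len}
```

Running `inspect_key_head(blob_field(line))` on the contents of id_rsa.pub before pasting confirms that the text starts at the `AAAA...` field and not at a key-type word.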
machiasiaweb2
January 9th, 2013 20:00
I finally created it successfully. It should be done with
console(config-pubkey-chain)# user-key user rsa
console(config-pubkey-key)# key-string <-- start place the pub key from here
Thanks for the advice.
But a new question comes up: why does it still ask me for a username and password?
and
Is it that either "ip ssh pubkey-auth" or "ip ssh server" is supported?
The following is part of my config for reference
=======================
aaa authentication enable default line
aaa authentication login default local
line ssh
password 60b6be022be2346a7be1b63107626fdf encrypted
exit
username admin password 60b6be022be2346a7be163107626fdf level 15 encrypted
username user password 60b6be022be2346a7be1b63107626fdf level 15 encrypted
ip ssh server
ip ssh pubkey-auth
crypto key pubkey-chain ssh
user-key support2 rsa
key-string row AAAAB3NzaC1yc2EAAAABIwAAAQEAzwV4m/Lr/1D8
key-string row +YWbYspkDOCtWm778afFsmFp5C4ScPorD1+sPGBT
key-string row M8KBreOdRu8xiy1UNcmstTtXMafyCPTUZhd9CfCt
key-string row 9lfEgOf6DNJ0eKkJdaonWlV4+QWZaeTN
key-string row NCqbug4q4Oi6XhJJYi3/KGH+d1feGn5thxal8vMR
key-string row ZLktisvCqr+V5A9XhEWdp1o5ct73tToy0ExHHaWY
key-string row 5OCAwIYKMkadHBc6ugsDggUpDrYm/RGGuvZnAno7
key-string row 8SEunsSIbaBXpscwCmjF4PPYfo1Ej/T95fNo6qlF
key-string row 40JQigwSr4a2dpW96ho1i9saf0SBFDvnAXH1cVJD
key-string row 4DLVfGSfIxrVadp27w==
exit
exit
=============================
machiasiaweb2
January 13th, 2013 19:00
Hello,
After enabling ip ssh pubkey-auth
Login using the pre-imported public key
========================================
[user@testdellsw ~]$ ssh 192.168.168.1
User Name:user
Password:***********
========================================
If the user does not have the correct private key on hand
=======================================
[noprivkey@testdellsw ~]# ssh 192.168.168.1
Permission denied (publickey).
=======================================
That is why I am asking: why does it still require a username and password even with the correct private key?
and
Is it that either "ip ssh pubkey-auth" or "ip ssh server" is supported?
Thanks!
machiasiaweb2
January 15th, 2013 01:00
Hello,
Just updated some config with
-------
aaa authentication enable default line
aaa authentication enable user none
aaa authentication login default local
aaa authentication login user none
------
This time the result is that the user only has to input their username and does not need to enter a password. But it seems this just lets the username called user bypass entering the password.
The following is ssh run with debug, for reference:
-------
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.168.1 [192.168.168.1] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/identity type -1
debug1: identity file /home/user/.ssh/id_rsa type 1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.4p1.RL
debug1: match: OpenSSH_3.4p1.RL pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.168.1' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/identity
debug1: Offering public key: /home/user/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
----------
machiasiaweb2
January 16th, 2013 19:00
Hello,
Please check the following output for any ideas on this question.
******************************
console# show authentication methods
Login Authentication Method Lists
----------------------------------
Default : Local
user : None
Enable Authentication Method Lists
----------------------------------
Default : Line
user : None
Line       Login Method List    Enable Method List
-------    -----------------    -------------------
Console    Default              Default
Telnet     Default              Default
SSH        Default              Default
http : Local
https : Local
dot1x :
************************************
Thanks!
machiasiaweb2
January 18th, 2013 02:00
The current result is:
- A user without the correct public/private key pair is not allowed to log in
- When a user has the correct public/private key pair, they can log in at the non-privileged level
- If I remove "ip ssh pubkey-auth", everybody can log in without a username or password, and enters the non-privileged level
- No password is needed after entering >enable
The updated config now:
-----------------
aaa authentication enable default line
aaa authentication enable user none
aaa authentication login default local
aaa authentication login user none
line ssh
login authentication user
enable authentication user
password 60b6be022be2346a7be1b63107626fdf encrypted
exit
username user password d41d8cd98f00b204e9800998ecf8427e level 15 encrypted
--------------------
console# show authentication methods
Login Authentication Method Lists
----------------------------------
Default : Local
user : None
Enable Authentication Method Lists
----------------------------------
Default : Line
user : None
Line       Login Method List    Enable Method List
-------    -----------------    -------------------
Console    Default              Default
Telnet     Default              Default
SSH        user                 user
http : Local
https : Local
dot1x :
----------------------------
Thanks for the advice
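An added example, not part of the original posts: a small audit of a configuration like the one above, flagging `none` method lists bound to `line ssh` (the state in which the poster saw logins with no username or password once `ip ssh pubkey-auth` was removed) and any `encrypted` password equal to the MD5 digest of an empty string, which is what `d41d8cd98f00b204e9800998ecf8427e` is. The `audit` function and its finding texts are hypothetical, and treating the `encrypted` field as a plain MD5 digest is an assumption drawn from that match.

```python
import hashlib
import re

# Constructed sample, assembled from configuration lines quoted in the thread.
SAMPLE_CONFIG = """\
aaa authentication enable user none
aaa authentication login default local
aaa authentication login user none
line ssh
login authentication user
enable authentication user
exit
username user password d41d8cd98f00b204e9800998ecf8427e level 15 encrypted
ip ssh server
"""

EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # digest of a zero-length password

def audit(config):
    """Return findings for 'none' method lists on line ssh and empty-password hashes."""
    methods, bound, findings = {}, {}, []
    in_ssh = pubkey = False
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"aaa authentication (login|enable) (\S+) (.+)", line):
            methods[(m[1], m[2])] = m[3].split()
        elif line == "line ssh":
            in_ssh = True
        elif line == "exit":
            in_ssh = False
        elif in_ssh and (m := re.match(r"(login|enable) authentication (\S+)", line)):
            bound[m[1]] = m[2]          # method list applied to SSH sessions
        elif line == "ip ssh pubkey-auth":
            pubkey = True
        elif m := re.match(r"username (\S+) password ([0-9a-f]{32}) level (\d+)", line):
            if m[2] == EMPTY_MD5:
                findings.append(f"empty-password hash: {m[1]} (level {m[3]})")
    for kind in ("login", "enable"):
        # An unbound line falls back to the list named "default".
        if methods.get((kind, bound.get(kind, "default"))) == ["none"]:
            if kind == "enable":
                findings.append("ssh enable: no password required")
            elif pubkey:
                findings.append("ssh login: public key is the only credential")
            else:
                findings.append("ssh login: no credential required")
    return findings
```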
machiasiaweb2
January 21st, 2013 19:00
Yes, it is close to what I expected. I just want to see whether it is possible to configure the following:
- Can the user enter the enable privileged level directly after login, rather than having to enter "enable" after access?
- How can I keep other users able to log in with their username and password through ssh?
-------------------- part of config -----------------------------------
aaa authentication enable default line
aaa authentication enable user none
aaa authentication login default local
aaa authentication login user none
line ssh
login authentication user
enable authentication user
password 60b6be022be2346a7be1b63107626fdf encrypted
exit
username user password d41d8cd98f00b204e9800998ecf8427e level 15 encrypted
ip ssh server
ip ssh pubkey-auth
crypto key pubkey-chain ssh
user-key user rsa
key-string row AAAAB3NzaC1yc2EAAAABIwAAAQEAtYX/x5cDBPkD
key-string row q6s2U0jIh908qlg/NFqR4EJWbrIZSpfIExGc4dET
key-string row L7RCP0W2cLet9uG891cLiN6rOoGfRBLiai5SSqKE
key-string row z/aEJrnRe7AjHPVK60tQRPH7pQCVDoJW
key-string row Q6zyJzo7ensi9PgSu6rzIuSLB8V7DJ8D/tjQtomD
key-string row KTTP2LTo4io3qOnxD9dsNmc/bZqo5i8B6YGbeIM8
key-string row AVtdvLBFHwuqryarqx3L62n8alV6vpnoUJYFCXwI
key-string row yPEcUd9JoYLljdT80fNjh44ePNJeO6hUaJ7Hr8Fn
key-string row jhchCaGFhotlWbYCLBVJh5uKUeBmXw7Ju9GwezGX
key-string row CwbNpwgNDFtgnvfwXQ==
exit
----------------------------------------------------------------------------------
Thanks!
Mike_B_Nichols
1 Message
October 16th, 2019 14:00
Once you have the RSA key associated with the user, you turn on the key checking by issuing:
conf
ip ssh pub-key auth
You shouldn't be prompted for a password after typing in the user name.
Of course you need the private key sent via whatever ssh client you are using. That's a whole other wormhole.