Highlighted
2 Bronze

iDRAC8 2.70.70.70 SSH keyboard interactive authentication

Is there a way to disable the keyboard interactive authentication requirement with SSH on iDRAC8 2.70.70.70? We have some asset scanning software that can no longer scan iDRAC8 at that firmware level.

0 Kudos
18 Replies
Highlighted
Moderator
Moderator

Re: iDRAC8 2.70.70.70 SSH keyboard interactive authentication

I am not aware of a method to disable that security feature. I suggest checking to see if something like SNMP can be used in place of SSH.

Daniel Mysinger
Dell EMC, Enterprise Engineer

0 Kudos
Highlighted
1 Copper

Re: iDRAC8 2.70.70.70 SSH keyboard interactive authentication

Having the same problem here, since updating a few iDracs to 2.70.70.70 our scripts can not longer log into our iDracs because they respond "Publickey or keyboard-interactive" instead of "Publickey or Password" when connecting via Pythons Paramiko.

0 Kudos
Highlighted
1 Copper

Re: iDRAC8 2.70.70.70 SSH keyboard interactive authentication

You can try the following patch in paramiko client.py:

         if password is not None:
             try:
-                self._transport.auth_password(username, password)
-                return
+                self._log(DEBUG, "trying password")
+                allowed_types = self._transport.auth_password(username, password)
+                if not allowed_types:
+                    return
             except SSHException as e:
                 saved_exception = e
-        elif two_factor:
+        if 'keyboard-interactive' in allowed_types:
             try:
+                self._log(DEBUG, "trying interactive")
                 self._transport.auth_interactive_dumb(username)
                 return
Highlighted
2 Bronze

Re: iDRAC8 2.70.70.70 SSH keyboard interactive authentication

hi pavel I dm'ed you I can't get that code snippet to work on paramiko can you help please?

I also posted to stack overflow to see if someone can get me past that stupid keyboard authentication 

https://stackoverflow.com/questions/63040634/connecting-ssh-client-with-paramiko-using-python-to-del...

thanks

0 Kudos
Highlighted
2 Bronze

Re: iDRAC8 2.70.70.70 SSH keyboard interactive authentication

nvm I figured it out didn't know there was a method to send a fake entry to the connection no need to edit the client.py file

here is my method to connect if anyone needs it 

def connectSSH(my_file, user_name, password):
    ip = str(my_file.split(',')[0]).strip()
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        ssh.connect(ip, 22, user_name, password)
        (ssh.get_transport()).auth_interactive_dumb(user_name)
        return ssh
    except:
        with open(f'{ip}.txt', 'a') as f:
            f.writelines(ip + '\t COULDN\'T CONNECT\n')

 

Highlighted
2 Bronze

Re: iDRAC8 2.70.70.70 SSH keyboard interactive authentication

noticed that if its the old version and didn't need the further auth it would fail so i put in a check

def connectSSH(my_file, user_name, password):
    ip = str(my_file.split(',')[0]).strip()
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        ssh.connect(ip, 22, user_name, password)
        key_auth = str(ssh.get_transport())
        if 'awaiting auth' in key_auth:
            (ssh.get_transport()).auth_interactive_dumb(user_name)
return ssh
    except:
        with open(f'{ip}.txt', 'a') as f:
        f.writelines(ip + '\t COULDN\'T CONNECT\n')

0 Kudos
Highlighted

Re: iDRAC8 2.70.70.70 SSH keyboard interactive authentication

Hi @cyrylthewolf,


I was in touch with our senior engineers. I explained how lack of an option to disable this security feature is impacting your work. I specifically explained that your request is to simply make this optional.


The response I received is that it is impossible to make this feature optional. It is dependent on other features, which had to be implemented in the firmware (FCP and 2FA) and therefore it is technically not possible to make the Keyboard Interactive Authentication on-and-offable. It has been introduced as a static compile-time change. We won’t be able to accommodate your request. 


All I can suggest at this time is to try the workaround proposed by other users earlier in this thread.


I trust you’ll understand that I can’t do anything else at this time, but if you have any further questions, I’ll try my best to answer them.


Best regards.

logo
 Diego López
 
 Social Media and Communities Professional
 Comunidad Dell | @DellAyudaPro | Eventos en línea
0 Kudos
Highlighted
2 Bronze

Re: iDRAC8 2.70.70.70 SSH keyboard interactive authentication

While I refuse to accept the idea that it's somehow not possible... (Not even for a moment.)

I appreciate that YOU made the effort. This is where the end of reasonable expectation occurs and I have no choice but to accept that YOU have done all that you're able to. It is now a matter dead in the water and I shall have to rely on the vendor to assist.

I have been in touch with them, too. They are also attempting to create a workaround. ("Stay tuned..." - as they say.)

Thank you for your effort and time. No hard feelings.

Take care, @DiegoLopez 

0 Kudos
Highlighted
2 Bronze

Re: iDRAC8 2.70.70.70 SSH keyboard interactive authentication

Same. I'm using the same asset scanning software as the OP. It's broken now as of the most recent iDRAC updates. (Also, seemingly, 2.65.65.65 for my R620's iDRAC7. Was working just fine before.)

Please either make available the option to disable the keyboard-interactive auth or retro the feature all together. 

0 Kudos
Highlighted

Re: iDRAC8 2.70.70.70 SSH keyboard interactive authentication

Hey there,

 

this is a security-related feature and can't be deactivated. Please refer to the iDRAC 8 User’s Guide:

https://dell.to/2A4WbVX

 

Cheers
Stefan






DellEMCStefan Richter
Community Manager
Brand certified, SMaC Professional
0 Kudos
Highlighted
2 Bronze

Re: iDRAC8 2.70.70.70 SSH keyboard interactive authentication

So this feature - which was added by Dell in a firmware upgrade - has broken things for us - the user -...and what I'm hearing is, "We're not going to fix it - nor are we going to give the user the option to disable this feature on the hardware that they own." followed by a random instruction to read the iDRAC8 manual as though that will somehow help.

Unhelpful. 

Maybe find a way to give us the ability to control our hardware however we choose instead of making these choices for us? Consider adding the ability to disable it in a new release. Seems only proper that if we're spending money on this hardware that we are granted the ability to do with it as we see fit.

Guess I'll just roll back the firmware then.

Highlighted
2 Bronze

Re: iDRAC8 2.70.70.70 SSH keyboard interactive authentication

I'm trying out the 2.75.75.75 firmware for iDRAC 8. This problem (yes "PROBLEM") still persists.

Where is the option to disable this "Keyboard interactive authentication"?

As a customer, I have zero concern for Dell's opinion on whether or not the customer's hand should be held. I want control of my hardware.

This arbitrary, intrusive decision on Dell's part to take it upon themselves to decide these things for us is an inconvenience and it needs to be resolved.

So where is the solution? It is unhelpful to link us to manuals that will obviously yield nothing of relevance.

Please help us figure this out.

0 Kudos
Highlighted

Re: iDRAC8 2.70.70.70 SSH keyboard interactive authentication

Hello @cyrylthewolf,


I understand your point and obviously I can see this is an inconvenience for you and other customers. I can also understand this change will have an impact on customers who are using this protocol for certain functionalities. I am sorry for this.


However, you need to understand that this is, as my colleague @DELL-Stefan R mentioned, a security-related feature. Maybe there is no reason for you to put this functionality in place in terms of security. Maybe you don't care about this and it is perfectly fine in your environment. But from the security perspective is not a matter of "opinion" as you said. It is a matter of security.


The decision behind setting up the Keyboard interactive authentication requirement was made to enhance the security of the SSH connection protocol after several vulnerabilities and exploits were discovered. It's not an arbitrary decision. It's a decision based on the industry security standards and best practice (RFC 4256).


Regards.

logo
 Diego López
 
 Social Media and Communities Professional
 Comunidad Dell | @DellAyudaPro | Eventos en línea
0 Kudos
Highlighted
2 Bronze

Re: iDRAC8 2.70.70.70 SSH keyboard interactive authentication

I reject your reply for one, simple reason. You are not addressing the complete scope of my comment.

You may recall that, in my comment, I mentioned the ability to disable the functionality.

The decision to not include that ability - to give us the option to disable this function - IS arbitrary. The decision to FORCE the use of this security feature on us - "like it or not" - is arbitrary.

We don't need you to explain security and how it evolves. (Especially because, nowhere that I can see in the RFC doc do I see that this is REQUIRED security.)

This is a SIMPLE solution. Give us the option to DISABLE this function. Plain and simple. Enable it by default if you wish. But give us the ability to DISABLE IT.

This is not a complex concept. Why is it being treated as such?

0 Kudos
Highlighted

Re: iDRAC8 2.70.70.70 SSH keyboard interactive authentication

Hello again @cyrylthewolf,


The security vulnerability I was talking about is CVE-2015-5600. You can look for more information about it on the Internet.


The iDRAC SSHServer including “keyboard interactive authentication” to provide enhanced security started with iDRAC Firmware 2.70.70.70 and iDRAC Firmware 4.00.00.00 (depends on Server model).


As far as I know, there are no plans to remove this functionality or allow it to be disabled. You need to rollback to a prior version of 2.70.70.70 if you want this to be gone.


Finally, if you have setup automation which leverages ssh sessions, you need to ensure that library supports "interactive authentication". 


Sorry I cannot offer you a better solution.


Regards.

logo
 Diego López
 
 Social Media and Communities Professional
 Comunidad Dell | @DellAyudaPro | Eventos en línea
0 Kudos
Highlighted
2 Bronze

Re: iDRAC8 2.70.70.70 SSH keyboard interactive authentication

Rolling back to that version would serve no purpose because that is the version wherein Dell arbitrarily decided to force this upon us. (It's right there - in the thread title.)

Did you even reach out to any actual engineers to discuss including the option to disable this? Security should be an OPTION. Not an OEM-forced requirement. Have you reached out and spoken to anyone at all about it beyond the confines of this forum? Or are you just stonewalling us here in this thread?

You could at least provided some kind of insight as to "Why." Some effort would be appreciated. (I don't consider posting security notices to be helpful in the least bit here as doing so does not address the request.)

I don't expect much from you at this point, obviously. None of you have been helpful in the least bit in this thread.

0 Kudos
Highlighted

Re: iDRAC8 2.70.70.70 SSH keyboard interactive authentication

Hello again @cyrylthewolf,


Just a quick note: I said: "You need to rollback to a prior version of 2.70.70.70 if you want this to be gone." A "prior version of" means a lower version, like 2.63.60.61, or 2.62, or 2.61... Obviously, if you roll back to the 2.70 will not make it because the change was introduced in this version. (It's right there - in my message.)


This information has been confirmed in our internal Knowledge Base, which is created by our senior engineers. Despite that we'll reach out to them to double check if there are any possibilities to disable the mentioned option. It may take some time before we get back to you. But as soon as I have an answer I will let you know.


Regards.

logo
 Diego López
 
 Social Media and Communities Professional
 Comunidad Dell | @DellAyudaPro | Eventos en línea
0 Kudos
Highlighted
2 Bronze

Re: iDRAC8 2.70.70.70 SSH keyboard interactive authentication

So now you want to play a petty game of grammar here? OK.

You said: "You need to rollback to a prior version of 2.70.70.70 if you want this to be gone."

Tell me... Just how many revisions of 2.70.70.70 are there? I've never known Dell to use build numbers in their versioning... (e.g. 2.70.70.70.xxxx)

That sentence literally said to use "a prior version of" the thing we are discussing which is a specific version of firmware. (v2.70.70.70.) If you meant to instruct me to use an older version... What you should have said was, "You need to roll back to a version prior to 2.70.70.70."

Do you now understand where YOU failed to articulate your speech in such a way that conveys the actual statement you were trying to make?

And had you just at least offered to pass this information (read: request)  along to actual engineers or get some proper feedback in the first place, we wouldn't be here where we now find ourselves. (Playing a petty grammar game.)

Additionally... Had you just said in your last message that you would speak to engineers, I would have actually just simply thanked you.

But... You decided that snark was a better route. So be it. Let us know what they say. I WILL be waiting.

0 Kudos