802 Posts

July 20th, 2012 15:00

On 6224 switches, you must generate both RSA and DSA keys in order to enable SSH on the switch.

console# configure

console(config)#crypto key generate rsa

RSA key generation started, this may take a few minutes..... RSA key generation complete.

console# configure

console(config)#crypto key generate dsa

DSA key generation started, this may take a few minutes........................ DSA key generation complete.

If prompted to overwrite any existing keys, select Y for yes.

Can you provide the output for this command?

console#show ip ssh

 

From what I’m reading, a valid IP address, username and password must be assigned in order to log in via SSH after the keys are created.

 

I would also recommend that you have the latest firmware installed.

v3.3.3.3

http://www.dell.com/support/drivers/us/en/555/DriverDetails/DriverFileFormats?DriverId=53M6W&FileId=2923322702&productCode=powerconnect-6224&urlProductCode=False

Hope this helps,

Keep us updated if you can.

 

10 Posts

July 20th, 2012 21:00

Hi,

I'm running the latest version 3.3.3.3 as indicated by the configuration's 2nd line.

Both RSA & DSA keys have been generated. See below. To remove any doubt, ssh password authentication works. Problem is with public-key authentication.

A user was defined. Why is a user password required if public-key authentication is used?

In short, problem is not solved.

Regards,

Gaash

rt01.it#show ip ssh

SSH Server enabled.  Port: 22

Protocol Levels: Versions 1 and 2.

RSA key was generated.

DSA key was generated.

SSH Public Key Authentication is enabled.

Active Incoming Sessions.

Ip Address       User Name        Idle Time    Session Time  

---------------  ---------------  ------------  ------------

10.9.8.11        admin            00:00:00      00:00:14      

802 Posts

July 24th, 2012 16:00

After talking this thru with a couple analysts we have come up with some useful information. This post from our forum discusses the same topic with a verified answer.

en.community.dell.com/.../19935126.aspx

One should be able to view the authentication methods with the “show authentication methods” command. It looks like, by default, SSH is set to the networkList Login Method List, which sets the authentication method to local. If we change the Login Method List to defaultList, that should set the method to none, as described in the posting above. We can do that with the commands below.

console>enable

console#config

console(config)#line ssh

console(config-ssh)#login authentication defaultList

console(config-ssh)#end

console#show authentication methods

console#copy running-config startup-config

Thanks for your patience

10 Posts

July 25th, 2012 14:00

Setting ssh authentication to defaultList prevents ssh login, both with password and public key.

rt01.it.qwilt.com#configure                    

rt01.it.qwilt.com(config)#line ssh                    

rt01.it.qwilt.com(config-ssh)#login authentication defaultList

rt01.it.qwilt.com(config-ssh)#end

rt01.it.qwilt.com#show authentication methods    

Login Authentication Method Lists

---------------------------------

defaultList         :  none    

networkList         :  local    

Enable Authentication Method Lists

----------------------------------

enableList          :  none    

Line     Login Method List    Enable Method List

-------  -----------------    ------------------

Console  defaultList          enableList          

Telnet   networkList          enableList          

SSH      defaultList          enableList          

HTTPS       :local    

HTTP        :local    

DOT1X       :

rt01.it.qwilt.com#show version

Image Descriptions

image1 : default image

image2 :  

Images currently available on Flash

--------------------------------------------------------------------

unit      image1      image2     current-active        next-active

--------------------------------------------------------------------

   1    3.3.1.10     3.3.3.3             image2             image2

[gaash@m01 ~/devices/rt01.it]$ssh admin@rt01.it

buffer_get_ret: trying to get more bytes 4 than in buffer 0

buffer_get_int: buffer error

[gaash@m01 ~/devices/rt01.it]$ssh  -i ../keys/admin-rt admin@rt01.it

buffer_get_ret: trying to get more bytes 4 than in buffer 0

buffer_get_int: buffer error

[gaash@m01 ~/devices/rt01.it]$

[gaash@m01 ~/devices/rt01.it]$ssh -v

OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
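The "show authentication methods" output above is what decides which credentials the switch actually checks on each access line. The following is an added example, not code from this thread or from Dell: it parses that output (a constructed sample modelled on the one quoted above) and flags any line whose login or enable method list resolves to "none", which is exactly the defaultList situation the thread is debugging.

```python
import re

# Constructed sample, modelled on the "show authentication methods"
# output quoted in this thread; not captured from a real switch.
SAMPLE = """Login Authentication Method Lists
---------------------------------
defaultList         :  none
networkList         :  local
Enable Authentication Method Lists
----------------------------------
enableList          :  none
Line     Login Method List    Enable Method List
-------  -----------------    ------------------
Console  defaultList          enableList
Telnet   networkList          enableList
SSH      defaultList          enableList
HTTPS       :local
HTTP        :local
DOT1X       :
"""

# "<listName> : <method> [<method> ...]" rows (also matches HTTPS/HTTP/DOT1X)
LIST_RE = re.compile(r"^(\w+)\s*:\s*(.*)$")
# "<Line> <Login Method List> <Enable Method List>" rows for the access lines
LINE_RE = re.compile(r"^(Console|Telnet|SSH)\s+(\w+)\s+(\w+)$")


def parse_auth_methods(text):
    """Return ({list_name: [methods]}, {line: (login_list, enable_list)})."""
    lists, lines = {}, {}
    for raw in text.splitlines():
        row = raw.strip()
        m = LINE_RE.match(row)
        if m:
            lines[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = LIST_RE.match(row)
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists, lines


def audit(text):
    """Flag (line, 'login'|'enable', list_name) where the list resolves to 'none'."""
    lists, lines = parse_auth_methods(text)
    findings = []
    for line, (login_list, enable_list) in lines.items():
        if "none" in lists.get(login_list, []):
            findings.append((line, "login", login_list))
        if "none" in lists.get(enable_list, []):
            findings.append((line, "enable", enable_list))
    return findings
```

Run `audit(open("show-auth.txt").read())` against a saved capture to list every access line that is currently not checking a credential.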

802 Posts

July 25th, 2012 16:00

Have you run this command from Global Config?

Console(config)# ip ssh pubkey-auth  -  Enables public key authentication for incoming SSH sessions.

10 Posts

July 25th, 2012 21:00

We are making some progress but we are not there yet.

"ip ssh pubkey-auth" was configured

In my previous post I used the wrong login name for public key. Here is the updated status:

Without  "login authentication defaultList":

 "admin" user - password based - may login (and may enable privilege mode without enable password)

 "admin-ssh" user - public-key   - can't login. (that's OK)

With  "login authentication defaultList":

 "admin" user - password based - cannot login - ssh client buffer error as before - issue #1

 "admin-ssh" user - public-key   - logs in successfully but cannot enable privilege mode  - issue #2

Below are the relevant configuration fragment and the output for both issues.

Thanks

Gaash

no passwords min-length

username "admin" password xxxx level 15 encrypted

crypto key pubkey-chain ssh

user-key "admin-ssh" rsa

key-string row  xxxxx

exit

exit

line ssh

exec-timeout 60

login authentication defaultList

exit

ip ssh server

ip ssh pubkey-auth

!

issue #1:

------------

[gaash@m01 ~/devices/rt01.it]$ssh admin@rt01.it

buffer_get_ret: trying to get more bytes 4 than in buffer 0

buffer_get_int: buffer error

issue #2

------------

[gaash@m01 ~/devices/rt01.it]$ssh  -i ../keys/admin-rt admin-ssh@rt01.it

rt01.it.qwilt.com>en

Access Denied! You are not authorized to enter into Privilege mode!

rt01.it.qwilt.com>logout

Connection to rt01.it closed.

10 Posts

August 4th, 2012 03:00

Would someone from Dell take a look?

802 Posts

August 6th, 2012 12:00

Gaash,

Could you email a show run of the config on your switch along with a show authentication methods?

William_Marsh@Dell.com

What we need to do is tell it to authenticate with whatever method shows up under show authentication methods and add the appropriate aaa command.
