ArubaOS and Controllers

Occasional Contributor II
Posts: 100
Registered: ‎11-05-2009

Public Key for SSH

We use SSH public keys for logging into switches, Linux servers etc. These are not stored in certificates, just created by the Linux command 'ssh-keygen'.

I would like to try and use my same public key to SSH into our new Aruba controllers (running 5.0.1.0). It looks like I need to convert my public key into a certificate and then add that to the controller (the user guide says for SSH the public key is extracted from certificate, so no CA checks are made).

I have tried to convert this using the command:
openssl req -new -days 360 -key -pubkey -x509 -out

I have successfully uploaded this certificate to the controller, however when I go to create user, I get an error:

#mgmt-user ssh-pubkey client-cert "jeff_certificate" "jeff" "root"
Error creating SSH public key user

If I then try to delete the certificate:
#no crypto-local pki publicCert jeff_certificate
Failed to delete instance. Cert is either not present or referenced
by an application.

#show crypto-local pki publicCert

Certificates
------------
Name              Original Filename  Reference Count
--------------    -----------------  ---------------
jeff_certificate  jeff.cer           1

I don't know what the reference is, the user hasn't been created:
show mgmt-user

Management User Table
---------------------
USER   PASSWD  ROLE  STATUS
----   ------  ----  ------
admin  *****   root  ACTIVE


Any idea what I need to do to put my existing key into a certificate which is accepted, and how to delete the uploaded certificate which doesn't work?

Cheers,
-Jeff
Guru Elite
Posts: 19,963
Registered: ‎03-29-2007

Knowledge Base

Login to the support site and search in the knowledgebase for "public key". In the results, you should find an article entitled "How do I SSH to the Aruba controller using certificates from Linux?".

That might help.
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Occasional Contributor II
Posts: 100
Registered: ‎11-05-2009

Re: Public Key for SSH

I've followed the guide - generated a CSR and had it signed (by a temporary CA created under Linux).

I've been able to import this, and create a user to use the certificate - however I am unable to log in with this user because I don't have the private key that should have been created with the CSR.

What I want to do is be able to use my existing SSH private key to log into the controller, and not have to use a new one.
Guru Elite
Posts: 19,963
Registered: ‎03-29-2007

Open a case

Jfern,

Please open a case. I contacted the author of the KB article and he contends that there are a number of reasons why it would not work in your setup, and those will need to be reviewed in detail.
Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 100
Registered: ‎11-07-2008

Re: Public Key for SSH

We tried to do this a few times even with tech support and it doesn't actually work like it's supposed to. It will not give you a privileged login. It will only get you into a non-privileged account. What we've done to get around this is to import the certificate, then use "expect" to log in as a privileged user. I generated a .pem cert on the Linux box and imported it into each controller. It works for me, but unfortunately privileged use is not supported with keys or certs.
Guru Elite
Posts: 19,963
Registered: ‎03-29-2007

Not Privileged

Gwilliams,

Did they open a bug regarding this?
Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 100
Registered: ‎11-07-2008

Re: Public Key for SSH

I believe they did. But it's not a big deal now since I can get around it another way.
Occasional Contributor II
Posts: 100
Registered: ‎11-05-2009

Re: Public Key for SSH

I've resolved the original problem I was having: using an RSA private key, generate a certificate request using 'openssl req', then sign this and import the .pem into the controller as a public cert. A user can be created against this key and everything works. For some reason, my usual RSA key wasn't accepted, however a new one generated with 'ssh-keygen' was fine.

Another issue I'm having: I want to provide a proper certificate for the management web page of the controller, however the controller won't accept the details I want to provide via Management > Certificates > CSR.

I want to put a comma in the CN, and I don't want to specify an e-mail address (these are requisites for being able to get the certificate signed by the department who deal with them). Is there any way I can either override the requirements in the CSR page, or can I provide a new private key and certificate for the controller which I can generate myself with all the required information?
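
The flow described in the first paragraph of the last post (certificate request from an existing RSA private key, signed, then imported as a public cert), as an added example that is not part of the original thread. It also checks that the signed certificate carries the same public key as the private key used to log in, which is the mismatch reported earlier in the thread. File names, the CNs and the temporary CA are assumptions, and the keys are throwaway ones generated for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). All file names and CNs are placeholders.

# csr_from_key KEY CSR CN: certificate request carrying KEY's public key.
# KEY must be PEM; openssl cannot read "BEGIN OPENSSH PRIVATE KEY" files, so
# convert a copy first with: ssh-keygen -p -m PEM -f <copy>
csr_from_key() {
    openssl req -new -key "$1" -subj "/CN=$3" -out "$2"
}

# sign_csr CSR CAKEY CACERT OUT: sign the request with a temporary CA.
sign_csr() {
    openssl x509 -req -in "$1" -CA "$3" -CAkey "$2" -CAcreateserial \
        -days 360 -out "$4" 2>/dev/null
}

# cert_matches_key CERT KEY: succeeds only if CERT holds KEY's public key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    k=$(openssl pkey -in "$2" -pubout) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# selftest: run the whole flow on throwaway keys generated in a temp dir.
selftest() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/login.key" 2048 2>/dev/null  # stands in for the SSH key
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null  # an unrelated key
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null     # temporary CA key
    openssl req -new -x509 -key "$d/ca.key" -subj "/CN=temp-ca" \
        -days 30 -out "$d/ca.pem"
    csr_from_key "$d/login.key" "$d/login.csr" "jeff" &&
    sign_csr "$d/login.csr" "$d/ca.key" "$d/ca.pem" "$d/login.pem" &&
    cert_matches_key "$d/login.pem" "$d/login.key" &&
    ! cert_matches_key "$d/login.pem" "$d/other.key"
    rc=$?
    rm -rf "$d"
    return $rc
}

selftest && echo "certificate carries the login key's public key"
```

Running cert_matches_key against the real key and the .pem before uploading shows whether the certificate can be used with that private key at all.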