Wireless Access

 

Has anyone managed to get public key authentication working with Aruba Controller and OpenSSH?  I saw the KB article and after mouthing "WTF? Seriously?" I managed to get OpenSSH's ssh-keygen to convert a RSA public key to a PEM.  Sadly the controller is rejecting it as if it's not really a PEM or whatever internal reason it doesn't want to cough up.

 

I'm not interested in generating a CA and shouldn't have to.  In my case it would weaken security as I myself have avoided running a proper CA setup.   This is SSH not SSL.  I guess I'm too busy being shocked that this thing doesn't support OpenSSH pub keys out of the box and it looks like PuTTY mainline lacks X509 support.  Also I guess I can't have multiple SSH keys for user as in one for each client machine?

 

Has anyone figured out interop with OpenSSH yet?  

 

Thanks.

 

Here is what worked for me in the past:

1. Generate a client cert using openssl.

2. Upload the client cert (without private key) to the controller as Certificate type = Public Cert
           Management -> Certificates -> Upload

3. Enable SSH authentication using client public key on the controller
           Management -> General

4. Add a management user (to use SSH public key)
           Management -> Administration -> Add User

 

On a linux machine:

5. Copy the client certificate private key to the user’s directory ~/.ssh/  folder
6. Change its owner to the user and its access permissions to 600.
7. Optionally rename it to id_rsa
8. if not renamed, run the following command:
        “ssh -i ~/.ssh/<private key> <username>@<controller IP address>”       // username should match user created on controller
9. You may get prompted for the private key passcode if set, and once entered you will get the controller prompt.

 

 

Let me know how it goes.

 

 

Thanks but that is pretty much the same as what is in the KB article and I frankly don't understand why any of it is necessary.

 

Is there no way to use the defacto standard OpenSSH public keys or even a PuTTY public key?  I have existing keys that I want to use and I want to be able to use those keys with a wide range of devices.  The Aruba controllers stand alone as the only thing I have access to that supports pubkey auth that doesn't directly handle these keys or offer a clear conversion path or tool (ala PuTTYgen).

 

I'm not even sure what certificate format it's expecting as I've used the OpenSSH ssh-keygen tool to generate a PEM but the controllers reject the resulting file with a non-helpful error.

 

Sorry if I come across as cranky but I'm honestly stupified at the process layed out in the KB article for something as simple as handling an SSH key...

 

Thanks for your help so far. 

 

I recommend you not try to use this feature.  The reason it is there is for smart card users (the US military CAC to be specific), and the feature is optimized for someone who already has a certificate and needs to get it to work with SSH.  Trying to go the other direction is just asking for pain, as you've seen.

 

I'll enter an enhancement request for allowing entry of SSH pubkeys directly.  That should not be too complex to support.  I'm actually a little surprised that in 9 years and over 2000 enhancement requests filed, nobody has asked for this before.

 

Ah OK.  That makes sense then.  Thanks for the definitive answer.

 

And thank you for putting in the feature request.

 

 

Nice one on the feature request.I use shh all the time with Linux ssh session authentication and I am testing this same feature on my lab and am experiencing similar headaches. I would welcome this feature also. Spot on blocke :-)

Ok, I bashed on this for an hour and finally managed to get this working.  Not sure if its still relevant to anyone, but this is how you convert your openssh certs to a format that Aruba likes.

 

First this is mostly tested on Macs, since that's what we run here, if you run windows or Linux, you're kinda on your own:

 

• Check OpenSSL version on your Mac by typing command "openssl version", mine is OpenSSL 0.9.8zc 15 Oct 2014.  If you're at least this version, the instructions below should work. 
• Next run this command:

openssl req -x509 -key ~/<your ssh key folder>/<your private key> -days 1500 -newkey rsa:2048 -out ~/<your ssh key folder>/<your username>_pub.pem

 

• You can accept the default for every prompt it asks you after.  None of it is really relevant.  If you don't put the flag of -days 1500 (5 years), the default period will be 30 days.
• Upload resulting pem into Aruba via GUI. There's no CLI method that I can find.  Make sure you select format of pem and public certificate for type.
• Add the user that'll use this cert.  You can CLI for this. Format is: "mgmt-user ssh-pubkey client-cert <your uploaded pub key> <user name> <role>"
• Lastly, enable public key certs by going to the GUI and selecting the "Client Public Key" option under SSH Auth method.  You can cli as well, but if you do this, your backup controller will not have the option propogated over.  this is obviously a bug, and this is the workaround for it so far.

That's it, now you need to do it for your backup controllers and then you can finally turn off your RADIUS or TACACS server to the controllers.   I'd still recommend having username/password for the admin account just in case your keys get borked or your laptop dies.

 

Let me know if this works for anyone else!

 

Sy. This work for me. Thanks for the simple instructions.

This worked great for me also. One note. If you have a lot of private ssh keys on your host you might have to edit your .ssh/config to present just the correct key or you can not login with just a password. 

now it is 2021, i have a aruba controller with AOS8 and still the same problem.
this solution here does not work for me, because openssl does not accept my private id_rsa
"unable to load Private Key
139738545255552:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY"

I try also with a new key who has openssl generate if i am not give them a -key, but then i must set a password to it and
ssh test@10.7.18.80 -i privkey.pem
ask me for the private key password first and does not work too.

Are they other solutions?

------------------------------
Marian Knichala
------------------------------

Original Message:
Sent: Apr 28, 2015 05:56 PM
From: Justin Clark
Subject: OpenSSH Public Key Authentication

Ok, I bashed on this for an hour and finally managed to get this working.  Not sure if its still relevant to anyone, but this is how you convert your openssh certs to a format that Aruba likes.

 

First this is mostly tested on Macs, since that's what we run here, if you run windows or Linux, you're kinda on your own:

 

• Check OpenSSL version on your Mac by typing command "openssl version", mine is OpenSSL 0.9.8zc 15 Oct 2014.  If you're at least this version, the instructions below should work. 
• Next run this command:

openssl req -x509 -key ~/<your ssh key folder>/<your private key> -days 1500 -newkey rsa:2048 -out ~/<your ssh key folder>/<your username>_pub.pem

 

• You can accept the default for every prompt it asks you after.  None of it is really relevant.  If you don't put the flag of -days 1500 (5 years), the default period will be 30 days.
• Upload resulting pem into Aruba via GUI. There's no CLI method that I can find.  Make sure you select format of pem and public certificate for type.
• Add the user that'll use this cert.  You can CLI for this. Format is: "mgmt-user ssh-pubkey client-cert <your uploaded pub key> <user name> <role>"
• Lastly, enable public key certs by going to the GUI and selecting the "Client Public Key" option under SSH Auth method.  You can cli as well, but if you do this, your backup controller will not have the option propogated over.  this is obviously a bug, and this is the workaround for it so far.

That's it, now you need to do it for your backup controllers and then you can finally turn off your RADIUS or TACACS server to the controllers.   I'd still recommend having username/password for the admin account just in case your keys get borked or your laptop dies.

 

Let me know if this works for anyone else!