05-01-2012 02:48 PM - edited 05-01-2012 02:49 PM
Has anyone managed to get public key authentication working with Aruba Controller and OpenSSH? I saw the KB article and after mouthing "WTF? Seriously?" I managed to get OpenSSH's ssh-keygen to convert an RSA public key to a PEM. Sadly the controller is rejecting it as if it's not really a PEM or whatever internal reason it doesn't want to cough up.
I'm not interested in generating a CA and shouldn't have to. In my case it would weaken security as I myself have avoided running a proper CA setup. This is SSH not SSL. I guess I'm too busy being shocked that this thing doesn't support OpenSSH pub keys out of the box and it looks like PuTTY mainline lacks X509 support. Also I guess I can't have multiple SSH keys for user as in one for each client machine?
Has anyone figured out interop with OpenSSH yet?
05-01-2012 05:58 PM
Here is what worked for me in the past:
1. Generate a client cert using openssl.
2. Upload the client cert (without private key) to the controller as Certificate type = Public Cert
Management -> Certificates -> Upload
3. Enable SSH authentication using client public key on the controller
Management -> General
4. Add a management user (to use SSH public key)
Management -> Administration -> Add User
On a linux machine:
5. Copy the client certificate private key to the user’s directory ~/.ssh/ folder
6. Change its owner to the user and its access permissions to 600.
7. Optionally rename it to id_rsa
8. If not renamed, run the following command (the username should match the user created on the controller):
ssh -i ~/.ssh/<private key> <username>@<controller IP address>
9. You may get prompted for the private key passcode if set, and once entered you will get the controller prompt.
Let me know how it goes.
05-01-2012 11:33 PM - edited 05-01-2012 11:37 PM
Thanks but that is pretty much the same as what is in the KB article and I frankly don't understand why any of it is necessary.
Is there no way to use the de facto standard OpenSSH public keys or even a PuTTY public key? I have existing keys that I want to use and I want to be able to use those keys with a wide range of devices. The Aruba controllers stand alone as the only thing I have access to that supports pubkey auth that doesn't directly handle these keys or offer a clear conversion path or tool (à la PuTTYgen).
I'm not even sure what certificate format it's expecting as I've used the OpenSSH ssh-keygen tool to generate a PEM but the controllers reject the resulting file with a non-helpful error.
Sorry if I come across as cranky but I'm honestly stupefied at the process laid out in the KB article for something as simple as handling an SSH key...
Thanks for your help so far.
05-02-2012 07:53 AM
I recommend you not try to use this feature. The reason it is there is for smart card users (the US military CAC to be specific), and the feature is optimized for someone who already has a certificate and needs to get it to work with SSH. Trying to go the other direction is just asking for pain, as you've seen.
I'll enter an enhancement request for allowing entry of SSH pubkeys directly. That should not be too complex to support. I'm actually a little surprised that in 9 years and over 2000 enhancement requests filed, nobody has asked for this before.
Jon Green, ACMX, CISSP
04-28-2015 02:56 PM
Ok, I bashed on this for an hour and finally managed to get this working. Not sure if it's still relevant to anyone, but this is how you convert your OpenSSH certs to a format that Aruba likes.
First, this is mostly tested on Macs, since that's what we run here; if you run Windows or Linux, you're kinda on your own:
- Check OpenSSL version on your Mac by typing command "openssl version", mine is OpenSSL 0.9.8zc 15 Oct 2014. If you're at least this version, the instructions below should work.
- Next run this command:
openssl req -x509 -key ~/<your ssh key folder>/<your private key> -days 1500 -newkey rsa:2048 -out ~/<your ssh key folder>/<your username>_pub.pem
- You can accept the default for every prompt it asks you after. None of it is really relevant. If you don't put the flag of -days 1500 (5 years), the default period will be 30 days.
- Upload resulting pem into Aruba via GUI. There's no CLI method that I can find. Make sure you select format of pem and public certificate for type.
- Add the user that'll use this cert. You can use the CLI for this. Format is: "mgmt-user ssh-pubkey client-cert <your uploaded pub key> <user name> <role>"
- Lastly, enable public key certs by going to the GUI and selecting the "Client Public Key" option under SSH Auth method. You can use the CLI as well, but if you do this, your backup controller will not have the option propagated over. This is obviously a bug, and this is the workaround for it so far.
That's it, now you need to do it for your backup controllers and then you can finally turn off your RADIUS or TACACS server to the controllers. I'd still recommend having username/password for the admin account just in case your keys get borked or your laptop dies.
Let me know if this works for anyone else!
12-14-2015 01:59 PM - edited 12-14-2015 03:30 PM
ACCP, ACMP, ACMX #294
01-08-2016 01:12 PM
This worked great for me also. One note. If you have a lot of private SSH keys on your host you might have to edit your .ssh/config to present just the correct key, or you cannot log in with just a password.
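The two procedures above (the 2012 answer and the 2015 Mac walkthrough), plus the IdentitiesOnly point in the last reply, as one added example script; this is my own code, not anything posted in the thread or shipped by Aruba. It reuses an existing OpenSSH RSA private key for the self-signed certificate (so no -newkey), then confirms the certificate carries the same public key as the SSH key before you upload it, and prints a ~/.ssh/config stanza that offers only that key. It assumes openssl on PATH; the file paths, CN, host alias and 192.0.2.10 address are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): OpenSSH RSA key -> self-signed X.509
# "public cert" for the controller, with a key/cert consistency check.
set -eu

# The newer "OPENSSH PRIVATE KEY" container is not readable by openssl;
# `ssh-keygen -p -m PEM -f <key>` rewrites it in place as traditional PEM.
require_pem_key() {
    key="$1"
    if head -n 1 "$key" | grep -q 'OPENSSH PRIVATE KEY'; then
        echo "$key is OpenSSH-native; convert with: ssh-keygen -p -m PEM -f $key" >&2
        return 1
    fi
    openssl rsa -in "$key" -noout -check >/dev/null 2>&1
}

# Self-signed cert from the EXISTING key: no CA involved, -subj skips the
# interactive prompts, -days 1500 mirrors the value used in the thread.
make_aruba_cert() {
    key="$1"; cn="$2"; out="$3"
    require_pem_key "$key"
    openssl req -x509 -new -key "$key" -days 1500 -subj "/CN=$cn" -out "$out" 2>/dev/null
}

# The controller matches on the public key, so cert and key must agree.
cert_matches_key() {
    key_pub=$(openssl rsa -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$key_pub" = "$cert_pub" ]
}

# IdentitiesOnly stops ssh from offering every key it knows about, which is
# what pushed logins back to password auth in the last reply.
ssh_config_stanza() {
    printf 'Host %s\n    HostName %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$1" "$2" "$3" "$4"
}

# Throwaway run on a freshly generated key (constructed, not a real deployment).
demo() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/id_rsa" 2048 2>/dev/null
    make_aruba_cert "$dir/id_rsa" alice "$dir/alice_pub.pem"
    cert_matches_key "$dir/id_rsa" "$dir/alice_pub.pem"
    echo "alice_pub.pem carries the same public key as id_rsa; upload it as a public cert"
    ssh_config_stanza aruba-ctl 192.0.2.10 alice "$dir/id_rsa"
    rm -rf "$dir"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh convert.sh demo` to see the check pass on a scratch key, or source it and call make_aruba_cert on your real ~/.ssh/id_rsa.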