Network Management


Aruba 2930F - ssh remote access with public key - ssh-rsa

  • 1.  Aruba 2930F - ssh remote access with public key - ssh-rsa

    Posted Aug 14, 2024 10:04 AM

    Hello,

    I enabled public-key authentication for SSH access on my Aruba switches.

    ip ssh

    no ip ssh host-key-algorithm ssh-rsa

    no ip ssh host-key-algorithm ssh-dss

    no ip ssh host-key-algorithm x509v3-ssh-rsa

    no ip ssh host-key-algorithm x509v3-sign-rsa2

    no ip ssh host-key-algorithm x509v3-sign-rsa

    aaa authentication ssh login public-key none

    aaa authentication ssh enable public-key

    Only rsa-sha2-512 and rsa-sha2-256 are enabled as Host-Key-Algorithms.

    On the client side, I generated an RSA key pair with: ssh-keygen -t rsa-sha2-512 -b 3072

    If I check the signature: 

    ssh-keygen -l -f C:\Users\doritolo\.ssh\id_rsa

    3072 SHA256:SIGKEY lab\doritolo@PC1 (RSA)

    It looks like it is not SHA-512.

    I imported the public key on the switch with: copy tftp pub-key-file 10.1.1.100 pub_key.txt manager

    When I try to log in, it prompts me for a password, meaning public-key auth is not working as it should.

    With the debug log, I can see that there is no mutual signature algorithm:

    ssh -vvv -i C:\Users\doritolo\.ssh\id_rsa manager@10.1.1.150

    [...]

    send_pubkey_test: no mutual signature algorithm

    If I add this to my config file: PubKeyAcceptedKeyTypes +ssh-rsa

    It works now...

    I'm using OpenSSH for Windows 9.5p1 (December 2023 release).

    ssh-rsa is deprecated because of SHA-1, and as I disabled ssh-rsa on the Aruba, it should not require ssh-rsa.

    I don't know why I need to allow it from the client to make it work.

    Do you have any info on this?



  • 2.  RE: Aruba 2930F - ssh remote access with public key - ssh-rsa
    Best Answer

    Posted Aug 19, 2024 07:33 AM

    What you did is enable ssh-rsa to allow the RSA host key on your switch. You may need to generate a new host key, as disabling the host-key algorithms seems to apply to outbound SSH from the switch (where the switch is the client); what you test is inbound (to the switch), and there the host key that is on the switch is what is being used, and your client should accept that (at least, among other acceptable keys).

    I'm unsure if you can generate an rsa-sha2 key, as during generation the options are ssh-rsa and ssh-dsa:

    sw00(config)# crypto key generate ssh
     dsa                   Install DSA host key.
     rsa                   Install RSA host key.
     <cr>

    You can check the key type that is in use currently with the command:

    sw00(config)# show ip ssh
    
      SSH Enabled     : Yes                 Secure Copy Enabled : No
      TCP Port Number : 22                  Timeout (sec)       : 120
      Rekey Enabled   : No                  Rekey Time (min)    : 60
                                            Rekey Volume (KB)   : 1048576
      Host Key Type   : RSA                 Host Key/Curve Size : 2048
    
      Ciphers : aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,
                aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc
      MACs    : hmac-sha2-256,hmac-sha1-96,hmac-md5,hmac-sha1,hmac-md5-96
      KEXs    : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
                diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
      Host-Key-Algorithms    : x509v3-ssh-rsa,x509v3-sign-rsa2,x509v3-sign-rsa,ssh-dss,
                rsa-sha2-512,rsa-sha2-256,ssh-rsa

    Check the Host Key Type: RSA in the output above.

    Note that the Host Key is only used to identify the server (or the switch, in this case), and if you have public-key authentication, the worst thing that can happen may be that (after breaking a SHA-1 hash) someone can impersonate the switch.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
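    The "no mutual signature algorithm" line in the original post is decided entirely on the client: for an RSA user key, OpenSSH signs with rsa-sha2-512/256 only when the server advertises them in the RFC 8308 server-sig-algs extension; if the server sends no such extension (or lists only ssh-rsa), the client falls back to the key's base name ssh-rsa, which the OpenSSH >= 8.8 default PubkeyAcceptedAlgorithms no longer contains. That is why "+ssh-rsa" makes the login work, and why it is independent of the host-key algorithms the answer above discusses. The following is an added example, not code from the poster, HPE Aruba or the OpenSSH project: it models that client-side selection (following the logic of key_sig_algorithm in OpenSSH's sshconnect2.c as I understand it) and runs it over constructed ssh -vvv-style transcripts. The switch transcript assumes the switch sends no server-sig-algs extension; a server that advertises only ssh-rsa gives the same outcome and is covered by the same function. The file path, fingerprint and trimmed algorithm lists are constructed, and "PubkeyAcceptedKeyTypes" in the post is the older spelling of the PubkeyAcceptedAlgorithms directive (renamed in OpenSSH 8.5).

```python
"""Model of how an OpenSSH client picks the signature algorithm for a user key.

Added example (not OpenSSH, HPE Aruba or the poster's code). Transcripts are
constructed in the shape of `ssh -vvv` output; the switch one assumes the
server sends no RFC 8308 server-sig-algs extension.
"""
import re

# Trimmed stand-in for the OpenSSH >= 8.8 default PubkeyAcceptedAlgorithms:
# rsa-sha2-512/256 are allowed, the SHA-1 scheme ssh-rsa is not.
DEFAULT_PUBKEY_ACCEPTED = "ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256"

# Key type behind each signature algorithm name (an RSA key has three).
KEY_TYPE_OF = {
    "ssh-ed25519": "ed25519",
    "ecdsa-sha2-nistp256": "ecdsa",
    "rsa-sha2-512": "rsa",
    "rsa-sha2-256": "rsa",
    "ssh-rsa": "rsa",
}
# Base (wire) name of a key type, used when no server-sig-algs was received.
BASE_NAME = {"rsa": "ssh-rsa", "ed25519": "ssh-ed25519", "ecdsa": "ecdsa-sha2-nistp256"}

SERVER_SIG_ALGS_RE = re.compile(r"server-sig-algs=<([^>]*)>")
OFFERING_RE = re.compile(r"Offering public key: .*? (RSA|ED25519|ECDSA) SHA256:")


def parse_server_sig_algs(debug_lines):
    """Return the server-sig-algs list from ssh -vvv output, or None if absent."""
    for line in debug_lines:
        m = SERVER_SIG_ALGS_RE.search(line)
        if m:
            return [a for a in m.group(1).split(",") if a]
    return None


def parse_offered_key_type(debug_lines):
    """Key type of the identity the client offered ('Offering public key' line)."""
    for line in debug_lines:
        m = OFFERING_RE.search(line)
        if m:
            return m.group(1).lower()
    return None


def apply_pubkey_accepted(current, value):
    """Apply a PubkeyAcceptedAlgorithms value the way ssh_config does:
    '+list' appends, '-list' removes, '^list' prepends, anything else replaces."""
    cur = current.split(",")
    if value.startswith("+"):
        return ",".join(cur + [a for a in value[1:].split(",") if a not in cur])
    if value.startswith("-"):
        drop = set(value[1:].split(","))
        return ",".join(a for a in cur if a not in drop)
    if value.startswith("^"):
        head = value[1:].split(",")
        return ",".join(head + [a for a in cur if a not in head])
    return value


def choose_signature_alg(key_type, pubkey_accepted, server_sig_algs):
    """Algorithm the client signs the userauth request with, or None
    (the 'no mutual signature algorithm' case)."""
    accepted = pubkey_accepted.split(",")
    if key_type != "rsa" or server_sig_algs is None:
        # No extension, or a non-RSA key: the signature name is the key's base
        # name, and that name must still be allowed by the client configuration.
        base = BASE_NAME[key_type]
        return base if base in accepted else None
    # RSA key and the server said what it accepts: first RSA algorithm in client
    # preference order that the server also lists. No silent fallback to ssh-rsa.
    for alg in accepted:
        if KEY_TYPE_OF.get(alg) == "rsa" and alg in server_sig_algs:
            return alg
    return None


def diagnose(debug_lines, pubkey_accepted=DEFAULT_PUBKEY_ACCEPTED):
    """Return (server_sig_algs, chosen_alg) for a debug transcript."""
    key_type = parse_offered_key_type(debug_lines)
    server_algs = parse_server_sig_algs(debug_lines)
    return server_algs, choose_signature_alg(key_type, pubkey_accepted, server_algs)


# Constructed transcript: a switch that never sends server-sig-algs.
SWITCH_DEBUG = [
    "debug1: kex: host key algorithm: rsa-sha2-512",
    "debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:EXAMPLEFINGERPRINT explicit",
]
# Constructed transcript: a modern server that advertises SHA-2 RSA signatures.
MODERN_DEBUG = [
    "debug1: kex: host key algorithm: ssh-ed25519",
    "debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,rsa-sha2-512,rsa-sha2-256>",
    "debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:EXAMPLEFINGERPRINT explicit",
]

if __name__ == "__main__":
    print("switch, default client config :", diagnose(SWITCH_DEBUG))
    # Re-enable SHA-1 RSA signatures for this one host only, in ssh_config:
    #   Host 10.1.1.150
    #       PubkeyAcceptedAlgorithms +ssh-rsa
    legacy = apply_pubkey_accepted(DEFAULT_PUBKEY_ACCEPTED, "+ssh-rsa")
    print("switch, +ssh-rsa for that host:", diagnose(SWITCH_DEBUG, legacy))
    print("modern server, default config :", diagnose(MODERN_DEBUG))
```

    The practical consequence for the hardening in the original post: scope the "+ssh-rsa" exception to a Host block for the switch rather than setting it globally, so the SHA-1 signature scheme is re-enabled only toward devices that cannot verify rsa-sha2 user signatures, and keep HostKeyAlgorithms (a separate negotiation) at its default, since the show ip ssh output above already lists rsa-sha2-512 and rsa-sha2-256 for the host key.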



  • 3.  RE: Aruba 2930F - ssh remote access with public key - ssh-rsa

    Posted Aug 20, 2024 05:52 AM

    OK, so for inbound connections (from my host client to the switch) the only protocol available is ssh-rsa. I can confirm there is no rsa-sha2 available.

    Thanks for the answer.