OK, so for inbound connections (from my host client to the switch) the only protocol available is ssh-rsa. I can confirm there is no rsa-sha2 available.
Thanks for the answer.
Original Message:
Sent: Aug 19, 2024 07:32 AM
From: Herman Robers
Subject: Aruba 2930F - ssh remote access with public key - ssh-rsa
What you did is enable ssh-rsa to allow the RSA hostkey on your switch. You may need to generate a new hostkey, as disabling the hostkey algorithms seems to be for outbound ssh from the switch (where the switch is the client). What you test is inbound (to the switch), and there the hostkey that is on the switch is what is being used, and your client should accept that (at least, among other acceptable keys).
I'm unsure if you can generate an rsa-sha2 key, as during generation the options are ssh-rsa and ssh-dsa:
sw00(config)# crypto key generate ssh
 dsa    Install DSA host key.
 rsa    Install RSA host key.
 <cr>
You can check the key type that is in use currently with the command:
sw00(config)# show ip ssh

 SSH Enabled           : Yes
 Secure Copy Enabled   : No
 TCP Port Number       : 22
 Timeout (sec)         : 120
 Rekey Enabled         : No
 Rekey Time (min)      : 60
 Rekey Volume (KB)     : 1048576
 Host Key Type         : RSA
 Host Key/Curve Size   : 2048
 Ciphers               : aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,
                         aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc
 MACs                  : hmac-sha2-256,hmac-sha1-96,hmac-md5,hmac-sha1,hmac-md5-96
 KEXs                  : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
                         diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
 Host-Key-Algorithms   : x509v3-ssh-rsa,x509v3-sign-rsa2,x509v3-sign-rsa,ssh-dss,
                         rsa-sha2-512,rsa-sha2-256,ssh-rsa
Check the Host Key Type: RSA in the output above.
Note that the Host Key is only used to identify the server (or switch in this case), and if you have public key authentication, the worst thing that can happen may be that (after breaking a SHA1 hash), someone can impersonate the switch.
Herman Robers
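The show ip ssh output above carries four separate algorithm lists plus the host key type, and it is easy to misread one for another. As an added example (not from the thread, and not Aruba's or OpenSSH's code), the following Python script parses that output, flags every entry built on SHA-1, MD5, CBC mode or 3DES, and lists which signature algorithms the existing RSA host key can be used with; the sample text is constructed from the paste above, and the weak-algorithm rules are the script's own assumption.

```python
# Added audit helper for Aruba `show ip ssh` output; the weak-algorithm rules are an assumption.
WEAK_EXACT = {"ssh-rsa", "ssh-dss", "x509v3-ssh-rsa", "x509v3-sign-rsa"}  # SHA-1 based signatures
WEAK_SUBSTRINGS = ("sha1", "md5", "-cbc", "3des")                        # SHA-1/MD5 MACs, CBC, 3DES
RSA_SIG_ALGS = {"rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"}               # all sign with one RSA key

# Constructed sample, re-flowed from the thread's paste; wrapped values are indented.
SAMPLE = """\
SSH Enabled : Yes
TCP Port Number : 22
Host Key Type : RSA
Host Key/Curve Size : 2048
Ciphers : aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,
          aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc
MACs : hmac-sha2-256,hmac-sha1-96,hmac-md5,hmac-sha1,hmac-md5-96
KEXs : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
       diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Host-Key-Algorithms : x509v3-ssh-rsa,x509v3-sign-rsa2,x509v3-sign-rsa,ssh-dss,
                      rsa-sha2-512,rsa-sha2-256,ssh-rsa
"""

def parse_show_ip_ssh(text):
    """Return {field: value}; comma-separated values become lists, wrapped lines are joined."""
    raw, current = {}, None
    for line in text.splitlines():
        if " : " in line and not line.startswith(" "):
            current, value = (part.strip() for part in line.split(" : ", 1))
            raw[current] = value
        elif current and line.strip():
            raw[current] += line.strip()  # continuation line of the previous field
    return {k: [a.strip() for a in v.split(",") if a.strip()] if "," in v else v
            for k, v in raw.items()}

def is_weak(name):
    return name in WEAK_EXACT or any(s in name for s in WEAK_SUBSTRINGS)

def weak_algorithms(fields):
    """Per list-valued field, the entries a hardening review would remove."""
    return {k: [a for a in v if is_weak(a)] for k, v in fields.items() if isinstance(v, list)}

def rsa_signature_options(fields):
    """Signature algorithms usable with the existing RSA host key. Dropping ssh-rsa needs no
    new key: rsa-sha2-512 and rsa-sha2-256 sign with the same RSA key, only the hash differs."""
    if fields.get("Host Key Type") != "RSA":
        return []
    return [a for a in fields.get("Host-Key-Algorithms", []) if a in RSA_SIG_ALGS]

if __name__ == "__main__":
    parsed = parse_show_ip_ssh(SAMPLE)
    for field, weak in weak_algorithms(parsed).items():
        print(f"{field}: weak = {weak}")
    print("RSA host key usable with:", rsa_signature_options(parsed))
```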
Original Message:
Sent: Aug 14, 2024 04:41 AM
From: dorenopitoki
Subject: Aruba 2930F - ssh remote access with public key - ssh-rsa
Hello,
I enabled public key for ssh access on my Aruba switches:
ip ssh
no ip ssh host-key-algorithm ssh-rsa
no ip ssh host-key-algorithm ssh-dss
no ip ssh host-key-algorithm x509v3-ssh-rsa
no ip ssh host-key-algorithm x509v3-sign-rsa2
no ip ssh host-key-algorithm x509v3-sign-rsa
aaa authentication ssh login public-key none
aaa authentication ssh enable public-key
Only rsa-sha2-512 and rsa-sha2-256 are enabled for Host-Key-Algorithms.
On my client side, I've generated rsa key pair with: ssh-keygen -t rsa-sha2-512 -b 3072
If I check the signature:
ssh-keygen -l -f C:\Users\doritolo\.ssh\id_rsa
3072 SHA256:SIGKEY lab\doritolo@PC1 (RSA)
It looks like it is not SHA512.
I've imported the public key on the switch with: copy tftp pub-key-file 10.1.1.100 pub_key.txt manager
When I try to log in, it prompts me for a password, meaning pubkey auth is not working as it should.
With debug log, I can see that there is no mutual signature algorithm:
ssh -vvv -i C:\Users\doritolo\.ssh\id_rsa manager@10.1.1.150
[...]
send_pubkey_test: no mutual signature algorithm
If I add PubKeyAcceptedKeyTypes +ssh-rsa to my config file, it works.
I'm using OpenSSH for Windows 9.5p1 (December 2023 release).
ssh-rsa is deprecated because of SHA-1, and as I disabled ssh-rsa on Aruba, it should not require ssh-rsa.
I don't know why I need to allow it from the client to make it work.
Do you have any info on this?