Security

  • 1.  ClearPass SSH Public-Private Key Failure

    Posted 15 days ago

    Good day. 

    I want to make use of SSH Public-Private Keys to log into my ClearPass server. 

    I did create the key in SecureCRT and have added it to the ClearPass server under Server > Network > SSH Public Keys.

    However, if I SSH to the ClearPass server, I am still able to access it without the key.

    Am I missing something? Is there a guide on how to configure SSH to make use of the key on the ClearPass side?

    Thanx in advance 

    I am running Clearpass 6.9.13. 



  • 2.  RE: ClearPass SSH Public-Private Key Failure

    Posted 15 days ago

    Hello,
    Have you more or less followed these steps taken from another forum post?

    Configuration:

    Setting up public-key authentication using SSH:

    1. Please log in to the CLI of an OSX or Linux system and execute the command below to generate an RSA private key and public key:

     ssh-keygen -t rsa

    2. You will be prompted to supply a filename (for saving the key pair) and a password (for protecting your private key):
       A. Filename: To accept the default filename (and location) for your key pair, press Enter or Return without entering a filename.
          Alternatively, you can enter a filename (e.g., my_ssh_key) at the prompt, and then press Enter or Return.

    3. Password: Enter a password that contains at least five characters, and then press Enter or Return. If you press Enter or Return without entering a password, your private key will be generated without password-protection. 

    4. Your private key will be generated using the default filename (e.g., id_rsa) or the filename you specified (e.g., my_ssh_key), and stored on your computer in a .ssh directory off your home directory (e.g., ~/.ssh/id_rsa or ~/.ssh/my_ssh_key).
    The corresponding public key will be generated using the same filename (but with a .pub extension added) and stored in the same location. Once the RSA key pair is created, it will show you the location where the files are saved.

    5. Please open the Public Key file using:

       cat /root/.ssh/id_rsa.pub

    6. Please navigate to Administration > Server Manager > Server Configuration > Network and click on "Add Public Key".

    7. Copy and Paste the Public Key in the space provided.

    8. Now you can login to the Server from your local system.




    Verification

    Login using private key:

    1. To log in on the SSH command line, add the "-i" flag and the path to your private key.

    For example, to invoke the private key id_rsa, stored in the /root/.ssh/ directory, when connecting to your account on a remote host (e.g., appadmin@<CPPM-IP/Hostname>), enter:

    ssh -i /root/.ssh/id_rsa appadmin@<hostname/IP>

    2. It will prompt you to enter the private key passphrase to decrypt the encrypted private key file; please provide the same passphrase which was given during RSA key creation.

    3. Please ignore the warning which it will prompt when you connect for the first time as that device is not in the list of Known Clients. 

    4. Once you provide input as "Yes" it will be automatically added to the list of Known hosts, and allow you access to the CPPM Command Line.

    Best Regards



    ------------------------------
    Daniel Ruiz
    -----------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support.
    Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------



  • 3.  RE: ClearPass SSH Public-Private Key Failure

    Posted 15 days ago
    Edited by JJ5 15 days ago

    Good Day.  

    Thank you for the reply.  

    I am using SecureCRT.  So I have created the Public key from there

    https://www.vandyke.com/support/tips/publickeyauth.html

    I then added it to Clearpass, as per your post. 

    However, when I open SSH from "another client" without a key, it just asks for a username & password and connects.




  • 4.  RE: ClearPass SSH Public-Private Key Failure

    Posted 15 days ago

    Just because you can log in with a key doesn't mean that the login is restricted to only with a key.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: ClearPass SSH Public-Private Key Failure

    Posted 15 days ago

    Yes chulcher.

    That is exactly my point / question.

    If I log in from "another client" without a key, it only asks for a username & password. No key required.




  • 6.  RE: ClearPass SSH Public-Private Key Failure

    Posted 15 days ago

    Yes.  Exactly my point.  Enabling public key doesn't disable non-public key logins.

    https://arubanetworking.hpe.com/techdocs/ClearPass/6.12/PolicyManager/Content/Hardening/Locking%20Down%20Administrative.htm

    If you don't want someone logging in with user/pass credentials, set the password to something extraordinarily complex and don't save it anywhere.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: ClearPass SSH Public-Private Key Failure

    Posted 6 days ago

    To my understanding, an SSH server can be enabled for public-key and/or password authentication. The client will then decide to use the public key or the password; I don't think you can do both, but you can put a password on your private key, which is checked on your client, not on the server.

    When an SSH client connects, it negotiates which authentication method is used. By default, if a public key is configured on the client, that will be tried first; if that doesn't work, or if no key is available to the client, it will attempt username-password authentication. That is exactly what you see, and it's either public key OR password used for a login session, not both.

    I don't think you can disable password authentication in ClearPass.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
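As an added example (not from any post in this thread), the following POSIX shell snippet lets an administrator verify what reply 7 describes: which authentication methods the server actually offers after following the key setup in reply 2. OpenSSH prints the server's offered method list in its "Permission denied (...)" line when the client is told to offer no usable method; the sample output lines and the 10.0.0.1 address are constructed for the example, and the real `ssh` invocation shown in the comment is assumed to be run by you against your own appliance.

```shell
#!/bin/sh
# Added example, not ClearPass or Aruba code. Parses OpenSSH client output to
# learn which authentication methods a server offers. To capture real output
# from your own server (OpenSSH options; command assumed, not run here):
#   ssh -o PreferredAuthentications=none -o PubkeyAuthentication=no \
#       -o BatchMode=yes appadmin@<CPPM-IP/Hostname> 2>&1 | auth_methods_offered

# Read client output on stdin and print the comma-separated method list
# from the first "Permission denied (...)" line, e.g. "publickey,password".
# Prints nothing if no such line is present.
auth_methods_offered() {
    sed -n 's/.*Permission denied (\([^)]*\)).*/\1/p' | head -n 1
}

# Return 0 (true) when "password" is among the offered methods, 1 otherwise.
# A public-key-only server would not list it, so this is the check that
# answers the original question: is a password login still accepted?
password_auth_offered() {
    methods=$(auth_methods_offered)
    case ",$methods," in
        *,password,*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Constructed sample: what the OpenSSH client prints for a server that accepts
# both public-key and password logins (the situation described in the thread).
SAMPLE_BOTH='appadmin@10.0.0.1: Permission denied (publickey,password).'
# Constructed sample: a server that only accepts public-key authentication.
SAMPLE_KEY_ONLY='appadmin@10.0.0.1: Permission denied (publickey).'

# Stand-alone demonstration on the constructed samples.
for sample in "$SAMPLE_BOTH" "$SAMPLE_KEY_ONLY"; do
    methods=$(printf '%s\n' "$sample" | auth_methods_offered)
    if printf '%s\n' "$sample" | password_auth_offered; then
        echo "offered: $methods -> password login still accepted"
    else
        echo "offered: $methods -> password login not offered"
    fi
done
```

The same list also appears in `ssh -v` output as "Authentications that can continue: ...", so the check can be run with verbose logging instead if you prefer.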