Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

2930F multiple user SSH Key Auth

  • 1.  2930F multiple user SSH Key Auth

    Posted Mar 04, 2019 05:35 PM

    We'd like to set up SSH key authentication for multiple admins, while retaining password auth for the 'manager' and 'operator' accounts.

     

    Has anyone got this working?

     

    The only way to specify keys seems to relate to the 'manager' or 'operator' accounts?

     

    ip ssh public-key manager username <username> <key>

     

     

    We've got multiple admins working with password auth as follows:

     

    aaa authentication local-user "user1" group "Level-15" password sha1 <hash>

    aaa authentication local-user "user2" group "Level-15" password sha1 <hash>

     

    password operator user-name "readonly" sha1 <hash>

    password manager user-name "readwrite" sha1 <hash>

     

     



  • 2.  RE: 2930F multiple user SSH Key Auth

    Posted May 15, 2019 07:11 AM

    Hi Chris, did you work out a resolution for this? I want to do the same thing!



  • 3.  RE: 2930F multiple user SSH Key Auth

    Posted May 15, 2019 04:50 PM

    Hi Rafter,

     

    No sadly we didn't get this working - still not sure it is actually possible.



  • 4.  RE: 2930F multiple user SSH Key Auth
    Best Answer

    Posted May 17, 2019 05:03 PM

    I recently set up SSH key auth across all of our HP/Aruba gear in our environment. To my knowledge, it is not possible to set up individual user names on Procurve/ArubaOS devices. You can change the username for the operator and manager accounts, but you can't set up multiple operator/manager accounts with different usernames. However, you can set it up so that you have multiple RSA keys associated with the operator and manager accounts, so your users would be able to log in using the same username but with their specific key. ArubaOS-CX does support individual users with SSH keys, however. HTH.



  • 5.  RE: 2930F multiple user SSH Key Auth
    Best Answer

    Posted May 21, 2019 12:38 PM

    Hi guys, thanks for feeding back.

    I've had a further look into it.  I've worked out the way of importing the SSH public keys (restricted to 10) and logging in with those for different users:

     

    Create the extra user(s) as normal, set password, I've used Level-15 for full access but Level-1 if just want operator access - group not relevant if importing keys to use at manager level:

      aaa authentication local-user "$username$" group "Level-15" password plaintext

     

    Then copy the SSH public keys to the public keys store - note the append (that will enable importing and storing more than 1 key - appears to be a 10 maximum) and the manager access level (operator also available then you could use "enable" for higher privileges if needed - which would match the above role group set on the user).

      copy tftp pub-key-file $tftp-server-ip$ $key-file-name$ manager username $username$ append

     

    Set SSH authentication to use public-key (can set failback here and two factor although I've not)

      aaa authentication ssh login public-key

     

    That's it.

    Other helpful commands:

    show crypto client-public-key (shows what keys have been imported)

    clear crypto client-public-key (deletes what's been imported)

     

    Hope that's helpful.
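
An added example, not part of the thread and not HPE/Aruba tooling: a pre-upload check for the key file that the `copy tftp pub-key-file` step above sends to the switch. It assumes the file holds one OpenSSH-format public key per line; the 10-key limit is the one reported in the post, the 2048-bit RSA minimum is an assumed local policy, and `audit_key_file` and `make_sample_key` are hypothetical names.

```python
import base64, hashlib, struct

MAX_KEYS = 10        # limit reported in the post above
MIN_RSA_BITS = 2048  # assumption: local policy, not a switch requirement

def _read_field(blob, off):
    """Read one length-prefixed field (RFC 4253 string/mpint encoding)."""
    (n,) = struct.unpack_from(">I", blob, off)
    field = blob[off + 4: off + 4 + n]
    if len(field) != n:
        raise ValueError("truncated field")
    return field, off + 4 + n

def audit_key_file(text):
    """Return (fingerprints, problems) for a one-key-per-line public key file."""
    fingerprints, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        try:
            blob = base64.b64decode(parts[1], validate=True)
            ktype, off = _read_field(blob, 0)
            if ktype.decode() != parts[0]:
                raise ValueError("declared type does not match key blob")
            if parts[0] == "ssh-rsa":
                _, off = _read_field(blob, off)   # public exponent e
                n, _ = _read_field(blob, off)     # modulus n
                bits = int.from_bytes(n, "big").bit_length()
                if bits < MIN_RSA_BITS:
                    problems.append(f"line {lineno}: RSA modulus is only {bits} bits")
        except (IndexError, ValueError, struct.error) as exc:
            problems.append(f"line {lineno}: unparseable key ({exc})")
            continue
        fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
        if fp in fingerprints:
            problems.append(f"line {lineno}: duplicate of an earlier key")
        fingerprints.append(fp)
    if len(fingerprints) > MAX_KEYS:
        problems.append(f"{len(fingerprints)} keys exceed the {MAX_KEYS}-key limit")
    return fingerprints, problems

def make_sample_key(bits, comment):
    """Constructed sample line: well-formed blob, arbitrary modulus, not a usable key."""
    def field(b): return struct.pack(">I", len(b)) + b
    n = (1 << (bits - 1)) | int.from_bytes(hashlib.sha256(comment.encode()).digest(), "big") | 1
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(b"\x00" + n.to_bytes(bits // 8, "big"))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment
```

The fingerprints are in the same SHA256 form that `ssh-keygen -l -f <file>` prints, so each admin can confirm their own key is the one in the file before it is copied to the switch.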