Now it is 2021, I have an Aruba controller with AOS8 and still the same problem.
This solution here does not work for me, because openssl does not accept my private id_rsa:
"unable to load Private Key
139738545255552:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY"
I also tried with a new key that openssl generates if I do not give it a -key, but then I must set a password on it, and
ssh test@10.7.18.80 -i privkey.pem
asks me for the private key password first and does not work either.
Are there other solutions?
------------------------------
Marian Knichala
------------------------------
Original Message:
Sent: Apr 28, 2015 05:56 PM
From: Justin Clark
Subject: OpenSSH Public Key Authentication
Ok, I bashed on this for an hour and finally managed to get this working. Not sure if it's still relevant to anyone, but this is how you convert your OpenSSH certs to a format that Aruba likes.
First, this is mostly tested on Macs, since that's what we run here; if you run Windows or Linux, you're kinda on your own:
- Check the OpenSSL version on your Mac by typing the command "openssl version"; mine is OpenSSL 0.9.8zc 15 Oct 2014. If you're at least at this version, the instructions below should work.
- Next run this command:
openssl req -x509 -key ~/<your ssh key folder>/<your private key> -days 1500 -newkey rsa:2048 -out ~/<your ssh key folder>/<your username>_pub.pem
- You can accept the default for every prompt it asks you afterwards. None of it is really relevant. If you don't put the -days 1500 flag (5 years), the default period will be 30 days.
- Upload the resulting pem into Aruba via the GUI. There's no CLI method that I can find. Make sure you select pem for the format and public certificate for the type.
- Add the user that'll use this cert. You can use the CLI for this. The format is: "mgmt-user ssh-pubkey client-cert <your uploaded pub key> <user name> <role>"
- Lastly, enable public key certs by going to the GUI and selecting the "Client Public Key" option under SSH Auth method. You can use the CLI as well, but if you do this, your backup controller will not have the option propagated over. This is obviously a bug, and this is the workaround for it so far.
That's it, now you need to do it for your backup controllers and then you can finally turn off your RADIUS or TACACS server to the controllers. I'd still recommend having username/password for the admin account just in case your keys get borked or your laptop dies.
Let me know if this works for anyone else!
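The certificate step from the post above, scripted as an added example that is not from either poster. It also covers the 2021 reply's "no start line" failure: newer OpenSSH saves private keys in its own "BEGIN OPENSSH PRIVATE KEY" format, which openssl cannot read, so the script rewrites such a key as PEM first. It assumes `ssh-keygen -m PEM` (OpenSSH 6.5 or later), an unencrypted key, and the function names are my own.

```shell
#!/bin/sh
# Added example: classify an SSH private key by its on-disk format, convert an
# OpenSSH-format key to PEM if needed, then build the self-signed X.509 cert
# that the Aruba controller wants (same openssl invocation as the original post).
set -eu

# Classify a private-key file by its first line.
key_format() {
    case "$(head -n 1 "$1")" in
        '-----BEGIN OPENSSH PRIVATE KEY-----')   echo openssh ;;          # openssl cannot load this
        '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1 ;;            # traditional PEM, fine
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;            # PEM, fine
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;  # PEM, needs passphrase
        *)                                       echo unknown ;;
    esac
}

# Rewrite an OpenSSH-format key in place as PEM so openssl can load it.
# -p rewrites the key; -P ''/-N '' keep an already-unencrypted key unencrypted.
ensure_pem_key() {
    if [ "$(key_format "$1")" = openssh ]; then
        ssh-keygen -p -m PEM -P '' -N '' -f "$1" >/dev/null
    fi
}

# Check that the certificate carries the same public key as the SSH key:
# both commands print the public key as a "BEGIN PUBLIC KEY" PEM block.
cert_matches_key() {
    openssl x509 -in "$2" -noout -pubkey > "$2.pub.tmp"
    ssh-keygen -e -m PKCS8 -f "$1" | cmp -s - "$2.pub.tmp"
    rc=$?
    rm -f "$2.pub.tmp"
    return $rc
}

# Usage: make_aruba_cert ~/.ssh/id_rsa ~/.ssh/jdoe_pub.pem
# -subj answers the subject prompts non-interactively; the values do not matter.
make_aruba_cert() {
    key=$1; out=$2
    ensure_pem_key "$key"
    openssl req -x509 -key "$key" -days 1500 -newkey rsa:2048 \
        -subj "/CN=$(whoami)" -out "$out"
    cert_matches_key "$key" "$out" || { echo "cert/key mismatch" >&2; return 1; }
    echo "wrote $out ($(key_format "$key") key); upload it as type 'public certificate'"
}

if [ $# -eq 2 ]; then make_aruba_cert "$1" "$2"; fi
```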