1585 Views | 5 Helpful | 2 Replies

Cisco ASA ssh public key authentication

sun_sazanov
Level 1

Hi.

I have ASA 5515-X with "Cisco Adaptive Security Appliance Software Version 9.4(2)11".

I configured SSH public key authentication (RSA 2048):

aaa authentication ssh console LOCAL

username asauser password XXXXXXXXXXXXXXXX encrypted privilege 15

username asauser attributes
service-type admin
ssh authentication publickey YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY hashed

When I connect with PuTTY using the installed key, I can see these messages:

Authenticating with public key "rsa-key-2048" from agent
Server refused public-key signature despite accepting key!

And then a password prompt.

============================================================

In the ASA debug ssh 10 output:

Device ssh opened successfully.
SSH1: SSH client: IP = '192.168.60.100' interface # = 3
SSH: host key initialised
SSH1: starting SSH control process
SSH1: Exchanging versions - SSH-2.0-Cisco-1.25

SSH1: send SSH message: outdata is NULL

server version string:SSH-2.0-Cisco-1.25
SSH1: receive SSH message: 83 (83)
SSH1: client version is - SSH-2.0-PuTTY_Snapshot_2016_04_08.f0f19b6

client version string:SSH-2.0-PuTTY_Snapshot_2016_04_08.f0f19b6

SSH2 1: SSH2_MSG_KEXINIT sent
SSH2 1: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes256-ctr hmac-sha1 none
SSH2: kex: server->client aes256-ctr hmac-sha1 none
SSH2 1: expecting SSH2_MSG_KEXDH_INIT
SSH2 1: SSH2_MSG_KEXDH_INIT received
SSH2 1: signature length 271
SSH2: kex_derive_keys complete
SSH2 1: newkeys: mode 1
SSH2 1: SSH2_MSG_NEWKEYS sent
SSH2 1: waiting for SSH2_MSG_NEWKEYS
SSH2 1: newkeys: mode 0
SSH2 1: SSH2_MSG_NEWKEYS received
SSH(asauser): user authen method is 'use AAA', aaa server group ID = 1
SSH(asauser): user authen method is 'use AAA', aaa server group ID = 1

SSH2 0: key lookup succeeded
SSH2 1: Sent SSH2_MSG_USERAUTH_PK_OK to client
SSH2 0: channel window adjust message received 8233
SSH(asauser): user authen method is 'use AAA', aaa server group ID = 1

public key pkt

00000014d1f329cb b889102384e5df4f f80c3ed980b03efc 3200000008767361
7a616e6f76000000 0e7373682d636f6e 6e656374696f6e00 0000097075626c69
636b657901000000 077373682d727361 0000011500000007 7373682d72736100
0000012500000101 00b33b265333d53a 724f2ae9af23ac7a fe4b8b9e27197ea6
0fb72e5a3c478597 3ab07cdf2f8d3b1b ce332b5d1662b7b7 5a9f4098eac9f361
20bfc7ae3d897a58 21d87ddc7884e3e9 79f4dbf207fa0119 80cc054a6bc94c02
3dff6dea738668a3 ea7e1b16bf4e5c37 67cf0716bc81cf6c 129e9e4a5dc01875
ac668da532834c13 1ce857d33548c36b 722ad831f569a4c0 0f732a165e99c138
2afbed6e9a6c4433 48862fdd9b45883c ec0f4f5b1ada8ffd 9ba2c31b08800acc
d537bc9ed82a5a09 cb4bb50f8dd33483 184595c9bad651e9 017a573e094a15b8
cd2640a735042a6f 9fa688fd78d0aff0 570700de7686bf26 af7408d56fc68b35
8a4e1bcdda8bfd7e e1

SSH2 0: key lookup succeeded
SSH2 0: Signature verification succeeded

How can I fix this and authenticate with the RSA public key?

Best regards,

Slava
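The "public key pkt" dump above is the buffer the client signs for publickey authentication (RFC 4252 section 7): the session identifier followed by the fields of the SSH_MSG_USERAUTH_REQUEST. The Python script below is an added example, not part of the original post and not a Cisco tool. It decodes that dump so a reader can see which user name, service and key the ASA verified the signature over, computes OpenSSH-style fingerprints of the key blob for comparison with the key that was configured (for instance against the output of ssh-keygen -lf on the public key file), and rebuilds the buffer to show the unsigned query form that precedes the server's SSH2_MSG_USERAUTH_PK_OK reply. Only the RFC wire layout is assumed; the hex bytes are copied verbatim from the debug output quoted above.

```python
"""Decode the buffer an SSH client signs for "publickey" authentication
(RFC 4252 section 7); the ASA prints it after "public key pkt" in debug ssh."""
import base64
import hashlib
import struct

SSH_MSG_USERAUTH_REQUEST = 50

# Hex dump copied from the "public key pkt" lines of the debug output above.
ASA_PUBLIC_KEY_PKT = bytes.fromhex("""
00000014d1f329cb b889102384e5df4f f80c3ed980b03efc 3200000008767361
7a616e6f76000000 0e7373682d636f6e 6e656374696f6e00 0000097075626c69
636b657901000000 077373682d727361 0000011500000007 7373682d72736100
0000012500000101 00b33b265333d53a 724f2ae9af23ac7a fe4b8b9e27197ea6
0fb72e5a3c478597 3ab07cdf2f8d3b1b ce332b5d1662b7b7 5a9f4098eac9f361
20bfc7ae3d897a58 21d87ddc7884e3e9 79f4dbf207fa0119 80cc054a6bc94c02
3dff6dea738668a3 ea7e1b16bf4e5c37 67cf0716bc81cf6c 129e9e4a5dc01875
ac668da532834c13 1ce857d33548c36b 722ad831f569a4c0 0f732a165e99c138
2afbed6e9a6c4433 48862fdd9b45883c ec0f4f5b1ada8ffd 9ba2c31b08800acc
d537bc9ed82a5a09 cb4bb50f8dd33483 184595c9bad651e9 017a573e094a15b8
cd2640a735042a6f 9fa688fd78d0aff0 570700de7686bf26 af7408d56fc68b35
8a4e1bcdda8bfd7e e1
""")


class Reader:
    """Bounds-checked cursor over SSH wire-format data (RFC 4251 section 5)."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError(f"truncated at offset {self.pos}: need {n} bytes, "
                             f"have {len(self.data) - self.pos}")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def byte(self):
        return self.take(1)[0]
    def uint32(self):
        return struct.unpack(">I", self.take(4))[0]
    def string(self):
        return self.take(self.uint32())
    def mpint(self):  # big-endian two's complement, as RFC 4251 defines it
        return int.from_bytes(self.string(), "big", signed=True)
    def done(self):
        return self.pos == len(self.data)


def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def parse_rsa_blob(blob):
    """Split an ssh-rsa blob (string "ssh-rsa", mpint e, mpint n) into e and n."""
    r = Reader(blob)
    if r.string() != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    e, n = r.mpint(), r.mpint()
    if not r.done():
        raise ValueError("trailing bytes in key blob")
    return {"e": e, "n": n, "bits": n.bit_length()}


def fingerprints(blob):
    """OpenSSH-style MD5 and SHA256 fingerprints of the raw key blob."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}


def parse_publickey_request(data):
    """Decode the signed buffer; raises ValueError on any structural problem."""
    r = Reader(data)
    session_id = r.string()
    if r.byte() != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not an SSH_MSG_USERAUTH_REQUEST")
    user, service, method = r.string(), r.string(), r.string()
    if method != b"publickey":
        raise ValueError(f"unexpected method {method!r}")
    signed = r.byte() == 1          # FALSE = query only, TRUE = signed request
    alg, blob = r.string(), r.string()
    if not r.done():
        raise ValueError("trailing bytes after key blob")
    info = {"session_id": session_id.hex(), "user": user.decode(),
            "service": service.decode(), "signed": signed,
            "alg": alg.decode(), "blob": blob, **fingerprints(blob)}
    if alg == b"ssh-rsa":
        info.update(parse_rsa_blob(blob))
    return info


def build_publickey_request(session_id, user, service, alg, blob, signed):
    """Rebuild the buffer from its fields. With signed=False this is the layout
    of the initial query the server answers with USERAUTH_PK_OK (on the wire
    that query is sent without the leading session id)."""
    return (ssh_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode()) + ssh_string(service.encode())
            + ssh_string(b"publickey") + bytes([1 if signed else 0])
            + ssh_string(alg.encode()) + ssh_string(blob))


if __name__ == "__main__":
    decoded = parse_publickey_request(ASA_PUBLIC_KEY_PKT)
    for key in ("session_id", "user", "service", "signed", "alg", "bits", "e", "md5", "sha256"):
        print(f"{key:>10}: {decoded[key]}")
```

Run as a script, it prints the decoded fields: for this dump the request is the signed form (boolean TRUE), for service ssh-connection, with an ssh-rsa key whose modulus is 2048 bits and whose public exponent is 37 (PuTTYgen's default). The user name inside the buffer is the one the key lookup is done against, so it has to be the local username whose attributes carry the ssh authentication publickey line, and the SHA256 fingerprint can be compared with the key file the hashed entry was generated from. That the ASA logs "Signature verification succeeded" over exactly this buffer means the key and signature were accepted; whatever makes it fall back to a password prompt happens after that check.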

2 Replies

Philip D'Ath
VIP Alumni

I'm going to guess a software bug. I don't use that exact feature, but 9.6(1) has been working pretty well for us.

Thanks,

Best regards,

Slava
