
NSO Public key authentication to device

dnae
Level 1

Hello all,

I have an issue trying to set up public key authentication with an IOS XR device.

I have generated the public key (ssh-keygen -t rsa), copied it to the device. I have also added it to NSO and created an authgroup that uses the private key.

Regular ssh (from the NSO host) works ok using public key authentication:

ssh nso@10.10.10.10 -i /home/nso/.ssh/nso_admin -s netconf

Thu May 19 16:33:39.940 UTC

<?xml version="1.0" encoding="UTF-8"?>

<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">

...

</hello>

]]>]]>

 

However, when I try to do a sync-from via NSO:

devices device test-device sync-from               

result false

info Failed to connect to device test-device: closed

 

A debug of the SSH session shows the following error:

RP/0/RP0/CPU0:May 19 16:00:29.249 UTC: SSHD_[67379]: User:nso,service:ssh-connection,Method:publickey

RP/0/RP0/CPU0:May 19 16:00:29.249 UTC: SSHD_[67379]: (sshd_authenticate) RSA based authentication requested

RP/0/RP0/CPU0:May 19 16:00:29.249 UTC: SSHD_[67379]: (sshd_authenticate) Requested public-key algorithm rsa-sha2-512 not supported

 

During a regular ssh login (that works) I get a different message:

RP/0/RP0/CPU0:May 19 16:39:54.102 UTC: SSHD_[67567]: User:nso,service:ssh-connection,Method:publickey

RP/0/RP0/CPU0:May 19 16:39:54.102 UTC: SSHD_[67567]: (sshd_authenticate) RSA based authentication requested

RP/0/RP0/CPU0:May 19 16:39:54.102 UTC: SSHD_[67567]: (sshd_authenticate) bool: 1, Pub Alg: ssh-rsa

 

My first thought was to go and change the device public key algorithms and restrict to ssh-rsa:

# show running-config devices device test-device ssh-algorithms public-key

 ssh-algorithms public-key [ ssh-rsa ]

But this doesn't work; it's most likely related to the host key, not the user authentication key.

Any hints on how to solve this? I'm guessing I have to specify somewhere the user auth key exchange algorithm, but I haven't found where.

2 Replies

Nabsch
Spotlight

Hello,

 

Can you specify the NSO version?

Can you provide us the output of the command:

 

show devices device <YOUR_DEVICE> active-settings ssh-algorithms

Sure, I'm running version 5.6.4. Here is the output of the command:

show devices device test-device active-settings ssh-algorithms

active-settings ssh-algorithms public-key [ ssh-rsa ]

active-settings ssh-algorithms kex [ curve25519-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 curve448-sha512 ecdh-sha2-nistp521 diffie-hellman-group15-sha512 diffie-hellman-group16-sha512 diffie-hellman-group14-sha256 diffie-hellman-group14-sha1 ]

active-settings ssh-algorithms mac [ AEAD_AES_128_GCM AEAD_AES_256_GCM hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-256 hmac-sha1 ]

active-settings ssh-algorithms cipher [ aes128-gcm@openssh.com AEAD_AES_128_GCM chacha20-poly1305@openssh.com aes256-gcm@openssh.com AEAD_AES_256_GCM aes128-ctr aes192-ctr aes256-ctr ]

active-settings ssh-algorithms compression [ none zlib zlib@openssh.com ]

active-settings ssh-algorithms dh-group min-size 1024

active-settings ssh-algorithms dh-group preferred-size 2048

active-settings ssh-algorithms dh-group max-size 8192
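
Added example (not part of the original thread, and not Cisco or NSO code): a small Python parser that groups the SSHD debug lines quoted in the first post by process id and reports which public-key algorithm name each publickey attempt carried and whether the device refused it. The function names and the `not_rejected` label are assumptions of this example; the log lines are the ones quoted in the thread.

```python
import re
from collections import defaultdict

# IOS XR SSHD debug lines copied from the thread above (failing, then working session).
SAMPLE_LOG = """\
RP/0/RP0/CPU0:May 19 16:00:29.249 UTC: SSHD_[67379]: User:nso,service:ssh-connection,Method:publickey
RP/0/RP0/CPU0:May 19 16:00:29.249 UTC: SSHD_[67379]: (sshd_authenticate) RSA based authentication requested
RP/0/RP0/CPU0:May 19 16:00:29.249 UTC: SSHD_[67379]: (sshd_authenticate) Requested public-key algorithm rsa-sha2-512 not supported
RP/0/RP0/CPU0:May 19 16:39:54.102 UTC: SSHD_[67567]: User:nso,service:ssh-connection,Method:publickey
RP/0/RP0/CPU0:May 19 16:39:54.102 UTC: SSHD_[67567]: (sshd_authenticate) RSA based authentication requested
RP/0/RP0/CPU0:May 19 16:39:54.102 UTC: SSHD_[67567]: (sshd_authenticate) bool: 1, Pub Alg: ssh-rsa
"""

LINE_RE = re.compile(r"SSHD_\[(?P<pid>\d+)\]: (?P<msg>.*)$")
USER_RE = re.compile(r"User:(?P<user>[^,]+),service:[^,]+,Method:(?P<method>\S+)")
REJECT_RE = re.compile(r"Requested public-key algorithm (?P<alg>\S+) not supported")
PUBALG_RE = re.compile(r"Pub Alg: (?P<alg>\S+)")


def summarize(log_text):
    """Group debug lines by SSHD process id; record user, method, algorithm and outcome."""
    sessions = defaultdict(
        lambda: {"user": None, "method": None, "alg": None, "status": "unknown"}
    )
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an SSHD debug line
        s, msg = sessions[m["pid"]], m["msg"]
        if u := USER_RE.search(msg):
            s["user"], s["method"] = u["user"], u["method"]
        elif r := REJECT_RE.search(msg):
            s["alg"], s["status"] = r["alg"], "rejected"
        elif a := PUBALG_RE.search(msg):
            # The thread only shows this line for the login that worked.
            s["alg"], s["status"] = a["alg"], "not_rejected"
    return dict(sessions)


def rejected_algorithms(sessions):
    """Signature algorithm names the device refused during publickey user auth."""
    return {s["alg"] for s in sessions.values() if s["status"] == "rejected"}


if __name__ == "__main__":
    for pid, s in summarize(SAMPLE_LOG).items():
        print(pid, s["user"], s["method"], s["alg"], s["status"])
    print("rejected:", sorted(rejected_algorithms(summarize(SAMPLE_LOG))))
```

Both sessions use the same RSA key; `ssh-rsa` and `rsa-sha2-512` are different signature algorithm names for that key type (RFC 8332), which is why the per-session algorithm column is the field to compare.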