09-25-2013 02:00 AM - edited 03-07-2019 03:40 PM
Hello,
I am in the process of exchanging c2950 with c2960s (15.2.1.E) switches and want to take advantage of public key login with openssh for administrative tasks. Right now I can login using openssh and any user (for example "tom") that is known to the RADIUS server in place. I want to have a user "nms" on my solaris machine with its key pair that is able to login to the switches using the public key login. Now, I looked around and found stuff which, to me, should work, but it does not.
When my "nms" user tries to login with public key from the solaris machine, he only gets the motd banner and a "% Authorization failed." message, and on the switch the debug shows "AAA/AUTHOR/EXEC(00000070): Authorization FAILED". The login with a password however works just fine.
Below are the details on the freeradius user config for "nms", how the key pair was generated, the cisco configuration I did to try to make public key auth work and the debugs (with password and with public key) on the switch. I think I am almost there but a little detail must be missing.
Thank you in advance for your help.
tom
## ----------------------------------------------------------------------
## FREERADIUS USER CONFIG
nms Cleartext-Password := "PASSWORD_FOR_NMS_USER"
        Service-Type == NAS-Prompt-User,
        Cisco-AVPair += "shell:priv-lvl=15"
## ----------------------------------------------------------------------
## GENERATING NEW OPENSSH KEY PAIR
solaris# ssh-keygen -t rsa -b 2048 -C nms -f id_rsa.nms
solaris# awk '{print $1}' id_rsa.nms.pub
ssh-rsa
solaris# ssh-keygen -l -f id_rsa.nms.pub | tr -d : | tr '[:lower:]' '[:upper:]' | awk '{print $2}'
9C4EB16E472F1B131817B894962FEDA8
## ----------------------------------------------------------------------
## CISCO CONFIGURATION
cisco# sh run | i aaa
aaa new-model
aaa authentication login default group radius local
aaa authorization console
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting system default start-stop group radius
aaa session-id common
cisco(config)# ip ssh pubkey-chain
cisco(conf-ssh-pubkey)#user
cisco(conf-ssh-pubkey)#username nms
cisco(conf-ssh-pubkey-user)#key-hash ssh-rsa 9C4EB16E472F1B131817B894962FEDA8
cisco(conf-ssh-pubkey-user)#exit
cisco(conf-ssh-pubkey)#exit
cisco(config)#exit
## ----------------------------------------------------------------------
## CISCO LOGS
cisco# debug ip ssh detail
cisco# debug aaa authorization
cisco# debug aaa authentication
## ......................................................................
## LOGGING IN WITH PASSWORD FROM SOLARIS (ssh nms@cisco) WORKS:
000932: Sep 25 10:39:06 MEST: SSH1: starting SSH control process
000933: Sep 25 10:39:06 MEST: SSH1: sent protocol version id SSH-2.0-Cisco-1.25
000934: Sep 25 10:39:06 MEST: SSH1: protocol version id is - SSH-2.0-OpenSSH_5.6
000935: Sep 25 10:39:06 MEST: SSH2 1: SSH2_MSG_KEXINIT sent
000936: Sep 25 10:39:06 MEST: SSH2 1: SSH2_MSG_KEXINIT received
000937: Sep 25 10:39:06 MEST: SSH2 1: kex: client->server enc:aes128-cbc mac:hmac-md5
000938: Sep 25 10:39:06 MEST: SSH2 1: kex: server->client enc:aes128-cbc mac:hmac-md5
000939: Sep 25 10:39:06 MEST: SSH2 1: Using kex_algo = diffie-hellman-group-exchange-sha1
000940: Sep 25 10:39:06 MEST: SSH2 1: SSH2_MSG_KEX_DH_GEX_REQUEST received
000941: Sep 25 10:39:06 MEST: SSH2 1: Range sent by client is - 1024 < 1024 < 8192
000942: Sep 25 10:39:06 MEST: SSH2 1: Modulus size established : 1024 bits
000943: Sep 25 10:39:06 MEST: SSH2 1: expecting SSH2_MSG_KEX_DH_GEX_INIT
000944: Sep 25 10:39:06 MEST: SSH2 1: SSH2_MSG_KEXDH_INIT received
000945: Sep 25 10:39:06 MEST: SSH2: kex_derive_keys complete
000946: Sep 25 10:39:06 MEST: SSH2 1: SSH2_MSG_NEWKEYS sent
000947: Sep 25 10:39:06 MEST: SSH2 1: waiting for SSH2_MSG_NEWKEYS
000948: Sep 25 10:39:06 MEST: SSH2 1: SSH2_MSG_NEWKEYS received
000949: Sep 25 10:39:06 MEST: SSH2 1: Using method = none
000950: Sep 25 10:39:06 MEST: SSH2 1: Using method = keyboard-interactive
000951: Sep 25 10:39:06 MEST: AAA/BIND(0000006F): Bind i/f
000952: Sep 25 10:39:06 MEST: AAA/AUTHEN/LOGIN (0000006F): Pick method list 'default'
000953: Sep 25 10:39:13 MEST: SSH2 1: authentication successful for nms
000954: Sep 25 10:39:13 MEST: SSH2 1: channel open request
000955: Sep 25 10:39:13 MEST: SSH2 1: pty-req request
000956: Sep 25 10:39:13 MEST: SSH2 1: setting TTY - requested: height 26, width 150; set: height 26, width 150
000957: Sep 25 10:39:13 MEST: SSH2 1: shell request
000958: Sep 25 10:39:13 MEST: SSH2 1: shell message received
000959: Sep 25 10:39:13 MEST: SSH2 1: starting shell for vty
000960: Sep 25 10:39:13 MEST: AAA/AUTHOR/EXEC(0000006F): processing AV priv-lvl=15
000961: Sep 25 10:39:13 MEST: AAA/AUTHOR/EXEC(0000006F): processing AV service-type=7
000962: Sep 25 10:39:13 MEST: AAA/AUTHOR/EXEC(0000006F): Authorization successful
## ......................................................................
## LOGGING IN WITH PUBLIC KEY FROM SOLARIS (ssh -i id_rsa.nms nms@cisco) DOES NOT WORK:
000965: Sep 25 10:39:36 MEST: SSH1: starting SSH control process
000966: Sep 25 10:39:36 MEST: SSH1: sent protocol version id SSH-2.0-Cisco-1.25
000967: Sep 25 10:39:36 MEST: SSH1: protocol version id is - SSH-2.0-OpenSSH_5.6
000968: Sep 25 10:39:36 MEST: SSH2 1: SSH2_MSG_KEXINIT sent
000969: Sep 25 10:39:36 MEST: SSH2 1: SSH2_MSG_KEXINIT received
000970: Sep 25 10:39:36 MEST: SSH2 1: kex: client->server enc:aes128-cbc mac:hmac-md5
000971: Sep 25 10:39:36 MEST: SSH2 1: kex: server->client enc:aes128-cbc mac:hmac-md5
000972: Sep 25 10:39:36 MEST: SSH2 1: Using kex_algo = diffie-hellman-group-exchange-sha1
000973: Sep 25 10:39:36 MEST: SSH2 1: SSH2_MSG_KEX_DH_GEX_REQUEST received
000974: Sep 25 10:39:36 MEST: SSH2 1: Range sent by client is - 1024 < 1024 < 8192
000975: Sep 25 10:39:36 MEST: SSH2 1: Modulus size established : 1024 bits
000976: Sep 25 10:39:36 MEST: SSH2 1: expecting SSH2_MSG_KEX_DH_GEX_INIT
000977: Sep 25 10:39:36 MEST: SSH2 1: SSH2_MSG_KEXDH_INIT received
000978: Sep 25 10:39:36 MEST: SSH2: kex_derive_keys complete
000979: Sep 25 10:39:36 MEST: SSH2 1: SSH2_MSG_NEWKEYS sent
000980: Sep 25 10:39:36 MEST: SSH2 1: waiting for SSH2_MSG_NEWKEYS
000981: Sep 25 10:39:36 MEST: SSH2 1: SSH2_MSG_NEWKEYS received
000982: Sep 25 10:39:36 MEST: SSH2 1: Using method = none
000983: Sep 25 10:39:36 MEST: SSH2 1: Using method = publickey
000984: Sep 25 10:39:36 MEST: AAA/BIND(00000070): Bind i/f
000985: Sep 25 10:39:36 MEST: SSH2 1: Authenticating 'nms' with method: publickey
000986: Sep 25 10:39:36 MEST: SSH2 1: Client Signature verification PASSED
000987: Sep 25 10:39:36 MEST: SSH2 1: authentication successful for nms
000988: Sep 25 10:39:36 MEST: SSH2 1: channel open request
000989: Sep 25 10:39:36 MEST: SSH2 1: pty-req request
000990: Sep 25 10:39:36 MEST: SSH2 1: setting TTY - requested: height 26, width 150; set: height 26, width 150
000991: Sep 25 10:39:36 MEST: SSH2 1: shell request
000992: Sep 25 10:39:36 MEST: SSH2 1: shell message received
000993: Sep 25 10:39:36 MEST: SSH2 1: starting shell for vty
000994: Sep 25 10:39:36 MEST: AAA/AUTHOR (0x70): Pick method list 'default'
000995: Sep 25 10:39:38 MEST: AAA/AUTHOR/EXEC(00000070): Authorization FAILED
000996: Sep 25 10:39:40 MEST: SSH1: Session terminated normally
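The key-hash value in the pubkey-chain above is simply the MD5 of the decoded public key blob, uppercase with the colons removed, which is what the ssh-keygen -l pipeline in the post produces on OpenSSH 5.6. Newer OpenSSH prints SHA256 fingerprints by default, so that pipeline then needs `ssh-keygen -l -E md5`. The following added example (not from the post) computes the same value straight from an OpenSSH public key line, checks that the key type declared on the line matches the one embedded in the blob, and emits the matching IOS stanza; the sample key is constructed at runtime and is not a real RSA key.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value: int) -> bytes:
    """Encode an SSH mpint (positive integer, 0x00 prefix if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def build_rsa_pub_line(e: int, n: int, comment: str) -> str:
    """Build a one-line OpenSSH public key ("ssh-rsa <base64 blob> <comment>").
    Used here only to construct a sample; n is not a real modulus."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def parse_pub_line(line: str):
    """Return (declared type, decoded blob). The blob's own first field is
    the key type; it must agree with the first column of the line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    (tlen,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + tlen].decode()
    if embedded != fields[0]:
        raise ValueError(f"key type mismatch: line says {fields[0]}, blob says {embedded}")
    return fields[0], blob

def ios_key_hash(blob: bytes) -> str:
    """MD5 of the raw key blob, uppercase hex, no colons: the value IOS
    'key-hash' takes (same as 'ssh-keygen -l -E md5' with colons stripped)."""
    return hashlib.md5(blob).hexdigest().upper()

def pubkey_chain_config(username: str, line: str) -> list:
    """Emit the IOS 'ip ssh pubkey-chain' stanza for one ssh-rsa public key."""
    keytype, blob = parse_pub_line(line)
    if keytype != "ssh-rsa":
        raise ValueError("only ssh-rsa keys are handled here, as in the post")
    return [
        "ip ssh pubkey-chain",
        f" username {username}",
        f"  key-hash {keytype} {ios_key_hash(blob)}",
    ]

if __name__ == "__main__":
    sample = build_rsa_pub_line(65537, (1 << 2047) + 12345, "nms")  # constructed
    print("\n".join(pubkey_chain_config("nms", sample)))
```

Paste the emitted lines into config mode; the hash must be exactly 32 uppercase hex characters or IOS rejects the key-hash line.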
10-02-2013 06:45 AM
Success is mine!
After quite some searching I made it work and here is how:
All I had to do was make a small change to what I already described above. The FreeRADIUS user config file was modified in the following way:
nms Auth-Type := Accept, Service-Type == "Dialout-Framed-User"
        Cisco-AVPair += "shell:priv-lvl=15"
However, I am not quite sure if this introduces a security risk or not. What do you think?
At least I tried to login without SSH key and the login was denied, so it shouldn't be too bad.
tom